From: Gémes G. <ge...@kz...> - 2013-06-15 10:56:58
On 2013-06-15 10:04, Branko Majic wrote:
> On Fri, 14 Jun 2013 21:58:57 +0200
> Gémes Géza <ge...@kz...> wrote:
>
>> Hi,
>>
>> I'm trying to deploy puppet to our network, and as it uses a PKI to
>> authenticate client systems I'm interested to know if anyone is using
>> EJBCA as an external CA (having all systems an EJBCA signed certificate)
>> or as a top level CA (having EJBCA sign the puppetmaster certificate and
>> let it sign the certificates of client systems).
>>
>> Thank you!
>>
>> Cheers
>>
>> Geza Gemes
> Hello Géza,
>
> As far as I know, nobody has done this. I've actually been at some
> point curious if such thing could be done with Puppet, though. It would
> probably be necessary to modularise the certificate-related code in
> Puppet and implement a web service-based client in Ruby for use with
> EJBCA.
>
> Best regards
>
>

Hi Branko,

I wasn't thinking about a close integration as having puppet ca manipulate ejbca certificates, which would be also nice, but not strictly necessary for integration. Puppet can work without the ca component (http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html), at least starting from 3.2. What I was hoping to get confirmation on is that there are adequate EJBCA certificate profiles for signing master and agent certificates and some example scep (e.g. jscep scripts) to renew the certs of master/agent. If no certificate profiles exist, the other working option would be to create a subCA for puppet master.

Cheers

Geza Gemes