From: Branko M. <br...@ma...> - 2013-06-16 15:11:49
On Sat, 15 Jun 2013 12:56:35 +0200
Gémes Géza <ge...@kz...> wrote:

> On 2013-06-15 10:04, Branko Majic wrote:
> > On Fri, 14 Jun 2013 21:58:57 +0200
> > Gémes Géza <ge...@kz...> wrote:
> >
> >> Hi,
> >>
> >> I'm trying to deploy puppet to our network, and as it uses a PKI to
> >> authenticate client systems I'm interested to know if anyone is using
> >> EJBCA as an external CA (having all systems an EJBCA-signed certificate)
> >> or as a top level CA (having EJBCA sign the puppetmaster certificate and
> >> let it sign the certificates of client systems).
> >>
> >> Thank you!
> >>
> >> Cheers
> >>
> >> Geza Gemes
> > Hello Géza,
> >
> > As far as I know, nobody has done this. I've actually been at some
> > point curious if such a thing could be done with Puppet, though. It would
> > probably be necessary to modularise the certificate-related code in
> > Puppet and implement a web service-based client in Ruby for use with
> > EJBCA.
> >
> > Best regards
> >
> >
> Hi Branko,
>
> I wasn't thinking about a close integration such as having puppet ca
> manipulate ejbca certificates, which would also be nice, but not
> strictly necessary for integration. Puppet can work without the ca
> component
> (http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html),
> at least starting from 3.2. What I was hoping to get confirmation on is
> that there are adequate EJBCA certificate profiles for signing master
> and agent certificates and some example scep (e.g. jscep) scripts to
> renew the certs of master/agent. If no certificate profiles exist, the
> other working option would be to create a subCA for puppet master.
>
> Cheers
>
> Geza Gemes

I haven't had a look at Puppet-created certificates, but my guess is you
could use the standard server and client certificate profiles (SERVER and
ENDUSER) - the important part is probably just the client/server EKU.

Best regards

-- 
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.
Branko Majić
Jabber: br...@ma...
Please send attachments to me only in free formats.
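The check Branko points at above, looking at a certificate's client/server EKU to judge whether a CA profile's output fits a Puppet master or agent, as an added Ruby example (not from this thread, and not Puppet's or EJBCA's own code). Assumed, not taken from the thread: a master certificate needs both serverAuth and clientAuth, an agent certificate needs clientAuth; the hostnames and the self-signed test certificates are constructed for the demo and stand in for what a SERVER or ENDUSER profile would issue.

```ruby
require 'openssl'

# Assumed role requirements: a Puppet master serves TLS to agents (serverAuth)
# and also acts as a TLS client (clientAuth); an agent only connects out
# (clientAuth). These are this example's assumptions, not a Puppet or EJBCA rule.
ROLE_EKU = {
  'master' => %w[serverAuth clientAuth],
  'agent'  => %w[clientAuth],
}.freeze

# Short names of the key purposes in the certificate's extendedKeyUsage
# extension, in order, or nil when the extension is absent.
def extended_key_usage(cert)
  ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  return nil unless ext
  # Extension DER is SEQUENCE { OID, [BOOLEAN critical], OCTET STRING };
  # the OCTET STRING wraps a SEQUENCE OF OBJECT IDENTIFIER (the purposes).
  ext_seq = OpenSSL::ASN1.decode(ext.to_der)
  purposes = OpenSSL::ASN1.decode(ext_seq.value.last.value)
  purposes.value.map(&:sn)
end

# Purposes required for +role+ that the certificate does not carry. An absent
# extension counts as carrying nothing: RFC 5280 would allow such a cert for
# any purpose, but a CA profile meant for TLS peers should state the EKU
# explicitly, so absence is reported as a finding rather than a pass.
def missing_eku(cert, role)
  present = extended_key_usage(cert) || []
  ROLE_EKU.fetch(role) - present
end

def suitable_for?(cert, role)
  missing_eku(cert, role).empty?
end

# Build a self-signed certificate carrying the given EKU purposes. Constructed
# test data standing in for what a CA profile would issue.
def make_test_cert(cn, eku_purposes)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  unless eku_purposes.empty?
    cert.add_extension(ef.create_extension('extendedKeyUsage', eku_purposes.join(','), false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# One-line report for an operator checking certificates issued from a profile.
def report(cert, role)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }[1]
  missing = missing_eku(cert, role)
  status = missing.empty? ? 'OK' : "MISSING #{missing.join(', ')}"
  "#{cn} as #{role}: EKU=#{(extended_key_usage(cert) || []).inspect} -> #{status}"
end

if __FILE__ == $PROGRAM_NAME
  master = make_test_cert('puppet.example.test', %w[serverAuth clientAuth])
  agent  = make_test_cert('agent01.example.test', %w[clientAuth])
  puts report(master, 'master')
  puts report(agent, 'agent')
  puts report(agent, 'master') # an agent-profile cert does not qualify as a master
end
```

To run this against real certificates instead of the constructed ones, replace `make_test_cert` with `OpenSSL::X509::Certificate.new(File.read(path))` on the PEM files the CA issued; the EKU decoding and role check are unchanged.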