From: Gémes G. <ge...@kz...> - 2013-06-17 03:50:25
On 2013-06-16 17:11, Branko Majic wrote:
> On Sat, 15 Jun 2013 12:56:35 +0200
> Gémes Géza <ge...@kz...> wrote:
>
>> On 2013-06-15 10:04, Branko Majic wrote:
>>> On Fri, 14 Jun 2013 21:58:57 +0200
>>> Gémes Géza <ge...@kz...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to deploy Puppet to our network, and as it uses a PKI to
>>>> authenticate client systems I'm interested to know if anyone is using
>>>> EJBCA as an external CA (giving all systems an EJBCA-signed certificate)
>>>> or as a top-level CA (having EJBCA sign the puppetmaster certificate and
>>>> letting it sign the certificates of client systems).
>>>>
>>>> Thank you!
>>>>
>>>> Cheers
>>>>
>>>> Geza Gemes
>>> Hello Géza,
>>>
>>> As far as I know, nobody has done this. I've actually been at some
>>> point curious if such a thing could be done with Puppet, though. It would
>>> probably be necessary to modularise the certificate-related code in
>>> Puppet and implement a web service-based client in Ruby for use with
>>> EJBCA.
>>>
>>> Best regards
>>>
>>>
>> Hi Branko,
>>
>> I wasn't thinking about a close integration such as having the Puppet CA
>> manipulate EJBCA certificates, which would also be nice, but is not
>> strictly necessary for integration. Puppet can work without the CA
>> component
>> (http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html),
>> at least starting from 3.2. What I was hoping to get confirmation on is
>> that there are adequate EJBCA certificate profiles for signing master
>> and agent certificates, and some example SCEP (e.g. jscep) scripts to
>> renew the certs of the master/agent. If no certificate profiles exist, the
>> other working option would be to create a subCA for the Puppet master.
>>
>> Cheers
>>
>> Geza Gemes
> I haven't had a look at Puppet-created certificates, but my guess is you
> could use the standard server and client certificate profiles (SERVER
> and ENDUSER) - the important part is probably just the client/server
> EKU.
>
> Best regards
>
Thank you!

Will try to find out what extended key usage Puppet is requiring.

Cheers

Geza Gemes
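The following is an added example, not part of the thread and not Puppet's or EJBCA's own code. It uses openssl as a stand-in for an external CA: it issues one certificate with the serverAuth+clientAuth EKU (the kind of thing a SERVER-style profile would give a puppetmaster) and one with clientAuth only (an ENDUSER-style agent profile), verifies both against the CA, and reads the EKU back so it can be compared with whatever Puppet turns out to require. The EKU split, the subject names and the file layout are assumptions; whether Puppet needs exactly these EKUs is, as the last message says, still to be confirmed.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): a throwaway CA built
# with openssl, standing in for EJBCA, issuing a "master" and an "agent"
# certificate with different EKUs and reading the EKU back for inspection.
# All names, paths and EKU choices are assumptions for illustration.
set -e

WORK=${WORK:-$(mktemp -d)}

# Self-signed root that plays the role of the external CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EKU_LIST -> writes NAME.key and NAME.crt signed by the CA.
# EKU_LIST uses openssl's names, e.g. "serverAuth,clientAuth".
issue_cert() {
    name=$1
    eku=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    # Extensions are taken from the ext file, not from the CSR, so the CA
    # (not the requester) decides the EKU, as a certificate profile would.
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE\n' \
        "$eku" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# eku_of CERT -> prints the decoded EKU line from the certificate text,
# e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
eku_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# verify_chain CERT -> succeeds only if CERT chains to the demo CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Build the demo PKI: assumed master profile (server + client EKU) and
# assumed agent profile (client EKU only).
build_demo_pki() {
    make_ca
    issue_cert puppetmaster serverAuth,clientAuth
    issue_cert agent01 clientAuth
}

build_demo_pki
echo "master EKU: $(eku_of "$WORK/puppetmaster.crt")"
echo "agent  EKU: $(eku_of "$WORK/agent01.crt")"
echo "files in:   $WORK"
```

To compare against a real Puppet-generated certificate, point `eku_of` at it; the EKU line it prints is what an EJBCA certificate profile would have to reproduce.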