[Pkg-puppet-devel] Bug#525850: Bug#525850: puppet: Requesting new certificate will overwrite CA certificate

Ansgar Burchardt ansgar at mathi.uni-heidelberg.de
Tue Apr 28 18:40:46 UTC 2009


Hi,

Micah Anderson <micah at riseup.net> writes:

> * Ansgar Burchardt <ansgar at mathi.uni-heidelberg.de> [2009-04-27 10:24-0400]:
>> When puppet initially requests a certificate from puppetmaster, it will
>> overwrite the CA certificate even if it is already present.
>
> Do you mean to say that if you have a signed certificate on the
> puppetmaster for host 'foo.bar.org' and then you reinstall the system
> 'foo' and run puppet again you do not want the existing certificate
> re-generated?
>
> I'm a little confused by your use of the terms "CA certificate". To me,
> CA means "Certificate Authority" and I'm not sure how you are using that
> in this context.

I mean the public key of the certificate authority used to sign the
Puppetmaster's public key (the file "localcacert" refers to on the
client).  There is no reason to overwrite this key when Puppet gets a
new host key.

We have the following setup using two CAs:

 * example.com certification authority
   - signs: puppet.example.com
   - installed on clients as $localcacert before Puppet is started the
     first time.
   - should be trusted by clients

 * puppet.example.com certification authority
   - signs client certificates via puppetca
   - should *not* be trusted by clients
   - used by the server to identify client name

When puppet starts the first time on a client, it asks
puppet.example.com to sign the client.example.com certificate.
It will install the signed certificate, *but* it will also install the
puppet.example.com CA certificate, overwriting the example.com CA
certificate already present.  The client will then not trust the
puppet.example.com certificate...

I may be missing some option to tell puppetca/puppetmaster which CA cert to
send to the clients, but there should be no need to overwrite the CA
certificate already installed on the clients in any case.

Regards,
Ansgar
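An added check illustrating the failure mode described in this thread; it is not part of the bug report or of Puppet itself. A client that pins the fingerprint of the example.com CA it was provisioned with can detect, after its first run, whether the file named by localcacert still holds that CA, has been replaced by the puppet.example.com CA, or has had a second CA appended. The two "certificates" below are constructed placeholder byte strings, not real X.509 data, and the file path is an assumption passed on the command line; the fingerprint function itself works on genuine DER from a real PEM file.

```python
import base64
import hashlib
import re
import sys

# Constructed placeholders standing in for DER-encoded certificates.
# They are NOT real X.509 certificates; only their fingerprints matter here.
EXAMPLE_COM_CA_DER = b"constructed placeholder for the example.com CA certificate"
PUPPET_CA_DER = b"constructed placeholder for the puppet.example.com CA certificate"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE envelope with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_pem(pem_text: str) -> list:
    """Return the SHA-256 fingerprint of every CERTIFICATE block in a PEM file."""
    # b64decode without validate=True silently drops the newlines between lines.
    return [fingerprint(base64.b64decode(m.group(1))) for m in PEM_BLOCK.finditer(pem_text)]


def check_localcacert(pem_text: str, pinned: str) -> str:
    """Classify the CA file against the pinned example.com CA fingerprint.

    ok       - exactly the pinned CA is present
    replaced - the pinned CA is gone (the overwrite this thread reports)
    extra    - the pinned CA is still there but another CA was added
    empty    - no certificate block could be parsed
    """
    found = fingerprints_from_pem(pem_text)
    if not found:
        return "empty"
    if found == [pinned]:
        return "ok"
    if pinned in found:
        return "extra"
    return "replaced"


if __name__ == "__main__":
    # Pin the CA the client was provisioned with before Puppet first ran.
    pinned = fingerprint(EXAMPLE_COM_CA_DER)
    if len(sys.argv) > 1:
        # Assumed usage: pass the path your localcacert setting points at.
        with open(sys.argv[1]) as fh:
            print(check_localcacert(fh.read(), pinned))
    else:
        # Offline demonstration with the constructed placeholders.
        print("before first run:", check_localcacert(to_pem(EXAMPLE_COM_CA_DER), pinned))
        print("after overwrite: ", check_localcacert(to_pem(PUPPET_CA_DER), pinned))
```

Run it once right after provisioning to confirm "ok", and again after the first agent run; "replaced" is the symptom reported above, while "extra" means the puppet.example.com CA was appended rather than swapped in and would also be trusted by the client unless removed.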
