@Magisus
Last active September 10, 2018 23:06
1) Create self-signed root CA cert
2) Create CSR for intermediate CA cert
3) Sign the intermediate CSR with the root
4) Create CRL for root
5) Create CRL for intermediate
6) Concatenate intermediate cert and root cert into one file (e.g. bundle.pem), intermediate first
7) Concatenate intermediate CRL and root CRL into one file (e.g. crls.pem), intermediate first
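The seven steps above as a runnable openssl script, added here as an example (it is not part of this gist or of Puppet's tooling); the CA names, file names and the ./pki-demo directory are assumptions. It also checks the intermediate-first ordering that the import relies on, and that both CRLs verify against the chain.

```shell
#!/bin/sh
# Root -> intermediate hierarchy per the steps above, built with the openssl CLI,
# plus a check that bundle.pem and crls.pem are ordered intermediate-first.
# CA names, file names and ./pki-demo are constructed for this demo.
set -eu

build_ca_chain() {
  mkdir -p "$1"
  ( cd "$1"
    # one config: [req] for -subj, [ca] for -gencrl, [ca_ext] for CA certificates
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
      '[ca]' 'default_ca = ca_default' '[ca_default]' 'database = index.txt' \
      'crlnumber = crlnumber' 'default_md = sha256' 'default_crl_days = 30' \
      '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
      'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > ca.cnf
    : > index.txt; echo 01 > crlnumber
    # 1) self-signed root CA
    openssl genrsa -out root-key.pem 2048 2>/dev/null
    openssl req -x509 -new -key root-key.pem -subj '/CN=Example Corp Root CA' \
      -days 3650 -config ca.cnf -extensions ca_ext -out root-cert.pem
    # 2) CSR for the intermediate  3) signed by the root
    openssl genrsa -out intermediate-key.pem 2048 2>/dev/null
    openssl req -new -key intermediate-key.pem -subj '/CN=Example Corp Puppet CA' \
      -config ca.cnf -out int.csr
    openssl x509 -req -in int.csr -CA root-cert.pem -CAkey root-key.pem -CAcreateserial \
      -days 1825 -extfile ca.cnf -extensions ca_ext -out int-cert.pem 2>/dev/null
    # 4) 5) an (empty) CRL signed by each CA
    openssl ca -gencrl -config ca.cnf -keyfile root-key.pem -cert root-cert.pem \
      -out root-crl.pem 2>/dev/null
    openssl ca -gencrl -config ca.cnf -keyfile intermediate-key.pem -cert int-cert.pem \
      -out int-crl.pem 2>/dev/null
    # 6) 7) intermediate first, then root
    cat int-cert.pem root-cert.pem > bundle.pem
    cat int-crl.pem root-crl.pem > crls.pem )
}

# 0 when the first cert/CRL in each file is the intermediate's and the whole
# chain, including both CRLs, validates against the root; non-zero otherwise.
check_chain() {
  ( cd "$1" &&
    [ "$(openssl x509 -in bundle.pem -noout -subject)" = "$(openssl x509 -in int-cert.pem -noout -subject)" ] &&
    [ "$(openssl crl -in crls.pem -noout -issuer)" = "$(openssl crl -in int-crl.pem -noout -issuer)" ] &&
    openssl verify -crl_check_all -CAfile root-cert.pem -CRLfile crls.pem int-cert.pem >/dev/null )
}

if command -v openssl >/dev/null 2>&1; then
  dir=${1:-./pki-demo}
  build_ca_chain "$dir"
  check_chain "$dir" && echo "ready for puppetserver ca import: $dir/bundle.pem $dir/crls.pem $dir/intermediate-key.pem"
fi
```

Run as `sh build-ca.sh /path/to/dir`; the three files it names at the end are the ones the import command below takes.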
To import:
puppetserver ca import --cert-bundle bundle.pem --crl-chain crls.pem --private-key intermediate-key.pem
This will install these files in the correct locations for Puppet Server and generate any additional files (e.g. inventory.txt, master's host cert)
Ruby code that we use in Puppet's specs to create the artifacts for a setup like this: https://github.com/puppetlabs/puppet/blob/master/spec/lib/puppet_spec/ssl.rb
In the real world, the root cert would belong to the customer, e.g. their corporate root.