@masterzen
Created November 15, 2010 07:12
Puppet SSL examples
# this simulates how a puppet agent connects to the master: mutual TLS, presenting the node's certificate and key and verifying the master's certificate against the Puppet CA
openssl s_client -host puppet -port 8140 -cert /path/to/ssl/certs/node.domain.com.pem -key /path/to/ssl/private_keys/node.domain.com.pem -CAfile /path/to/ssl/certs/ca.pem
# outputs:
CONNECTED(00000004)
depth=1 /CN=Puppet CA: master.domain.com
verify return:1
depth=0 /CN=macbook.local
verify return:1
---
Certificate chain
0 s:/CN=macbook.local
i:/CN=Puppet CA: master.domain.com
1 s:/CN=Puppet CA: master.domain.com
i:/CN=Puppet CA: master.domain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=puppet.domain.com
issuer=/CN=Puppet CA: master.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1794 bytes and written 1656 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: DB29414CCB1E094675238999C8C00AF3173F441030C44A67D773648E83D76F75
Session-ID-ctx:
Master-Key: 92430ADC9E52BA22023D5E37DED7D9A274B9E5E461CB46C47F1E9B14BE1956B7615FADC2319D9DA091784EC91ED777B3
Key-Arg : None
Start Time: 1289747911
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
# it is possible to display the content of the CA's CRL (the revoked node certificates, with their serial number and the reason for revocation):
openssl crl -text -in /var/lib/puppet/ssl/ca/ca_crl.pem
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=Puppet CA: master.domain.com
Last Update: Nov 14 15:47:42 2010 GMT
Next Update: Nov 13 15:47:42 2015 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 03
Revocation Date: Nov 14 15:47:42 2010 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Signature Algorithm: sha1WithRSAEncryption
a2:cb:cf:d6:95:34:5d:7e:aa:95:cf:cd:7f:ea:1a:da:b0:f4:
15:1f:df:03:28:64:b7:e0:a9:2d:53:df:b7:25:05:64:3e:15:
08:2a:02:6d:42:7f:ad:37:f1:8f:72:66:f5:ed:f0:0b:59:d2:
9f:16:77:18:eb:dc:dd:2e:f0:c4:ea:80:51:cf:35:43:ed:cd:
7d:64:c0:43:dc:85:13:0f:5f:e2:88:78:a9:fc:bf:c3:a5:c6:
e2:0e:8e:9d:95:1e:19:63:03:bb:26:89:9c:52:78:d6:a0:79:
82:1d:2c:44:15:7d:75:42:52:4e:6a:a8:e5:d7:40:c5:b8:4a:
24:d2
# on the node: print the fingerprint of the node's certificate request, to be compared with what the master sees
puppet agent --test --fingerprint
notice: 14:45:FD:59:F2:CC:83:62:4C:4A:D2:2A:37:4F:12:96
# on the master: the fingerprint must match the one printed on the node before the request is signed
puppetca --list node.domain.com --fingerprint
node.domain.com 14:45:FD:59:F2:CC:83:62:4C:4A:D2:2A:37:4F:12:96
# Generate a certificate and private key to be used for a node
puppetca --generate node.domain.com
notice: node.domain.com has a waiting certificate request
notice: Signed certificate request for node.domain.com
notice: Removing file Puppet::SSL::CertificateRequest node.domain.com at '/tmp/master/ssl/ca/requests/node.domain.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest node.domain.com at '/tmp/master/ssl/certificate_requests/node.domain.com.pem'
# display the master's certificate; the agents verify the master's hostname against the Subject Alternative Names (puppet, puppet.domain.com), not only the Subject CN
openssl x509 -text -in /var/lib/puppet/ssl/certs/puppet.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: master.domain.com
Validity
Not Before: Nov 13 14:29:23 2010 GMT
Not After : Nov 12 14:29:23 2015 GMT
Subject: CN=server.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:be:11:7d:0e:32:4d:c4:da:40:7d:7a:17:30:2c:
00:c4:c5:a8:c7:91:31:21:71:50:ef:07:77:79:1a:
07:d6:57:d4:4d:e0:01:b3:78:73:ec:84:dd:71:30:
62:cd:e5:26:fd:54:46:da:e3:3b:be:3b:05:9a:87:
44:9a:5e:b4:41:b7:15:de:20:1d:9d:26:50:44:bc:
e6:64:67:d1:93:ee:3f:20:a6:86:0e:11:5c:de:b1:
da:e5:fb:b5:f1:e1:e9:2e:14:39:47:f2:b8:a4:40:
84:89:18:86:5a:df:3b:68:a4:64:7f:a9:99:93:60:
29:e8:fe:d5:a3:e0:6e:ba:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
Puppet Ruby/OpenSSL Generated Certificate
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F4:FA:5A:03:EF:D5:0C:C3:B6:A0:35:47:D1:49:98:74:D4:09:B4:A9
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
X509v3 Subject Alternative Name:
DNS:puppet, DNS:puppet.domain.com
Signature Algorithm: sha1WithRSAEncryption
70:e3:7c:04:c4:e1:66:07:db:5c:58:d9:64:bb:0a:e7:55:4c:
93:9d:61:0a:2a:a6:3f:de:aa:98:a9:e5:40:45:40:87:62:78:
d3:af:a7:01:a7:b9:ca:ee:b2:44:ff:02:be:8b:54:aa:65:45:
0b:94:2a:56:fa:1d:67:fe:cd:52:09:29:89:bc:2f:4f:6b:30:
cb:de:6a:01:35:43:74:1e:d6:14:2e:f0:43:ac:38:e9:7c:ec:
2c:e6:b8:50:8c:15:07:2f:72:35:82:7f:ad:9c:3a:4f:a7:5c:
d6:e8:87:f9:19:20:1f:8f:2e:2e:28:4c:9f:ea:d7:26:5e:c5:
18:57
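As an added example (not part of the original gist), a small stdlib-only checker that ties the two dumps above together: it parses the text form of `openssl crl -text` into a map of revoked serials and reasons, reads the serial from `openssl x509 -text` output, and reports whether that certificate is revoked. The sample inputs are constructed from the output shown above (serial 03 revoked for Key Compromise; the master's certificate has serial 2).

```python
import re

# Constructed sample input: the CRL text shown above (indentation restored, signature omitted).
CRL_TEXT = """Certificate Revocation List (CRL):
        Issuer: /CN=Puppet CA: master.domain.com
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Nov 14 15:47:42 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
"""
# Constructed sample input: the 'Serial Number' line as `openssl x509 -text` prints it.
CERT_TEXT_OK = "Certificate:\n    Data:\n        Serial Number: 2 (0x2)\n"
CERT_TEXT_REVOKED = "Certificate:\n    Data:\n        Serial Number: 3 (0x3)\n"

def _serial_to_int(value: str) -> int:
    """OpenSSL prints small serials as 'N (0xH)' and others as hex, e.g. '03' or 'aa:bb:cc'."""
    m = re.fullmatch(r"\d+ \((0x[0-9a-fA-F]+)\)", value)
    return int(m.group(1), 16) if m else int(value.replace(":", ""), 16)

def _serial_at(lines, i: int) -> int:
    """Serial on line i; OpenSSL prints long serials on the following line instead."""
    value = lines[i].split(":", 1)[1].strip()
    return _serial_to_int(value or lines[i + 1].strip())

def parse_crl_text(crl_text: str) -> dict:
    """Map each revoked serial (as int) to its CRL reason ('unspecified' if none given)."""
    lines = crl_text.splitlines()
    revoked, current = {}, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            current = _serial_at(lines, i)
            revoked[current] = "unspecified"
        elif s.startswith("X509v3 CRL Reason Code:") and current is not None:
            revoked[current] = lines[i + 1].strip()
    return revoked

def cert_serial(cert_text: str) -> int:
    """Serial number from `openssl x509 -text` output."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Serial Number:"):
            return _serial_at(lines, i)
    raise ValueError("no Serial Number line found")

def revocation_status(cert_text: str, crl_text: str):
    """(is_revoked, reason): whether the certificate's serial is listed in the CRL."""
    revoked = parse_crl_text(crl_text)
    serial = cert_serial(cert_text)
    return serial in revoked, revoked.get(serial)
```

This only reads OpenSSL's text rendering, which is convenient for auditing; for an actual verification decision use `openssl verify -crl_check` against the CA and CRL files so the CRL signature is also checked.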
# extract of the master's auth.conf: a node may only "find" its own catalog ($1 is the node name captured from the path); node.domain.com is additionally allowed to fetch any catalog
...
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow node.domain.com
...
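To make the effect of those rules concrete, here is an added evaluator (not Puppet's own code) for the auth.conf subset used above: `path` (prefix, or `~ regex`), `method` and `allow`, with `$n` expanded from the path regex's capture groups. It assumes Puppet's first-matching-rule-decides, deny-by-default behaviour and omits directives the excerpt does not use (auth, deny, environment); the sample input is the excerpt itself.

```python
import re

# Constructed sample input: the auth.conf excerpt shown above.
AUTH_CONF = """
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow node.domain.com
"""

def parse_auth_conf(text: str) -> list:
    """Parse the subset used above: 'path' (prefix or '~ regex'), 'method' and 'allow' lines."""
    rules, rule = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            # a plain path is a prefix match; '~' introduces a regex with capture groups
            pat = value[1:].strip() if value.startswith("~") else "^" + re.escape(value)
            rule = {"path": re.compile(pat), "methods": set(), "allow": []}
            rules.append(rule)
        elif rule is None:
            raise ValueError(f"directive before any path: {line}")
        elif key == "method":
            rule["methods"].update(v.strip() for v in value.split(","))
        elif key == "allow":
            rule["allow"].extend(v.strip() for v in value.split(","))
    return rules

def authorized(rules: list, node: str, method: str, path: str) -> bool:
    """Deny by default; the first rule whose path and method match decides the request."""
    for rule in rules:
        m = rule["path"].search(path)
        if m is None or (rule["methods"] and method not in rule["methods"]):
            continue
        for entry in rule["allow"]:
            # "$1" is the first capture group of the path regex: the node may only name itself
            name = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), entry)
            if name == "*" or name == node:
                return True
        return False  # matched the rule but no allow entry: denied
    return False
```

Note what the second allow line does: any node whose certificate name is node.domain.com can read every other node's catalog, so such a blanket entry belongs only to hosts that genuinely need it.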