Use the API to sign certificate signing requests (CSRs) from nodes that aren’t the Puppet Enterprise certificate authority (CA).
Version and installation information
PE version: All supported versions
Solution
Note: If you’re not using the default Hiera configuration with common.yaml for common or default values, you need to modify these instructions.
Add nodes to the CA allowlist using Hiera, then use the /puppet-ca/v1/certificate_status endpoint from an allowlisted node to sign and revoke CSRs.
- Edit common.yaml to add hostnames to the CA allowlist using Hiera. Note: The primary server certname is included in the CA allowlist by default; you do not need to add it. You can’t allowlist an IP address, because the allowlist is matched against the certname in the client’s certificate, not its address. Any node on this list can sign, revoke and delete any certificate in the deployment, so protect its private key as you would the CA’s own.

puppet_enterprise::profile::certificate_authority::client_whitelist:
  - agent2.example.com
- Update the Hiera configuration. On the primary server, run puppet agent -t
- On any node that you’ve added to the CA allowlist, use the /puppet-ca/v1/certificate_status endpoint to sign or revoke certificates. The node authenticates with its own agent certificate and key. Note: You cannot make multiple certificate requests in one API request. Sign or revoke one cert name in each request.
To sign a certificate:

curl -X PUT -H "Content-Type: application/json" \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  "https://<PRIMARY_SERVER_FQDN>:8140/puppet-ca/v1/certificate_status/<CERTNAME>?environment=<ENVIRONMENT_NAME>" \
  -d '{"desired_state":"signed"}'

To revoke a certificate (revocation adds the certificate to the CRL and cannot be undone; the node needs a new certificate to reconnect):

curl -X PUT -H "Content-Type: application/json" \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  "https://<PRIMARY_SERVER_FQDN>:8140/puppet-ca/v1/certificate_status/<CERTNAME>?environment=<ENVIRONMENT_NAME>" \
  -d '{"desired_state":"revoked"}'

To delete a certificate (this removes the CA’s copy of the certificate and any pending CSR for that certname):

curl -X DELETE -H "Content-Type: application/json" \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  "https://<PRIMARY_SERVER_FQDN>:8140/puppet-ca/v1/certificate_status/<CERTNAME>?environment=<ENVIRONMENT_NAME>"
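The steps above are usually typed into a shell on the allowlisted node, so the following is an added example (not part of this article and not Puppet’s own tooling) that wraps the three calls in one POSIX shell script. It validates the certname before it is placed in the request path, builds the URL and JSON body in separate functions, sends the request with the node’s own agent certificate, and prints the HTTP status so that a 403 (node not on the allowlist) or 404 (unknown certname) is visible rather than lost. It also adds a GET-based `status` action, which the same endpoint supports, so you can look at a certificate’s state before revoking it. The hostname puppet.example.com and the environment name production are assumed defaults and can be overridden with the PRIMARY_SERVER_FQDN and PUPPET_ENVIRONMENT variables.

```shell
#!/bin/sh
# Added example, not from the original article or from Puppet.
# Wrapper around /puppet-ca/v1/certificate_status, run from a node on the
# CA allowlist. PRIMARY_SERVER_FQDN and PUPPET_ENVIRONMENT are assumed
# names; the defaults below are placeholders for a real deployment.
set -eu

PRIMARY="${PRIMARY_SERVER_FQDN:-puppet.example.com}"
ENVIRONMENT="${PUPPET_ENVIRONMENT:-production}"

# Accept only DNS-style certnames. The certname is interpolated into the
# request path, so reject anything that could alter the path or query.
validate_certname() {
  case "$1" in
    ''|*[!a-zA-Z0-9.-]*|-*|.*|*..*) return 1 ;;
    *) return 0 ;;
  esac
}

# One certname per request: the endpoint does not accept batches.
ca_url() {
  printf 'https://%s:8140/puppet-ca/v1/certificate_status/%s?environment=%s' \
    "$PRIMARY" "$1" "$ENVIRONMENT"
}

# Body for PUT. Only "signed" and "revoked" are valid desired states.
ca_body() {
  case "$1" in
    signed|revoked) printf '{"desired_state":"%s"}' "$1" ;;
    *) return 1 ;;
  esac
}

# Send the request with this node's agent cert (mutual TLS). The response
# body goes to stderr; the HTTP status code is captured and checked.
ca_request() {
  action="$1"; certname="$2"
  validate_certname "$certname" || { echo "bad certname: $certname" >&2; return 1; }
  url="$(ca_url "$certname")"
  cert="$(puppet config print hostcert)"
  key="$(puppet config print hostprivkey)"
  cacert="$(puppet config print localcacert)"
  case "$action" in
    status)
      code="$(curl -sS -o /dev/stderr -w '%{http_code}' \
        --cert "$cert" --key "$key" --cacert "$cacert" -X GET "$url")" || code=000 ;;
    delete)
      code="$(curl -sS -o /dev/stderr -w '%{http_code}' \
        --cert "$cert" --key "$key" --cacert "$cacert" -X DELETE "$url")" || code=000 ;;
    signed|revoked)
      code="$(curl -sS -o /dev/stderr -w '%{http_code}' \
        --cert "$cert" --key "$key" --cacert "$cacert" -X PUT \
        -H 'Content-Type: application/json' \
        -d "$(ca_body "$action")" "$url")" || code=000 ;;
    *)
      echo "usage: $0 status|signed|revoked|delete CERTNAME" >&2; return 2 ;;
  esac
  echo "$action $certname -> HTTP $code" >&2
  [ "$code" -ge 200 ] && [ "$code" -lt 300 ]
}

# Example invocation: ./ca-status.sh signed agent3.example.com
if [ $# -ge 2 ]; then
  ca_request "$1" "$2"
fi
```

Run `status` first when revoking: a certname that is already revoked or has no certificate yields a non-2xx response, and the exit status of the script tells you which.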
2 comments
whitelist is deprecated, should be allowlist now
This one is older, so even though the terminology is outdated, it matches the versions on this. However, I'm going to send an email along, because I feel like there's some other possibilities here.