Common questions and answers we get from customers about the self-signed certificate authority in Puppet Enterprise.
Version and installation information
PE version: All supported
Will you get a certificate warning pop-up in your browser?
The warning appears because the console's certificate is issued by the PE-internal Puppet CA, which your browser does not trust. To avoid it, either replace the console certificate with one issued by a CA your browsers already trust, or import the Puppet CA certificate into the browser or OS trust store on the machines that use the console. To use a custom SSL certificate for the console, read our documentation.
Is a Puppet agent vulnerable to a machine-in-the-middle (MitM) attack for using a self-signed certificate or connecting to a service running a self-signed certificate in PE?
A Puppet agent is not vulnerable to a MitM attack once it holds the Puppet CA certificate: every later connection to the primary server is verified against that CA, and the agent's own certificate is issued by it. By default, a Puppet agent downloads the Puppet CA certificate from the primary server at installation time and adds it to its trust store (the agent's ssldir). This is trust on first use (ToFU): that one initial download is not itself authenticated, so an attacker who can intercept it could hand the agent a different CA. To close that window, verify the fingerprint of the downloaded CA certificate out of band against the value on the primary server, or skip ToFU entirely and install *nix agents with a manually transferred CA certificate. To disable ToFU and install the *nix agents using a manually transferred certificate, read our documentation.
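The out-of-band fingerprint check described above, as an added example that is not part of this article or of PE itself. It assumes you have already recorded the SHA-256 fingerprint of the root CA certificate on the primary server (for instance with `openssl x509 -noout -fingerprint -sha256 -in <cert>`) and carried it to the agent by some channel other than the Puppet connection. The certificate bytes used here are constructed placeholders so the example runs offline; point `bundle_contains_expected_ca` at the agent's downloaded ca.pem in real use. Note that the downloaded ca.pem is a bundle (intermediate and root), so each certificate in it is fingerprinted, not just the first.

```python
"""Check a downloaded Puppet CA bundle against an out-of-band fingerprint."""
import base64
import hashlib
import hmac
import re
import textwrap
from typing import List

# A PEM bundle may hold several certificates (the ca.pem an agent receives
# carries the intermediate and the root CA certs). Capture each base64 body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    # b64decode discards the line breaks inside the body by default.
    return [base64.b64decode(m.group(1).encode()) for m in _PEM_CERT.finditer(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form that
    `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'abcd...', or 'sha256 Fingerprint=AB:CD:...' and
    return bare upper-case hex so copy-and-paste differences do not matter."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def bundle_contains_expected_ca(pem_text: str, expected_fp: str) -> bool:
    """True if any certificate in the bundle has the expected fingerprint.
    A constant-time compare is used so the check itself leaks nothing."""
    want = normalize_fingerprint(expected_fp)
    if len(want) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return any(
        hmac.compare_digest(normalize_fingerprint(sha256_fingerprint(der)), want)
        for der in split_pem_bundle(pem_text)
    )


def pem_encode(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column body)."""
    body = base64.b64encode(der).decode()
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(body, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed placeholders standing in for the DER of the intermediate and root
# CA certificates. They are NOT real certificates; they exist only so the
# example runs offline.
INTERMEDIATE_DER_PLACEHOLDER = b"constructed placeholder: PE intermediate CA DER " * 8
ROOT_DER_PLACEHOLDER = b"constructed placeholder: PE root CA DER " * 8
SAMPLE_CA_BUNDLE = pem_encode(INTERMEDIATE_DER_PLACEHOLDER) + pem_encode(ROOT_DER_PLACEHOLDER)

# In real use this value is read on the primary server and carried out of band
# (ticket, secret store, a console you trust). Here it is derived from the
# placeholder so the example is self-contained.
EXPECTED_ROOT_FINGERPRINT = sha256_fingerprint(ROOT_DER_PLACEHOLDER)


if __name__ == "__main__":
    for der in split_pem_bundle(SAMPLE_CA_BUNDLE):
        print(sha256_fingerprint(der))
    ok = bundle_contains_expected_ca(SAMPLE_CA_BUNDLE, EXPECTED_ROOT_FINGERPRINT)
    print("CA bundle trusted" if ok else "CA bundle REJECTED: fingerprint mismatch")
```

If the check fails, do not run the agent against that primary server: remove the downloaded ca.pem from the agent's ssldir and investigate the path the download took before retrying.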
Can you use a CA certificate that isn’t self-signed in PE?
We recommend that you don't use an independent intermediate certificate authority with PE, because Puppet can't provide support for all the possible issues that can arise from that configuration. To learn what is supported, read Use an independent intermediate certificate authority in our documentation.
Is a Puppet agent certificate signed by the root CA certificate in PE?
Not directly. The built-in Puppet certificate authority automatically generates a root CA certificate and an intermediate CA certificate in PE, and agent certificates are issued by the intermediate CA rather than by the root. The CA bundle (ca.pem) that an agent downloads contains both the intermediate and the root certificate, so the chain from an agent certificate up to the root validates on every node.
Where does the key for a Puppet CA certificate get stored, and who can access it in PE?
Puppet stores its certificate infrastructure in the SSL directory (ssldir), which has a similar structure on all Puppet nodes. The CA private key (ca_key.pem) exists only on the primary server, in the Puppet Server CA directory (/etc/puppetlabs/puppetserver/ca on Puppet 6 and later), and should be readable only by root and the Puppet Server service account; an agent's ssldir holds just the CA certificate bundle and the agent's own key and certificate. Treat access to the CA key as equivalent to the ability to issue certificates for any node. To learn more about the location, contents, and the ssldir directory structure, read our documentation.