You might want more details about the Puppet Enterprise certificate authority (CA) private key when your organization is doing security audits or when your security team has questions.
Version and installation information
PE version: All supported
Solution
Puppet stores its certificate infrastructure in the SSL directory (ssldir), which has a similar structure on all Puppet nodes, including agent and infrastructure nodes. The CA private key is located on the CA server, usually the primary server, at cadir/ca_key.pem, where the default cadir is /etc/puppetlabs/puppetserver/ca.
The CA private key is generated using the system's cryptographically secure pseudorandom number generator (CSPRNG). The key must be a .pem file readable by the pe-puppet service account. The PEM content of the file must start with either BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY; an encrypted key (a PEM header containing ENCRYPTED) is not allowed. The key must be RSA.
The entire CA chain must use SHA-2 or stronger as its signing algorithm. SHA-1 and MD5 are no longer sufficient and are rejected by modern OpenSSL versions with a "too weak" error.
The CA private key is one of the most security-critical files in the Puppet certificate infrastructure. Permissions on the file should be set to mode 0640 (-rw-r-----), with pe-puppet as both the file owner and group (pe-puppet:pe-puppet).
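An added audit script (not Puppet's own tooling) that checks a CA key file against the requirements above: PEM header, no encryption, mode 0640, pe-puppet ownership, and, via the openssl CLI, that the key is RSA and the CA certificate is not signed with SHA-1 or MD5. It assumes GNU stat, the default cadir, and that the CA certificate sits beside the key as ca_crt.pem (an assumption; pass another path if yours differs).

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): audit a PE CA private key against
# the requirements in the article. Assumes GNU stat and the default PE cadir.
CA_DIR=/etc/puppetlabs/puppetserver/ca

# check_ca_key KEYFILE [OWNER:GROUP] -> prints findings; returns 0 only if all pass.
check_ca_key() {
  key="${1:-$CA_DIR/ca_key.pem}"; want_owner="${2:-pe-puppet:pe-puppet}"; rc=0
  [ -r "$key" ] || { echo "FAIL: $key is missing or not readable"; return 1; }
  header=$(head -n 1 "$key")
  # Encrypted keys appear as "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or as a
  # traditional header followed by "Proc-Type: 4,ENCRYPTED"; neither is allowed.
  if head -n 2 "$key" | grep -q ENCRYPTED; then
    echo "FAIL: encrypted private key is not supported"; rc=1
  else
    case "$header" in
      "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----")
        echo "OK:   PEM header: $header" ;;
      *) echo "FAIL: unexpected PEM header: $header"; rc=1 ;;
    esac
  fi
  # Mode must be exactly 0640 (-rw-r-----): owner rw, group r, others nothing.
  mode=$(stat -c %a "$key")
  if [ "$mode" = "640" ]; then echo "OK:   mode 0$mode"
  else echo "FAIL: mode 0$mode, expected 0640"; rc=1; fi
  owner=$(stat -c %U:%G "$key")
  if [ "$owner" = "$want_owner" ]; then echo "OK:   owner $owner"
  else echo "FAIL: owner $owner, expected $want_owner"; rc=1; fi
  return $rc
}

# check_ca_crypto KEYFILE CERTFILE -> the key must parse as RSA (a PKCS#8 header
# alone does not say which algorithm), and the CA certificate must not be
# signed with SHA-1 or MD5. Needs the openssl CLI. ca_crt.pem is an assumed name.
check_ca_crypto() {
  key="${1:-$CA_DIR/ca_key.pem}"; crt="${2:-$CA_DIR/ca_crt.pem}"; rc=0
  if openssl rsa -in "$key" -noout -check >/dev/null 2>&1; then
    echo "OK:   key is a valid RSA private key"
  else echo "FAIL: key is not a readable RSA private key"; rc=1; fi
  alg=$(openssl x509 -in "$crt" -noout -text 2>/dev/null | awk '/Signature Algorithm/ {print $3; exit}')
  case "$alg" in
    *sha1*|*SHA1*|*md5*|*MD5*|"") echo "FAIL: CA cert signature algorithm: '$alg'"; rc=1 ;;
    *) echo "OK:   CA cert signature algorithm: $alg" ;;
  esac
  return $rc
}

# Usage on the CA server (as root or pe-puppet): check_ca_key && check_ca_crypto
```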