On Mar 15, 2010, at 8:26 AM, Ohad Levy wrote:

> ssl has nothing to do with mongrel or passenger, as ssl is handled in apache
> (or nginx).
>
> as far as it goes for SSL, you have two options:
> 1. a single CA
> 2. CA chain hierarchy.
>
> the first option is simple, one of your puppetmasters will be your CA, and
> every sign will run on it, you would require it for any new certs that are
> introduced to your setup.
>
> the second option works as well, and is described at
> http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability
> under Centralised_Puppet_Infrastructure
What about creating one certificate authority using puppet and then manually
copying it to all the servers as a temporary solution? The two problems I see
are:

1) The CRL doesn't work due to duplicate serial numbers.
2) Not having the server's real name in the root might be a problem if all
   your clients don't use just puppet for the hostname.

Is this actually likely to work?

> if you can afford using a single machine for signing your certs, I would
> recommend you going to option 1 (as someone using option 2 for a few years
> now).
>
> Cheers,
> Ohad
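The first problem raised above, duplicate serial numbers when several puppetmasters issue certificates from one hand-copied CA, is easy to check for and worth understanding concretely: a CRL identifies revoked certificates by serial number only, so two agents whose certificates share a serial are revoked together. The script below is an added example, not code from this thread or from Puppet. It walks just enough DER to reach `serialNumber` in a certificate, flags serials issued more than once, and reports which hosts a single CRL entry would knock out. The certificates it runs on are constructed toy byte strings, truncated right after the serial field, and the host names are made up.

```python
"""Detect duplicate X.509 serial numbers across certificates signed by
puppetmasters that each run the same copied CA (added example, not from the
thread). Only the DER fields needed to reach serialNumber are parsed."""


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Extract serialNumber from a DER Certificate (RFC 5280 section 4.1).

    Certificate  ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
                                serialNumber INTEGER, ... }, ... }
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, field, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # EXPLICIT [0] version is present (v2/v3 certificates)
        tag, field, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(field, "big", signed=True)


def find_duplicate_serials(certs_by_host):
    """Return {serial: [hosts]} for every serial that appears on more than one cert."""
    seen = {}
    for host, der in certs_by_host.items():
        seen.setdefault(certificate_serial(der), []).append(host)
    return {s: sorted(hosts) for s, hosts in seen.items() if len(hosts) > 1}


def revocation_blast_radius(certs_by_host, revoked_serial):
    """Hosts whose certificate a CRL entry for revoked_serial would invalidate.

    With one CA and unique serials this is exactly one host; with a copied CA
    and colliding serials it is every host that drew the same number."""
    return sorted(h for h, der in certs_by_host.items()
                  if certificate_serial(der) == revoked_serial)


# --- constructed sample data (NOT valid certificates) ----------------------

def _tlv(tag, content):
    """Short-form DER TLV; enough for the toy data below (content < 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _toy_cert(serial):
    """A v3 TBSCertificate truncated right after serialNumber, so the walker
    above has something realistic to parse. Constructed for this example."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))          # [0] EXPLICIT INTEGER 2
    serial_field = _tlv(0x02, serial.to_bytes(1, "big"))  # serialNumber
    tbs = _tlv(0x30, version + serial_field)
    return _tlv(0x30, tbs)


# Two masters that both started from the same copied CA serial counter hand
# out serial 2 independently; the third master's cert does not collide.
SAMPLE_CERTS = {
    "agent-a.example.test": _toy_cert(2),   # signed on puppetmaster 1
    "agent-b.example.test": _toy_cert(2),   # signed on puppetmaster 2
    "agent-c.example.test": _toy_cert(3),   # signed on puppetmaster 1
}

if __name__ == "__main__":
    for serial, hosts in find_duplicate_serials(SAMPLE_CERTS).items():
        print("serial %d issued to %s" % (serial, ", ".join(hosts)))
        print("  revoking it would also revoke:",
              revocation_blast_radius(SAMPLE_CERTS, serial))
```

On a real deployment the dictionary would be filled from the signed-certificate directory of each master (read the files in binary mode; PEM needs base64-decoding between the `-----BEGIN/END CERTIFICATE-----` lines first). Any non-empty result from `find_duplicate_serials` means the shared-CA shortcut has already produced certificates that a CRL cannot distinguish.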