On Thursday, March 6, 2014 3:15:39 PM UTC+1, jcbollinger wrote:
>
> Do you see the "ca" in most of those? That stands for "certificate
> authority". The one file that doesn't have it, ssl/crl.pem, is a
> certificate revocation list, which is also associated with the CA. The
> Puppet master provides a (as in one) certificate authority for the
> infrastructure it manages. It will create the needed keys and certificate
> only if they do not already exist.
>
> IMPORTANT: you must not disturb the master's CA. Doing so will make the
> certificates it has already signed unusable, rendering those agents using
> them both unwilling AND unable to request catalogs from that master.
>
Hi John, thanks for the concern and for the insights you are providing.

Yes, now I realize it's not creating the $host cert as I initially said but only the certificate authority files. I think I could just create these files just once and place them in the Docker image to avoid puppet recreating them at any run. Maybe it will not give us any visible gain in performance, but it's trivial to do, so why not.

Also, these "puppet master --compile" processes are not run on the actual puppet master machine(s) but on dedicated testing environments (Jenkins + Docker images), so no harm done to the actual CA :)