> But I have need for a CA for other purposes anyway, so I've been, for the
> last year (on and off), looking into HashiCorp's Vault.
Are you hard-set on using Vault? I use FreeIPA <https://www.freeipa.org/page/Main_Page>, which includes PKI management (via Dogtag <http://pki.fedoraproject.org/wiki/PKI_Main_Page>), and can be used as the CA for Puppet and also issue the per-node certs.

Technically, Foreman <https://theforeman.org/introduction.html> is doing the work for me -- I use it to manage RHEL/CentOS node provisioning, and the FreeIPA realm enrollment and node certificate creation/deployment happen automagically, along with a Puppet agent run to configure the node, at provision time. For network devices or other operating systems I'm not yet managing with Foreman, I manually create the host record in FreeIPA and then manually create/fetch the cert/key pair.

This stack of tools is not lightweight, and takes some time to get functional, but it's worth the effort. I've used this stack for a few years now, with HA pairs of both FreeIPA and Puppet servers spread across multiple datacenters, and have not had any major issues.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/EB1DEBCE-FB4A-4BA7-ADA5-B3817B4C284B%40distortion.io.
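The manual path the reply describes for a node Foreman does not manage (create the host record in FreeIPA, then create/fetch the cert/key pair and point the Puppet agent at it), spelled out with the stock FreeIPA and certmonger CLIs. This is an added example, not code from the reply's author or from the FreeIPA, Foreman or Puppet projects. Assumptions not stated in the post: the Kerberos realm is EXAMPLE.COM, the node has already been enrolled with ipa-client-install, certificates live under /etc/pki/tls, the FreeIPA CA chain is at /etc/ipa/ca.crt, and the Puppet server side has already been configured to trust that CA (that part is out of scope here). Setting IPA_DRY_RUN=1 prints each command instead of running it, so the flow can be reviewed before touching a live realm.

```shell
#!/bin/sh
# Added example (not from the original post): manual FreeIPA host record +
# per-node cert/key issuance for a node that Foreman is not provisioning.
# Assumed values: REALM, CERT_DIR, and the Puppet agent settings below.
set -eu

REALM="${REALM:-EXAMPLE.COM}"          # assumed Kerberos realm
CERT_DIR="${CERT_DIR:-/etc/pki/tls}"   # assumed cert/key location on the node
IPA_CA_CHAIN="${IPA_CA_CHAIN:-/etc/ipa/ca.crt}"  # written by ipa-client-install

# Execute a command, or print it on one line when IPA_DRY_RUN=1.
run() {
  if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 (admin workstation, with a valid admin Kerberos ticket): create the
# host record. This also creates the host/<fqdn>@REALM principal that the
# certificate request below is bound to. --force skips the forward-DNS check
# for devices whose DNS lives outside FreeIPA; pass an IP instead when IPA
# manages DNS so the A record is created alongside the host.
register_host() {
  fqdn="$1"
  ip="${2:-}"
  if [ -n "$ip" ]; then
    run ipa host-add "$fqdn" --ip-address="$ip"
  else
    run ipa host-add "$fqdn" --force
  fi
}

# Step 2 (on the node, after ipa-client-install): have certmonger generate
# the key, submit the CSR to the IPA CA using the host keytab, store the
# pair, and keep renewing it. -K principal, -N subject, -D DNS SAN,
# -C command run after each (re)issuance so the agent picks up the new cert.
request_host_cert() {
  fqdn="$1"
  run ipa-getcert request \
    -K "host/${fqdn}@${REALM}" \
    -N "CN=${fqdn}" \
    -D "$fqdn" \
    -k "${CERT_DIR}/private/${fqdn}.key" \
    -f "${CERT_DIR}/certs/${fqdn}.crt" \
    -C "systemctl restart puppet"
}

# Step 3 (on the node): confirm certmonger reached MONITORING state and that
# the subject/SAN match the Puppet certname, since the Puppet server checks
# the agent's certname against the certificate's CN/SAN.
verify_host_cert() {
  fqdn="$1"
  run ipa-getcert list -f "${CERT_DIR}/certs/${fqdn}.crt"
  run openssl x509 -in "${CERT_DIR}/certs/${fqdn}.crt" -noout \
    -subject -issuer -ext subjectAltName
}

# Step 4 (on the node): point the Puppet agent at the IPA-issued pair and the
# IPA CA chain instead of the Puppet CA. certificate_revocation is disabled
# because the agent would otherwise expect a Puppet-CA-issued CRL; supply the
# IPA CRL via the hostcrl setting instead if revocation checking is required.
configure_puppet_agent() {
  fqdn="$1"
  run puppet config set --section agent certname "$fqdn"
  run puppet config set --section agent hostcert "${CERT_DIR}/certs/${fqdn}.crt"
  run puppet config set --section agent hostprivkey "${CERT_DIR}/private/${fqdn}.key"
  run puppet config set --section agent localcacert "$IPA_CA_CHAIN"
  run puppet config set --section agent certificate_revocation false
}
```

Step 1 runs wherever the admin ticket is (the Foreman host, in the reply's setup); steps 2 to 4 run on the node itself, which is why they are separate functions rather than one script. Step 3 is the check worth keeping: a cert whose CN/SAN does not equal the agent's certname will chain to the IPA CA correctly and still be rejected by the Puppet server.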