Garrett Guillotte gguillotte

Intermediate CA Signing with Puppet

Problem statement

Many sites have a requirement to use an enterprise-wide certificate authority. They either have a "real" signing cert that chains to a public root CA or an internal root (usually air-gapped) which only signs issuing CA certificates, one per PKI application.

Puppet does not have a currently supported configuration which fits into this model. The [existing documentation][existing] describes using an "external CA" instead of Puppet's internally generated CA (which is a combined self-signed Root and issuing CA in one), but requires that the user turn off Puppet's issuance code and leaves the whole certificate generation and distribution workflow as an "exercise to the reader".

The procedure in this document describes a supportable configuration which bridges the gap between these two positions: it is possible to use Puppet's internal signing code to issue certificates from an intermediate CA cert which was externally generated and signed. There are a

	#!/bin/bash

	# Exit upon error.
	set -e

	# Exit with debugging if there is an error.

	function trap_exit() {
	[ "$1" -ne "0" ] && echo Error: Command [$2] failed with error code [$1] ... exiting.
	}

	#!/usr/bin/perl -w
	use strict;

	# make_gores.pl
	#
	# Given a raw PPM image which is the cylindrical projection map of a
	# sphere (a planet, etc), creates an interrupted sinusoidal gore map,
	# suitable for printing, cutting out, and bending into a paper globe.
	#
	# Mitchell Charity <[email protected]>