The client is joined to the IPA domain and gets a certificate from the sub-ca `puppet` with `ipa-getcert request -x puppet`. In order for the puppet agent to be able to talk to the puppet server I need the puppet sub-ca certificate.
How can I distribute the sub-ca certificate to the client? Running `ipa-certupdate` did not work.
Thanks
Jakob Ackermann via FreeIPA-users wrote:
> The client is joined to the IPA domain and gets a certificate from the sub-ca `puppet` with `ipa-getcert request -x puppet`. In order for the puppet agent to be able to talk to the puppet server I need the puppet sub-ca certificate.
> How can I distribute the sub-ca certificate to the client? Running `ipa-certupdate` did not work.
Create a file containing the pem for the sub CA:
$ ipa ca-show test --certificate-out=/tmp/test.pem
Add that to the list of managed CA certs:
# ipa-cacert-manage install /tmp/test.pem
Now ipa-certupdate will pull it.
rob
On Tue, Feb 04, 2020 at 01:51:43PM -0500, Rob Crittenden via FreeIPA-users wrote:
> Jakob Ackermann via FreeIPA-users wrote:
> > The client is joined to the IPA domain and gets a certificate from the sub-ca `puppet` with `ipa-getcert request -x puppet`. In order for the puppet agent to be able to talk to the puppet server I need the puppet sub-ca certificate.
> > How can I distribute the sub-ca certificate to the client? Running `ipa-certupdate` did not work.
> Create a file containing the pem for the sub CA:
> $ ipa ca-show test --certificate-out=/tmp/test.pem
> Add that to the list of managed CA certs:
> # ipa-cacert-manage install /tmp/test.pem
> Now ipa-certupdate will pull it.
Alternatively, instead of adding the sub-CA cert to the trust store directly, if the puppet agent trusts the main IPA CA then you can add the puppet sub-CA certificate (Rob showed how to export that) to the certificate chain presented by the Puppet server.
Cheers, Fraser
This is exactly what I tried before, and the puppet agent complained that it could not find the CA its certificate was signed with. This is a limitation in puppet.
Rob's answer worked for me around the puppet limitation. Any reason why I would not want to add the sub-ca certificate into the managed certs?
Thanks so much.
On Wed, Feb 05, 2020 at 06:19:16PM -0000, Jakob Ackermann via FreeIPA-users wrote:
> This is exactly what I tried before, and the puppet agent complained that it could not find the CA its certificate was signed with. This is a limitation in puppet.
OK, thanks for clarifying.
> Rob's answer worked for me around the puppet limitation. Any reason why I would not want to add the sub-ca certificate into the managed certs?
If the sub-CA cert gets renewed it will not automatically be updated in the trust store. If you revoke the sub-CA cert but clients explicitly trust it, the clients may not check revocation status of the sub-CA.
Other than those points, there is no harm in doing it since the trust is transitive anyway.
Cheers, Fraser
> Thanks so much.
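Rob's procedure (export the sub-CA cert, register it with ipa-cacert-manage, let ipa-certupdate pull it) and Fraser's caveat that a renewed sub-CA cert is not pushed to clients automatically, put together in one script as an added example; this is not code from the thread or from the FreeIPA project. It assumes the sub-CA is named `puppet` (as in the thread), that `/etc/ipa/ca.crt` is the CA bundle ipa-certupdate maintains on clients, an admin Kerberos ticket wherever `ipa ca-show` runs, and root for `ipa-cacert-manage` (server) and `ipa-certupdate` (client). The `pem_*` helpers are hypothetical names; they are written with awk and grep so the presence check works on a minimal client without openssl.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Wraps Rob's steps
# (export the sub-CA cert, register it with ipa-cacert-manage, pull it with
# ipa-certupdate) and adds a presence check plus a drift check for Fraser's
# point that a renewed sub-CA cert is not pushed to clients automatically.
# Assumptions: sub-CA named "puppet" (from the thread); /etc/ipa/ca.crt is the
# CA bundle ipa-certupdate maintains on clients; an IPA admin ticket (kinit)
# for "ipa ca-show"; root for ipa-cacert-manage (server) and ipa-certupdate.
set -eu

SUBCA_NAME="${SUBCA_NAME:-puppet}"
EXPORT_PEM="${EXPORT_PEM:-/tmp/${SUBCA_NAME}-ca.pem}"
CLIENT_BUNDLE="${CLIENT_BUNDLE:-/etc/ipa/ca.crt}"

# Print the base64 body of every certificate in a PEM file, one cert per line,
# with line wrapping and CR/whitespace removed (awk only, no openssl needed).
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Number of certificates in a PEM file (prints 0 for none).
pem_count() {
    pem_bodies "$1" | grep -c . || true
}

# Succeed only if $1 holds at least one certificate and every certificate in
# $1 appears byte-for-byte in bundle $2.
pem_contained_in() {
    needle="$1"; haystack="$2"
    [ "$(pem_count "$needle")" -gt 0 ] || return 1
    pem_bodies "$needle" | while IFS= read -r body; do
        # exit leaves only the pipeline subshell; the loop's status becomes ours
        pem_bodies "$haystack" | grep -qxF -- "$body" || exit 1
    done
}

# Server side, as root with an admin ticket: Rob's two commands plus a sanity
# check that exactly one certificate was exported before it is installed.
server_publish_subca() {
    ipa ca-show "$SUBCA_NAME" --certificate-out="$EXPORT_PEM"
    [ "$(pem_count "$EXPORT_PEM")" -eq 1 ]
    ipa-cacert-manage install "$EXPORT_PEM"
}

# Client side, as root: refresh the trust stores, then confirm the sub-CA cert
# IPA currently serves really is in the bundle instead of assuming it.
client_refresh_and_verify() {
    ipa-certupdate
    subca_drift_check
}

# Drift check: re-export the sub-CA cert IPA has now and compare it with the
# copy in the client bundle. After a sub-CA renewal they differ, and Rob's
# install step plus ipa-certupdate must be repeated.
subca_drift_check() {
    current="$(mktemp)"
    ipa ca-show "$SUBCA_NAME" --certificate-out="$current"
    if pem_contained_in "$current" "$CLIENT_BUNDLE"; then
        echo "sub-CA '$SUBCA_NAME': trust store copy matches IPA"; rc=0
    else
        echo "sub-CA '$SUBCA_NAME': missing or stale in $CLIENT_BUNDLE (renewed?)" \
             "- re-run ipa-cacert-manage install and ipa-certupdate" >&2; rc=1
    fi
    rm -f "$current"
    return "$rc"
}

case "${1:-}" in
    publish) server_publish_subca ;;
    refresh) client_refresh_and_verify ;;
    drift)   subca_drift_check ;;
    "")      ;;   # run without arguments: only define the functions
    *)       echo "usage: $0 publish|refresh|drift" >&2; exit 2 ;;
esac
```

Run `publish` once on a server, `refresh` on each client, and `drift` from a periodic job on clients; a non-zero exit from `drift` is the signal that the sub-CA was renewed and the install step needs repeating. Comparing the exported PEM body rather than just the subject name is deliberate: after a renewal the subject is unchanged, so only a byte-level comparison detects the stale copy.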
freeipa-users@lists.fedorahosted.org