Using autosign
In cryptography, as in life, you have to be careful what you sign. Normally, when you introduce a new client to the Puppetmaster, you need to generate a certificate request on the client, and then sign it on the master. However, you can skip this step by enabling autosigning.
How to do it...
Create the file /etc/puppet/autosign.conf on the Puppetmaster with the following contents: *.example.com
How it works...
Puppet checks any incoming certificate requests to see if they match a line from autosign.conf. Any certificate requests from clients with a hostname matching *.example.com will be automatically signed by the Puppetmaster.
Tip
Important: This is a potential security problem, since it amounts to trusting any client that can connect to the Puppetmaster. For this reason, autosigning is not recommended. If you do use it, make sure that the Puppetmaster is protected by a firewall that allows only approved clients or IP ranges to connect. A more secure approach is pre-signing.
See also
- Pre-signing certificates in this chapter