
Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained

Date posted: 25-Dec-2014
Description: Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained by Thomas Gelf, Netways
Transcript:
  • 1. Puppet CA: Certificates explained. Thomas Gelf - PuppetCamp Düsseldorf 2014
  • 2. Thomas Gelf, nice to meet you! Joined NETWAYS in 2010; formerly more than ten years of: web (application) development; routing/switching (bank/ISP backbones); ISP work: mail, hosting, SIP carrier, IPv6...
  • 3. Origins: nationality Italian; mother tongue German, kind of. SOUTH TYROLEAN!!!
  • 4. Me and Puppet: first Puppet steps with 0.24; talks, articles, blog posts; trainer, consultant; over-certified
  • 5. Me @ PuppetConf 2014 Had a great time, the conference was awesome! PuppetConf 2015 will be in Portland - see you there :)
  • 6. NETWAYS
  • 7. Netways and Puppet: German Puppet Labs training partner; trainings, consulting, workshops
  • 8. Puppet Trainings http://www.netways.de/training
  • 9. What this talk is all about: certificates; Puppet certificates; the REST API; distributed environments; security issues and their consequences; the certificate lifecycle
  • 10. WHY SHOULD I CARE?
  • 11. Running Puppet Enterprise?
  • 12. CERTIFICATES
  • 13. Public Key Infrastructure - PKI: everybody has their own private key; it signs or encrypts a message; verification/decryption uses the public key; algorithms: RSA, DSA...
  • 14. PKI - Wikipedia
  • 15. X.509: describes how our Puppet PKI works; https:// - you use it every day; an ITU-T standard; defines a strict hierarchy, a tree instead of a "web of trust"; X509v3 allows extensions
  • 16. Certificate structure: (distinguished) name; serial number; algorithm; issuer; validity: FROM - TO; ...
  • 17. The distinguished name (DN): just a string; often a DNS name; could also be "CA: puppet master"; something you should care about!
  • 18. The revocation list: allows invalidating certificates; does so based on serial numbers; important if you "lose" certificates
  • 19. Filename extensions: .csr is a certificate signing request, Base64 (-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----); .pem is a certificate, Base64 (-----BEGIN CERTIFICATE-----); Puppet uses .pem also for private keys (-----BEGIN RSA PRIVATE KEY-----)
  • 20. PUPPET CERTIFICATES
  • 21. Puppet certificates: archeology. Want to see a fresh new Puppet CA? Try it out!
        mkdir /tmp/ssltest
        puppet master --no-daemonize --verbose --ssldir /tmp/ssltest --certname test.example.com
  • 22. Puppet certificates: archeology A fresh new Puppet CA!
  • 23. Puppet certificates: archeology ls -l /tmp/ssltest
  • 24. Same thing for the agent:
        puppet agent --test --ssldir /tmp/sslagent --certname test.example.com
  • 25. We all know the basics:
        puppet cert list
        puppet cert list --all
        puppet cert sign test.example.com
        puppet cert revoke test.example.com
        puppet cert clean test.example.com
        find ./ -name 'test.example.com*' -delete
  • 26. SSL directories: puppet master --configprint ssldir; puppet agent --configprint ssldir; manual configuration makes sense; think about user permissions (~/.puppet, /var/lib/puppet); master and agent on the same host; Passenger vs. debug (--no-daemonize)
  • 27. Let's dump a certificate: openssl x509 -in test.example.com.pem -noout -text; puppet cert print test.example.com
  • 28. Custom data in your certificates: https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html; /etc/puppet/csr_attributes.yaml holds the custom attributes for your CSR
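Slides 13 to 19 list the pieces (DN, serial, issuer, validity, CRL, CSR) that the `puppet cert sign`, `revoke` and `clean` commands on slide 25 manipulate. The following is an added example, not Puppet's own code: a miniature CA built on Ruby's standard OpenSSL library that signs a CSR for test.example.com, revokes it by serial number, and shows a CRL-aware verifier rejecting it afterwards. Class and method names, the CA's DN and the validity periods are constructed for the demo.

```ruby
require 'openssl'
# Added example, not Puppet's own code: a miniature X.509 CA on Ruby's stdlib OpenSSL that
# mimics "puppet cert sign" and "puppet cert revoke". Names, serials and validity are constructed.
class MiniCA
  def initialize
    @key, @serial, @revoked = OpenSSL::PKey::RSA.new(2048), 1, []
    @cert = skeleton(1, OpenSSL::X509::Name.parse('/CN=Puppet CA: puppet master'), @key.public_key, 5 * 365)
    @cert.add_extension(OpenSSL::X509::ExtensionFactory.new(@cert, @cert).create_extension('basicConstraints', 'CA:TRUE', true))
    @cert.sign(@key, 'SHA256')   # self-signed: the root of the strict X.509 tree
    @crl = build_crl             # an empty CRL is still a valid, signed CRL
  end
  # "puppet cert sign": the CSR's DN becomes the subject; the serial is what a CRL will later name.
  def sign(csr)
    raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
    skeleton(@serial += 1, csr.subject, csr.public_key, 365).sign(@key, 'SHA256')
  end
  # "puppet cert revoke": CRLs list serials, not names, so a lost certificate is invalidated remotely.
  def revoke(c)
    r = OpenSSL::X509::Revoked.new
    r.serial, r.time = c.serial, Time.now
    @revoked << r
    @crl = build_crl
  end
  # What a verifying peer does: chain to the CA *and* consult the CRL.
  def valid?(c)
    store = OpenSSL::X509::Store.new
    store.add_cert(@cert)
    store.add_crl(@crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
    store.verify(c)
  end
  def skeleton(serial, subject, pubkey, days)
    c = OpenSSL::X509::Certificate.new
    c.version, c.serial, c.subject, c.public_key = 2, serial, subject, pubkey   # 2 == X509v3
    c.issuer = @cert ? @cert.subject : subject   # nil @cert: we are building the CA itself
    c.not_before = Time.now - 60
    c.not_after = c.not_before + days * 86_400
    c
  end
  def build_crl
    crl = OpenSSL::X509::CRL.new
    crl.version, crl.issuer = 1, @cert.subject
    crl.last_update, crl.next_update = Time.now - 60, Time.now + 86_400
    @revoked.each { |r| crl.add_revoked(r) }
    crl.sign(@key, 'SHA256')
  end
end
# Agent side: a fresh key and a CSR for the given certname (constructed input).
def agent_csr(certname)
  key, csr = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Request.new
  csr.version, csr.subject, csr.public_key = 0, OpenSSL::X509::Name.parse("/CN=#{certname}"), key.public_key
  csr.sign(key, 'SHA256')
end
```

Dump the returned objects with `to_pem` to see the same `-----BEGIN CERTIFICATE-----` blocks slide 19 describes.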
  • 29. MCollective
  • 30. Study security guidelines! Study security guidelines! Study security guidelines! STUDY SECURITY GUIDELINES! puppetlabs.com/mcollective/security-overview
  • 31. Get inspired by existing modules: make sure you understood them, or write your own ones; re-use Puppet certificates; read about trust and STUDY THE SECURITY GUIDELINES!
  • 32. THE REST API
  • 33. It's a web application! The mod_ssl configuration:
        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+...
        SSLHonorCipherOrder on
        SSLCertificateFile $ssldir/certs/$fqdn.pem
        SSLCertificateKeyFile $ssldir/private_keys/$fqdn.pem
        SSLCertificateChainFile $ssldir/ca/ca_crt.pem
        SSLCACertificateFile $ssldir/ca/ca_crt.pem
        SSLCARevocationFile $ssldir/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData
  • 34. The REST API (http://docs.puppetlabs.com/guides/rest_api.html): https://master:8140/{environment}/{resource}/{key}; available on the puppet master and on VERY ancient agents (listen=true)
  • 35. Puppet REST API URI examples: GET /{environment}/catalog/{node certificate name}; GET /{environment}/file_bucket_file/md5/{checksum}; GET /{environment}/facts/{node certname}
  • 36. Permissions (http://docs.puppetlabs.com/guides/rest_auth_conf.html):
        # auth.conf
        # allow all nodes to store their own reports
        path ~ ^/report/([^/]+)$
        method save
        allow $1
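The auth.conf rule on slide 36 ties the report path to the client certificate name through the `$1` back-reference, which is what stops one node from saving a report under another node's name. Below is an added example, not Puppet's own code: a small evaluator for the subset of auth.conf the slide uses (a regex or prefix `path`, a `method` list, `allow` names with `$N` references). The rule text is the one from the slide; the client certnames are constructed, and the function names are this example's own.

```ruby
# Added example, not Puppet's own code: evaluator for the minimal auth.conf subset on slide 36
# (regex or prefix "path", "method" list, "allow" names with $N back-references).
# Rule text and client certnames are constructed; a real auth.conf has more keywords.
REPORT_RULE = <<~'AUTH'
  # allow all nodes to store their own reports
  path ~ ^/report/([^/]+)$
  method save
  allow $1
AUTH

# Parse one rule: "path ~ regex" becomes a Regexp, a bare path stays a prefix string.
def parse_rule(text)
  rule = { methods: [], allow: [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'   then rule[:path] = value.start_with?('~ ') ? Regexp.new(value[2..]) : value
    when 'method' then rule[:methods] = value.split(/\s*,\s*/)
    when 'allow'  then rule[:allow] = value.split(/\s*,\s*/)
    end
  end
  rule
end

# May a client whose certificate CN is `certname` perform `method` on `path` under `rule`?
def allowed?(rule, path, method, certname)
  # a plain path matches by prefix; a "~" path by regex, whose captures feed the $N references
  m = rule[:path].is_a?(Regexp) ? rule[:path].match(path) : (path.start_with?(rule[:path]) ? [path] : nil)
  return false unless m && rule[:methods].include?(method)
  rule[:allow].any? do |name|
    next true if name == '*'
    name.start_with?('$') ? m[name[1..].to_i] == certname : name == certname
  end
end
```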
