![Page 1: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/1.jpg)
Puppet CA: Certificates explained
Thomas Gelf - PuppetCamp Düsseldorf 2014
Thomas Gelf, nice to meet you!
joined NETWAYS in 2010
formerly more than ten years of...
web (application) development
routing/switching: bank/ISP backbones
ISP: Mail, Hosting, SIP-Carrier, IPv6...
Origins
nationality: Italian
mother tongue: German
kind of.
SOUTH TYROLEAN!!!
Me and Puppet
first Puppet steps with 0.24
talks, articles, blog posts
trainer, consultant
over-certified
Me @ PuppetConf 2014
Had a great time, the conference was awesome!
PuppetConf 2015 will be in Portland - see you there :)
NETWAYS
Netways and Puppet
German Puppet Labs Training Partner
Trainings
Consulting
Workshops
Puppet Trainings
http://www.netways.de/training
What this talk is all about
certificates
puppet certificates
REST API
distributed environments
security issues and their consequences
certificate lifecycle
WHY SHOULD I CARE?
Running Puppet Enterprise?
CERTIFICATES
Public Key Infrastructure - PKI
everybody has their own private key
signs or encrypts a message
verification/decryption uses public key
algorithms: RSA, DSA...
PKI - Wikipedia
X.509
describes how our Puppet PKI works
https:// - you use it every day
ITU-T standard
defines a strict hierarchy
a tree instead of a "web of trust"
X509v3: allows extensions
Certificate structure
(distinguished) name
serial number
algorithm
issuer
validity: FROM - TO
...
The distinguished name: DN
just a string
often a DNS name
could also be "CA: puppet master"
something you should care about!
The revocation list
allows invalidating certificates
does so based on serial numbers
important if you "lose" certificates
Filename extensions
.csr: certificate signing request, Base64
-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----
.pem: a certificate, Base64
-----BEGIN CERTIFICATE-----
Puppet uses .pem also for private keys:
-----BEGIN RSA PRIVATE KEY-----
PUPPET CERTIFICATES
![Page 21: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/21.jpg)
Puppet certificates: archeology
Want to see a fresh new Puppet CA? Try it out!
mkdir /tmp/ssltest
puppet master --no-daemonize --verbose \
  --ssldir /tmp/ssltest \
  --certname test.example.com
![Page 22: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/22.jpg)
Puppet certificates: archeology
A fresh new Puppet CA!
![Page 23: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/23.jpg)
Puppet certificates: archeology
ls -l /tmp/ssltest
![Page 24: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/24.jpg)
Same thing for the agent
puppet agent --test \
  --ssldir /tmp/sslagent \
  --certname test.example.com
![Page 25: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/25.jpg)
We all know the basics
puppet cert list
puppet cert list --all
puppet cert sign test.example.com
puppet cert revoke test.example.com
puppet cert clean test.example.com
find ./ -name 'test.example.com*' -delete
![Page 26: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/26.jpg)
SSL directories
puppet master --configprint ssldir
puppet agent --configprint ssldir
manual configuration makes sense
think about user permissions
~/.puppet, /var/lib/puppet
master and agent on the same host
passenger VS debug (--no-daemonize)
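Two of the points above, that every .pem file in an ssldir may be a certificate, a CSR or a private key, and that the directory's permissions deserve thought, can be checked mechanically. The following script is an added example, not code from the talk or from Puppet: it classifies .pem files by their PEM armour header rather than their extension and flags private keys readable by group or others. The directory layout and PEM bodies it creates are constructed for the demo (the base64 payload is a placeholder, not key material), and the header-to-kind table is this example's own assumption.

```python
import os
import stat
import tempfile

# PEM armour headers that Puppet writes into files sharing the same .pem extension.
# This table is an assumption of the example: the three headers from the slides
# plus the CRL and PKCS#8 private key forms.
PEM_KINDS = {
    "-----BEGIN CERTIFICATE REQUEST-----": "csr",
    "-----BEGIN CERTIFICATE-----": "certificate",
    "-----BEGIN X509 CRL-----": "crl",
    "-----BEGIN RSA PRIVATE KEY-----": "private_key",
    "-----BEGIN PRIVATE KEY-----": "private_key",
}

# Constructed PEM bodies: the base64 payload is a placeholder, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n"


def pem_kind(path):
    """Classify a .pem file by its first armour line instead of trusting the extension."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        first = fh.readline().strip()
    return PEM_KINDS.get(first, "unknown")


def audit_ssldir(ssldir):
    """Walk an ssldir and return sorted (relative path, problem) tuples.

    Two checks: private keys must not be readable by group or others, and every
    .pem file should carry a header we recognise (anything else deserves a look).
    """
    findings = []
    for root, _dirs, files in os.walk(ssldir):
        for name in sorted(files):
            if not name.endswith(".pem"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ssldir)
            kind = pem_kind(path)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if kind == "private_key" and mode & 0o077:
                findings.append((rel, "private key readable by group/others (mode %o)" % mode))
            elif kind == "unknown":
                findings.append((rel, "unrecognised PEM header"))
    return sorted(findings)


def build_sample_ssldir():
    """Create a throwaway ssldir mimicking Puppet's layout, with one deliberately weak CA key."""
    base = tempfile.mkdtemp(prefix="ssltest-")
    layout = {
        "certs/test.example.com.pem": (SAMPLE_CERT, 0o644),
        "private_keys/test.example.com.pem": (SAMPLE_KEY, 0o600),
        "ca/ca_crt.pem": (SAMPLE_CERT, 0o644),
        "ca/ca_key.pem": (SAMPLE_KEY, 0o644),  # too permissive on purpose
        "ca/requests/new.example.com.pem": (SAMPLE_CSR, 0o644),
    }
    for rel, (body, mode) in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    for rel, problem in audit_ssldir(build_sample_ssldir()):
        print(f"{rel}: {problem}")
```

Point `audit_ssldir()` at the output of `puppet master --configprint ssldir` (and the agent's) on a real host; on a box where master and agent share a directory, the private key of the master must not become readable by the user the agent runs as.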
![Page 27: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/27.jpg)
Let's dump a certificate
openssl x509 -in test.example.com.pem -noout -text
puppet cert print test.example.com
![Page 28: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/28.jpg)
Custom data in your certificates
https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
/etc/puppet/csr_attributes.yaml
custom attributes in your CSR
![Page 29: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/29.jpg)
MCollective
![Page 30: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/30.jpg)
Study security guidelines!
Study security guidelines!
Study security guidelines!
STUDY SECURITY GUIDELINES!
puppetlabs.com/mcollective/security-overview
![Page 31: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/31.jpg)
Get inspired by existing modules
make sure you understand them
or write your own ones
re-use Puppet certificates
read about trust
and STUDY THE SECURITY GUIDELINES!
![Page 32: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/32.jpg)
THE REST API
![Page 33: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/33.jpg)
It's a web application!
<VirtualHost *:8140>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+...
SSLHonorCipherOrder on
SSLCertificateFile $ssldir/certs/$fqdn.pem
SSLCertificateKeyFile $ssldir/private_keys/$fqdn.pem
SSLCertificateChainFile $ssldir/ca/ca_crt.pem
SSLCACertificateFile $ssldir/ca/ca_crt.pem
SSLCARevocationFile $ssldir/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
![Page 34: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/34.jpg)
The Rest API
# http://docs.puppetlabs.com/guides/rest_api.html
https://master:8140/{environment}/{resource}/{key}
available on puppet master
and on VERY ancient agents (listen=true)
![Page 35: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/35.jpg)
Puppet REST API URI examples
GET /{environment}/catalog/{node certificate name}
GET /{environment}/file_bucket_file/md5/{checksum}
GET /{environment}/facts/{node certname}
![Page 36: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/36.jpg)
Permissions
http://docs.puppetlabs.com/guides/rest_auth_conf.html
# auth.conf
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
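The rule above only works because the client's certname, taken from its certificate, is substituted for `$1` and compared against the captured path segment, and because auth.conf is evaluated top down with the first matching path and method deciding. The following evaluator is an added example, not Puppet's own auth.conf code: it models that subset of the semantics (regex and prefix paths, method lists, allow/deny with `$n` backreferences and `*` wildcards; `auth` and `environment` are parsed but ignored) over a constructed auth.conf that contains the slide's report rule plus a few invented ones to show ordering.

```python
import re
from dataclasses import dataclass, field

ALL_METHODS = frozenset({"find", "search", "save", "destroy"})

# Constructed auth.conf: the report rule is the one from the slide, the other
# rules are made up to show first-match ordering and wildcard behaviour.
SAMPLE_AUTH_CONF = """
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1

# nodes may only fetch their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# everybody may download the CRL
path /certificate_revocation_list/ca
method find
allow *

# catch-all: only one admin host may touch anything else
path /
allow admin.example.com
"""


@dataclass
class Rule:
    path: str
    regex: bool = False
    methods: frozenset = ALL_METHODS
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)


def parse_auth_conf(text):
    """Parse the subset of auth.conf used here: path, method, allow, deny (in file order)."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            if value.startswith("~"):
                current = Rule(path=value[1:].strip(), regex=True)
            else:
                current = Rule(path=value)
            rules.append(current)
        elif current is None:
            raise ValueError(f"directive before any path: {line!r}")
        elif key == "method":
            current.methods = frozenset(m.strip() for m in value.split(","))
        elif key == "allow":
            current.allow += [v.strip() for v in value.split(",")]
        elif key == "deny":
            current.deny += [v.strip() for v in value.split(",")]
        elif key in ("auth", "environment"):
            pass  # not modelled in this example
        else:
            raise ValueError(f"unknown directive: {line!r}")
    return rules


def _expand(pattern, match):
    """Substitute $1, $2 ... in an allow/deny entry with the regex captures of the path."""
    if match is None:
        return pattern

    def capture(m):
        try:
            return match.group(int(m.group(1)))
        except IndexError:
            return ""  # no such capture group: the entry can never match a real certname

    return re.sub(r"\$(\d+)", capture, pattern)


def _name_matches(pattern, certname):
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # domain wildcard, e.g. *.example.com
        return certname.endswith(pattern[1:])
    return pattern == certname


def authorized(rules, path, method, certname):
    """First rule whose path and method match decides; no matching rule means deny."""
    for rule in rules:
        if rule.regex:
            match = re.search(rule.path, path)
            if match is None:
                continue
        else:
            match = None
            if not path.startswith(rule.path):
                continue
        if method not in rule.methods:
            continue
        if any(_name_matches(_expand(p, match), certname) for p in rule.deny):
            return False
        return any(_name_matches(_expand(p, match), certname) for p in rule.allow)
    return False
```

The fourth assertion in the test is the one worth remembering: the admin host is refused a foreign catalog even though a later rule would allow it, because the catalog rule matched first and that ends the evaluation.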
![Page 37: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/37.jpg)
SSL-enabled curl example
Use your certificates and discover the API:
curl \
  --cert /var/lib/puppet/ssl/certs/host.pem \
  --key /var/lib/puppet/ssl/private_keys/host.pem \
  --cacert /var/lib/puppet/ssl/ca/ca_crt.pem \
  -k -H "Accept: yaml" \
  https://master:8140/production/facts/somehostname
![Page 38: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/38.jpg)
DISTRIBUTED SETUP
![Page 39: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/39.jpg)
Puppet Advanced* Training
![Page 40: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/40.jpg)
Configuration for such a setup
One CA is more than enough:
[master]
ca = false

[agent]
ca_server = ca.example.com
Optionally, still experimental: DNS SRV records
![Page 41: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/41.jpg)
Chain of trust
Since 3.2.1 you can use intermediate CAs to delegate trust
# http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html
[agent]
ssl_client_ca_auth = $certdir/issuer.pem
Tell Apache about your chain:
SSLCertificateChainFile "/path/to/ca_bundle.pem"
![Page 42: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/42.jpg)
It could look like this
             +------------------------+
             |  Root self-signed CA   |
             +------+----------+------+
                    |          |
         +----------+          +------------+
         |                                  |
         v                                  v
+-----------------+                +----------------+
|    Master CA    |                |    Agent CA    |
+--------+--------+                +--------+-------+
         |                                  |
         v                                  v
+-----------------+                +----------------+
| Master SSL Cert |                | Agent SSL Cert |
+-----------------+                +----------------+
![Page 43: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/43.jpg)
SSL Professional?
integrate it in your existing hierarchy
use your own toolchain
ship signed certificates (carefully)
![Page 44: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/44.jpg)
SECURITY
![Page 45: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/45.jpg)
Puppet and security issues
Read Security Disclosures!
https://puppetlabs.com/security/
![Page 46: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/46.jpg)
Thank Heartbleed!
docs.puppetlabs.com/trouble_remediate_heartbleed_overview.html
docs.puppetlabs.com/latest/reference/ssl_regenerate_certificates.html
![Page 47: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/47.jpg)
A specific security problem
Very interesting and worth reading: CVE-2011-3872
"In versions prior to 2.6.12 and 2.7.6, the Puppet CA will improperly insert any certdnsnames values into agent certificates as well as master certificates. This bug was introduced in Puppet 0.24.0."
puppet master --configprint certdnsnames
puppet, puppet.example.com
![Page 48: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/48.jpg)
Study it!
http://links.puppetlabs.com/cve20113872_remediation
Have a look at the remediation toolkit
And to be on the safe side, check your agent certs:
openssl x509 -in test.example.com.pem -noout -text | \
  grep 'Subject Alt' -A 1
X509v3 Subject Alternative Name:
    DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
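Grepping one certificate by hand does not scale to a fleet, and the dangerous case is precisely an agent certificate that carries the master's names. The script below is an added example, not part of the talk or of the remediation toolkit: it parses the `-text` output of openssl, compares every DNS alt name against the certificate's own subject CN and reports the foreign ones. The two openssl excerpts are constructed (the alt names in the first copy the slide's output); feed it the real output of `openssl x509 -noout -text` for every file under `certs/` or `ca/signed/` on the master.

```python
import re

# Constructed excerpt of `openssl x509 -noout -text` for an agent certificate that
# was signed by a CA affected by CVE-2011-3872 (alt names copied from the slide).
SAMPLE_AGENT_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: CN=Puppet CA: puppet.example.com
        Subject: CN=test.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
"""

# Constructed excerpt of a healthy agent certificate (no SAN extension at all).
SAMPLE_CLEAN_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Issuer: CN=Puppet CA: puppet.example.com
        Subject: CN=web1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def parse_cert_text(text):
    """Return (subject CN, [DNS alt names]) from openssl's -text output."""
    subject_cn, dns_names = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            m = re.search(r"CN\s*=\s*([^,/]+)", stripped)
            if m:
                subject_cn = m.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            # openssl prints the names on the following line, comma separated
            for entry in lines[i + 1].split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    dns_names.append(entry[len("DNS:"):])
    return subject_cn, dns_names


def foreign_alt_names(text):
    """DNS alt names an agent certificate carries that are not its own certname."""
    subject_cn, dns_names = parse_cert_text(text)
    return [name for name in dns_names if name != subject_cn]


def audit_agent_certs(cert_texts):
    """Map certname -> offending alt names, for every certificate that has any."""
    report = {}
    for text in cert_texts:
        subject_cn, _ = parse_cert_text(text)
        extra = foreign_alt_names(text)
        if extra:
            report[subject_cn] = extra
    return report


if __name__ == "__main__":
    for certname, names in audit_agent_certs([SAMPLE_AGENT_CERT_TEXT, SAMPLE_CLEAN_CERT_TEXT]).items():
        print(f"{certname}: unexpected alt names {names}")
```

Any hit means the certificate must be revoked and reissued, and, as the next slide says, a CA that has already issued such certificates cannot be repaired by upgrading alone.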
![Page 49: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/49.jpg)
WARNING
"upgrading" doesn't fix a mess like this
old certificates would remain valid
you have to switch to a new CA...
...and this leads us to the next topic
![Page 50: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/50.jpg)
CA LIFECYCLE MANAGEMENT
![Page 51: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/51.jpg)
Bad news
Puppet should allow for automatic resigning of SSL certs
http://projects.puppetlabs.com/issues/7272
There is no such thing in Puppet
"...will be available with Puppet Sites"
![Page 52: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/52.jpg)
YOU ARE ON YOUR OWN
![Page 53: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/53.jpg)
One way of replacing a CA
stop all agents
throw away their certificates
create a new CA with a new name
start your agents
sign their new CSRs
![Page 54: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/54.jpg)
CA...
master: rm -rf $(puppet master --configprint ssldir)
agents: rm -rf $(puppet agent --configprint ssldir)
# default ca_name: "Puppet CA: <master certname>"
CERTNAME=$(puppet master --configprint certname)
TS=$(date +%Y-%m-%d)
puppet cert --generate \
  --ca_name "Puppet CA: $CERTNAME <$TS>" $CERTNAME \
  --dns_alt_names puppet,puppet.example.com
puppet cert --allow-dns-alt-names sign $CERTNAME
![Page 55: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/55.jpg)
You could also
get inspired by the remediation kits
write your own SSH loop
fix it with MCollective (carefully!)
open new feature requests
![Page 56: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/56.jpg)
Don't like trouble?
Before generating your CA:
[master]
ca_ttl = 20y
Leave your company in time
NB: expiration > 2038-01-19 == bad idea
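Whether a given ca_ttl is "in time" or crosses 2038-01-19 depends on when the CA is generated, so it is worth computing instead of guessing. The helper below is an added example, not Puppet's own duration code: it converts ca_ttl strings into seconds, derives the CA's notAfter and checks it against the last instant a signed 32-bit time_t can represent (2038-01-19 03:14:07 UTC). The unit table (a year counted as 365 days, a bare number as seconds) and the generation date are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Unit table for duration settings such as ca_ttl. Assumption of this example:
# a "year" is 365 days and a bare number is seconds, with no calendar/leap handling.
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

# Last instant a signed 32-bit time_t can hold; certificates that expire later
# than this break software that still stores time in 32 bits.
TIME_T_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Constructed CA generation date used by the demo and the test.
EXAMPLE_CREATED = datetime(2014, 10, 1, tzinfo=timezone.utc)


def parse_ttl(value):
    """Convert '20y', '30d', '3600' ... into seconds."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    number, unit = value[:-1], value[-1]
    if unit not in UNIT_SECONDS or not number.isdigit():
        raise ValueError(f"unsupported ttl: {value!r}")
    return int(number) * UNIT_SECONDS[unit]


def ca_not_after(generated_at, ca_ttl):
    """notAfter of a CA certificate generated at generated_at with the given ca_ttl."""
    return generated_at + timedelta(seconds=parse_ttl(ca_ttl))


def ttl_is_safe(generated_at, ca_ttl):
    """True when the CA would expire on or before the 2038 cut-off."""
    return ca_not_after(generated_at, ca_ttl) <= TIME_T_MAX


def longest_safe_ttl_years(generated_at):
    """Largest whole-year ca_ttl that still stays within the cut-off (0 if none does)."""
    years = 0
    while ttl_is_safe(generated_at, f"{years + 1}y"):
        years += 1
    return years


if __name__ == "__main__":
    for ttl in ("5y", "20y", "25y"):
        verdict = "ok" if ttl_is_safe(EXAMPLE_CREATED, ttl) else "beyond 2038"
        print(ttl, ca_not_after(EXAMPLE_CREATED, ttl).date(), verdict)
    print("longest safe ttl:", longest_safe_ttl_years(EXAMPLE_CREATED), "years")
```

For a CA generated in October 2014 the slide's 20y lands in 2034 and is fine, 25y is not, and 23y is the longest whole-year value that stays under the cut-off.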
![Page 57: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/57.jpg)
BTW: WE ARE HIRING ;-)
![Page 58: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/58.jpg)
Thank you for your attention!
![Page 59: Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained](https://reader034.vdocuments.net/reader034/viewer/2022050922/55781ba6d8b42ab40c8b4dba/html5/thumbnails/59.jpg)
Questions?
class puppetcamp {
package { 'questions': ensure => answered }
}