[Pulp-list] pulp and puppet certificates

Trevor Vaughan tvaughan at onyxpoint.com
Wed Sep 10 22:08:12 UTC 2014


All of the certs in both Puppet and Pulp are simply X.509 key pairs.

You absolutely *can* use the same certs for both; the question is whether
or not you want your subsystems on the same trust chain across your systems.

I personally like the separation of my Puppet key infrastructure from all
others since it's effectively the keys to the kingdom on all of your nodes.
I don't like the idea of a less trusted service (Pulp) being able to access
my Puppet keys.

That said, environments are different and you certainly can use the same
keys for everything.

Trevor

On Wed, Sep 10, 2014 at 1:33 PM, James <purpleidea at gmail.com> wrote:

> On Wed, Sep 10, 2014 at 1:21 PM, Cristian Falcas
> <cristi.falcas at gmail.com> wrote:
> > Hello,
> >
> > Can we use pulp with the certificates generated by puppet?
> >
> > What should be done for this? Can we replace the pulp signing of
> > certificates with what puppet does? Or do we need to use the same master ca
> > files from puppet for pulp also?
> >
> > Best regards,
> > Cristian Falcas
> >
>
> What would be really nice is if all the cert management puppet does
> was replaced by FreeIPA...
>
> IIRC, this has been demonstrated, and documented, but it's not common
> practice yet.



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan at onyxpoint.com

-- This account not approved for unencrypted proprietary information --
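
Added example, not part of the original thread: a sketch of the trust-chain separation discussed in the reply above, using two throwaway CAs created with openssl as stand-ins for a Puppet CA and a Pulp CA. All names and paths are constructed for the demo; it shows that a certificate issued under one CA is rejected when verified against the other, which is the isolation given up when both services share a single CA.

```shell
#!/usr/bin/env bash
# Constructed demo: two throwaway CAs stand in for a Puppet CA and a Pulp CA.
# Names and paths are hypothetical; no real Puppet or Pulp files are touched.

make_ca() {      # make_ca <dir> <common-name>
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # issue_cert <ca-dir> <name>; writes <ca-dir>/<name>.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

trusted_by() {   # trusted_by <ca.crt> <cert>; exit 0 if cert chains to that CA
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
  work=$(mktemp -d) || return 1
  make_ca "$work/puppet" "Demo Puppet CA"
  make_ca "$work/pulp" "Demo Pulp CA"
  issue_cert "$work/puppet" node1       # agent cert under the Puppet-like CA
  issue_cert "$work/pulp" consumer1     # consumer cert under the Pulp-like CA
  result=""
  # Verify every leaf against every CA to build the full trust matrix.
  for ca in puppet pulp; do
    for cert in puppet/node1 pulp/consumer1; do
      if trusted_by "$work/$ca/ca.crt" "$work/$cert.crt"; then
        verdict=accept
      else
        verdict=reject
      fi
      result="${result:+$result }$ca-ca:$cert=$verdict"
    done
  done
  rm -rf "$work"
  echo "$result"
}

run_demo
```

With a single shared CA every cell of that matrix would read accept, so any party able to obtain a certificate from the shared CA holds a credential the other service also trusts.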