Wednesday, October 6, 2010

Overview of a Puppet Split CA architecture

The Puppet Master CA is the only Certificate Authority (CA) in the whole infrastructure. It issues certificates for all Puppet Agents, and it also manages the Puppet Master systems.

The Puppet Masters are only responsible for compiling the catalogs requested by Puppet Agents; they do not act as a CA themselves. They only accept Puppet Agents whose certificates have been issued by the Puppet Master CA.

Puppet Agents retrieve their certificates from the Puppet Master CA the first time they run. Afterwards they connect to the Puppet Masters to get their catalogs and do not contact the Puppet Master CA again.

Puppet Master CA

The Puppet Master CA manages all Puppet Masters. In particular, it distributes its own Certificate Revocation List (CRL) file to every Puppet Master. The Puppet Master CA also issues certificates to Puppet Agents.

Puppet Master

A Puppet Master runs under Apache and Passenger. The Apache SSL module is configured to require client certificates signed by the Puppet Master CA (/etc/apache2/site-available/puppetmaster):
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth  1

The Puppet Master is also configured to not act as a Puppet CA (/etc/puppet/puppet.conf):
ca = false

Puppet Agent

Puppet Agents retrieve their certificate from the Puppet Master CA and request their catalog from one of the Puppet Masters (/etc/puppet/puppet.conf):
ca_server = PUPPET_MASTER_CA


From a security perspective, setting the SSLVerifyClient option to require protects the Puppet Masters from unknown requests and from revoked Puppet Agents, as long as each master holds a current copy of the CRL. Having the Puppet Master CA manage the Puppet Masters also makes distributing the Puppet Master CA CRL straightforward.

On the reliability front, new systems cannot be added to the infrastructure while the Puppet Master CA is unavailable. However, existing Puppet Agents remain functional as long as they can connect to a Puppet Master.
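As an added example that is not part of the original post, the script below uses a throwaway OpenSSL CA to show why the CRL distribution described above matters: a master that only holds yesterday's CRL keeps accepting an agent certificate the Puppet Master CA has since revoked, while a master holding the current CRL rejects it. It assumes only that the openssl CLI is installed; the CA name, agent name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the post: a throwaway CA issues an agent certificate, later revokes
# it, and we compare how a master with a stale CRL vs. the current CRL treats that cert.
set -e
cd "$(mktemp -d)"
mkdir newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose
[ loose ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# Puppet Master CA (constructed name): self-signed root, then it signs agent01's CSR
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Puppet Master CA" -days 365 -config ca.cnf >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
    -subj "/CN=agent01" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in agent.csr -out agent.crt >/dev/null 2>&1
# verify_like_master CERT CRL: succeeds iff a master holding that CRL would accept CERT
verify_like_master() {
    cat ca.crt "$2" > chain.pem
    openssl verify -crl_check -CAfile chain.pem "$1" >/dev/null 2>&1
}
result() { if verify_like_master "$1" "$2"; then echo accepted; else echo rejected; fi; }
openssl ca -config ca.cnf -gencrl -out crl-day1.pem >/dev/null 2>&1   # nothing revoked yet
BEFORE_REVOCATION=$(result agent.crt crl-day1.pem)                    # accepted
# The Puppet Master CA revokes agent01 and publishes a new CRL
openssl ca -config ca.cnf -revoke agent.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl-day2.pem >/dev/null 2>&1
STALE_MASTER=$(result agent.crt crl-day1.pem)     # accepted: the new CRL never arrived
CURRENT_MASTER=$(result agent.crt crl-day2.pem)   # rejected: CRL distribution did its job
```

The same check, run with the CRL a given Puppet Master actually holds, is a quick way to confirm that the CA's CRL push really reached it.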


  1. Did you ever implement this or extend on the concept further?

    I would be interested to see your approach to SPOF and dual site-failover resilience using this.