4.5.4. Apply Certificates

All clients in a SIMP system must have Public Key Infrastructure (PKI) keypairs generated for the server. These keys reside in the /var/simp/environments/simp/site_files/pki_files/files/keydist directory on the SIMP server and are served to the clients over the puppet protocol.

Note: These keypairs are not the keys that the Puppet server uses for its operation. Do not get the two confused. See Certificate Management for more information.

This section provides guidance on installing official certificates or, as an interim measure, generating certificates from the Fake (self-signing) Certificate Authority provided by SIMP.
4.5.4.1. Installing Official Certificates

Below are the steps to install official certificates for a SIMP client on the SIMP server:

- Copy the certificates received from a proper CA to the SIMP server.
- Add the keys for the node to /var/simp/environments/simp/site_files/pki_files/files/keydist.
  Type
    mkdir -p /var/simp/environments/simp/site_files/pki_files/files/keydist/<Client System FQDN>
  Type
    mv <Certificate Directory>/<FQDN>.{pem,pub} \
      /var/simp/environments/simp/site_files/pki_files/files/keydist/<FQDN>
  Type
    chown -R root.puppet /var/simp/environments/simp/site_files/pki_files/files/keydist
  Type
    chmod -R u=rwX,g=rX,o-rwx /var/simp/environments/simp/site_files/pki_files/files/keydist
- Create and populate the /var/simp/environments/simp/site_files/pki_files/files/keydist/cacerts directory.
  Type
    cd /var/simp/environments/simp/site_files/pki_files/files/keydist
  Type
    mkdir cacerts
  and copy the root CA public certificates into cacerts in Privacy Enhanced Mail (PEM) format (one per file).
  Type
    cd cacerts
  Type
    for file in *.pem; do ln -s "$file" "$(openssl x509 -in "$file" -hash -noout).0"; done
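The steps above leave the keydist tree in a specific state: one directory per client holding <FQDN>.pem and <FQDN>.pub, everything owned by root:puppet with no world access, and a cacerts directory whose PEM files each have an openssl-style <hash>.N symlink. The following pre-flight check, added here as an example and not part of the SIMP documentation or code base, verifies that state so a mistake (a skipped chmod, a CA certificate without its hash link) is caught before the Puppet server serves the files. The keydist path, owner and group are parameters; the client FQDN, the placeholder PEM contents and the hash name 0123abcd.0 in the demo are constructed sample values.

```python
# Added example, not SIMP's own code: pre-flight check of a keydist tree.
import os
import re
import stat
import pwd
import grp
from pathlib import Path

HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")   # e.g. 1a2b3c4d.0, what `openssl x509 -hash` produces


def _owner_names(st):
    """Map uid/gid to names, falling back to the numeric id if unknown."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_keydist(keydist, owner="root", group="puppet"):
    """Return a list of findings; an empty list means the tree passes.

    Checks: every file and directory is owned by owner:group, has no world
    access and no group write (the state chown root.puppet plus
    chmod u=rwX,g=rX,o-rwx produce); each client directory holds
    <FQDN>.pem and <FQDN>.pub; cacerts/ exists, holds at least one .pem,
    and every .pem has a <hash>.N symlink pointing at it.
    """
    root = Path(keydist)
    findings = []
    if not root.is_dir():
        return [f"{root}: keydist directory does not exist"]

    # Ownership and mode on everything; symlinks are skipped (their mode is meaningless).
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [Path(dirpath), *(Path(dirpath) / f for f in filenames)]:
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue
            user, grp_name = _owner_names(st)
            if (user, grp_name) != (owner, group):
                findings.append(f"{path}: owned by {user}:{grp_name}, expected {owner}:{group}")
            if st.st_mode & 0o007:
                findings.append(f"{path}: world-accessible ({stat.filemode(st.st_mode)})")
            if st.st_mode & stat.S_IWGRP:
                findings.append(f"{path}: group-writable ({stat.filemode(st.st_mode)})")

    # One directory per client, named after the FQDN, with the keypair inside.
    for entry in sorted(root.iterdir()):
        if entry.name == "cacerts" or not entry.is_dir():
            continue
        for suffix in (".pem", ".pub"):
            if not (entry / f"{entry.name}{suffix}").is_file():
                findings.append(f"{entry}: missing {entry.name}{suffix}")

    # CA certificates plus the hash symlinks the `ln -s` loop creates.
    cacerts = root / "cacerts"
    if not cacerts.is_dir():
        findings.append(f"{cacerts}: missing")
        return findings
    pems = [p for p in cacerts.iterdir() if p.suffix == ".pem" and not p.is_symlink()]
    if not pems:
        findings.append(f"{cacerts}: contains no .pem CA certificates")
    links = [p for p in cacerts.iterdir() if p.is_symlink() and HASH_LINK.match(p.name)]
    for pem in pems:
        if not any(os.readlink(link) == pem.name for link in links):
            findings.append(f"{pem}: no <hash>.N symlink (run the openssl x509 -hash loop)")
    return findings


def demo():
    """Build a constructed sample tree in a temp dir and check it twice.

    Returns (findings_clean, findings_loosened): the first is [] and the second
    flags a world-readable client key and a CA certificate missing its hash link.
    """
    import tempfile
    kd = Path(tempfile.mkdtemp(prefix="keydist-demo-")) / "keydist"
    fqdn = "client1.example.com"          # constructed sample host
    client, cacerts = kd / fqdn, kd / "cacerts"
    client.mkdir(parents=True)
    cacerts.mkdir()
    for f in (client / f"{fqdn}.pem", client / f"{fqdn}.pub", cacerts / "rootca.pem"):
        f.write_text("-----CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE-----\n")
        f.chmod(0o640)
    (cacerts / "0123abcd.0").symlink_to("rootca.pem")   # constructed hash name
    for d in (kd, client, cacerts):
        d.chmod(0o750)
    owner, group = _owner_names(kd.lstat())             # whoever runs the demo
    clean = check_keydist(kd, owner, group)
    (client / f"{fqdn}.pem").chmod(0o644)               # as if the chmod step was skipped
    (cacerts / "0123abcd.0").unlink()                   # as if the ln -s loop was skipped
    return clean, check_keydist(kd, owner, group)


if __name__ == "__main__":
    for finding in check_keydist("/var/simp/environments/simp/site_files/pki_files/files/keydist"):
        print(finding)
```

Run it on the server as root after the steps above; no output means the tree passes. Ownership is compared by name so the check also works on a host where puppet has a non-standard gid.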
4.5.4.2. Generating Certificates from the Fake CA

If server certificates have not been or could not be obtained at the time of client installation, SIMP provides a way to create them for the system so that it will work until proper certificates are provided.

Note: This option should not be used for any operational system that can use proper enterprise PKI certificates.

Below are the steps to generate the certificates using the SIMP-provided Fake CA.

- Type
    cd /var/simp/environments/simp/FakeCA
- Type
    vi togen
- Remove old entries from the file and add the Fully Qualified Domain Name (FQDN) of the systems (one per line) for which certificates will be created.
  Note: To use alternate DNS names for the same system, separate the names with commas and without spaces. For example, .name,alt.name1,alt.name2.
- Type
    wc cacertkey
  Note: Ensure that the cacertkey file is not empty. If it is, enter text into the file; then save and close the file.
- Type
    ./gencerts_nopass.sh auto
  Note: To avoid using the default Fake CA values, remove the auto argument from the ./gencerts_nopass.sh command.
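Two of the steps above are easy to get wrong by hand: a space after a comma in togen, or an empty cacertkey. The check below, added here as an example and not part of SIMP, parses togen with the format the steps describe (one system per line, alternate names comma-separated with no spaces) and replicates the `wc cacertkey` check before ./gencerts_nopass.sh is run. The FakeCA directory is a parameter, the hostnames in SAMPLE_TOGEN are constructed, and two details are assumptions of this example rather than documented SIMP behaviour: blank lines are ignored, and each name must look like a dotted DNS hostname.

```python
# Added example, not SIMP's own code: validate FakeCA inputs before generating.
import re
from pathlib import Path

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label (assumption)

# Constructed sample togen content: lines 3 to 5 are each wrong in a different way.
SAMPLE_TOGEN = """\
client1.example.com
client2.example.com,alt.example.com,www.example.com
client3.example.com, alt.example.com
bad_host.example.com
client1.example.com
"""


def is_fqdn(name):
    """Loose hostname syntax check: two or more dot-separated DNS labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_togen(text):
    """Parse togen content into ([(fqdn, [alt_names]), ...], [errors]).

    A line is rejected and reported if it contains any whitespace, if any
    comma-separated name fails the syntax check, or if its primary FQDN
    repeats an earlier line.
    """
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                       # blank line ignored (assumption)
        if re.search(r"\s", raw):
            errors.append(f"line {lineno}: whitespace in {raw!r}; "
                          "separate alternate names with commas only, no spaces")
            continue
        names = raw.split(",")
        bad = [n for n in names if not is_fqdn(n)]
        if bad:
            errors.append(f"line {lineno}: not a valid FQDN: {', '.join(bad)}")
            continue
        if names[0] in seen:
            errors.append(f"line {lineno}: duplicate entry for {names[0]}")
            continue
        seen.add(names[0])
        entries.append((names[0], names[1:]))
    return entries, errors


def preflight(fakeca_dir):
    """Run the checks from the steps above against a FakeCA directory.

    Returns (entries, errors); errors is empty only when togen parses cleanly,
    lists at least one system, and cacertkey exists and is non-empty.
    """
    fakeca = Path(fakeca_dir)
    togen, cacertkey = fakeca / "togen", fakeca / "cacertkey"
    if togen.is_file():
        entries, errors = parse_togen(togen.read_text())
    else:
        entries, errors = [], [f"{togen}: missing"]
    if not entries and not errors:
        errors.append(f"{togen}: lists no systems")
    if not cacertkey.is_file() or cacertkey.stat().st_size == 0:
        errors.append(f"{cacertkey}: missing or empty; enter text into it and save before generating")
    return entries, errors


def demo():
    """Write a clean constructed togen into a temp FakeCA dir and run preflight
    twice: with an empty cacertkey, then after text has been entered into it.
    Returns (errors_with_empty_key, errors_after_fix)."""
    import tempfile
    fakeca = Path(tempfile.mkdtemp(prefix="fakeca-demo-"))
    (fakeca / "togen").write_text("client1.example.com\nclient2.example.com,alt.example.com\n")
    (fakeca / "cacertkey").write_text("")
    _, errors_empty_key = preflight(fakeca)
    (fakeca / "cacertkey").write_text("constructed placeholder text\n")
    _, errors_fixed = preflight(fakeca)
    return errors_empty_key, errors_fixed


if __name__ == "__main__":
    entries, errors = preflight("/var/simp/environments/simp/FakeCA")
    for fqdn, alts in entries:
        print(f"{fqdn} (alt names: {', '.join(alts) or 'none'})")
    for error in errors:
        print("ERROR:", error)
```

Run it from the FakeCA directory before ./gencerts_nopass.sh; any ERROR line means the generation run would produce the wrong certificate (or none) for that entry, and the line number tells you which togen entry to fix.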
Warning: If the clean.sh command is run after the certificates have been generated, you will not be able to generate new host certificates under the old CA. To troubleshoot certificate problems, see the Troubleshooting Certificate Issues section.

If issues arise while generating keys, type
    cd /etc/puppetlabs/code/environments/simp/FakeCA
to navigate to the /etc/puppetlabs/code/environments/simp/FakeCA directory, then type
    ./clean.sh
to start over. After running the clean.sh script, type
    ./gencerts_nopass.sh
to run the script again using the previous procedure table.