4.10.3. Checking Your SIMP PKI Communication

SIMP comes with a fully functional Public Key Infrastructure in the guise of an aptly named Fake CA.

The Fake CA can be very useful for getting your environment running prior to obtaining proper certificates from an official CA.


The Fake CA is not hardware backed by default and should not be used for sensitive cryptographic operations unless there is no other alternative.

Each Puppet environment that is part of a SIMP Omni-Environment contains its own Fake CA. That Fake CA is located within the corresponding SIMP Secondary Environment.

Basic Server Setup Check

Just as with Puppet certificates, the time on your system must be correct and your DNS must be fully functional. Check that these are correct before proceeding.

Fake CA Setup Check

For the remainder of this section, we will assume the following:

  • The active Puppet environment returned by puppet config print environment is part of a SIMP Omni-Environment.

  • The FQDN of the system with issues is system.my.domain.

  • The LDAP server to which system.my.domain is attempting to connect is ldap.my.domain.

  1. Change directories to the keydist directory for the active Puppet environment’s Fake CA.

    # cd /var/simp/environments/`puppet config print environment`/site_files/pki_files/files/keydist

  2. Validate the client system. When validating certificates, you want to make sure that there are no errors regarding your certificate or CA. Ideally, the command will simply return the string ‘OK’.

    # openssl verify -CApath cacerts system.my.domain/system.my.domain.pub

  3. Validate the LDAP system.

    # openssl verify -CApath cacerts ldap.my.domain/ldap.my.domain.pub
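The three steps above, automated as an added example script (not SIMP's own tooling): it assumes the keydist layout shown here, that openssl is on PATH, and derives the default directory with puppet config print environment exactly as step 1 does; the script name and the check_host/check_all function names are this example's own.

```shell
#!/bin/sh
# Added example, not SIMP's own tooling: runs the "openssl verify" step above
# for every host in the Fake CA keydist directory. Assumes the layout shown
# here (<fqdn>/<fqdn>.pub plus cacerts), openssl on PATH. Usage: sh check_fake_ca.sh [dir]
set -u
# Default location, derived exactly as in step 1; an argument overrides it.
keydist_dir() {
    printf '/var/simp/environments/%s/site_files/pki_files/files/keydist\n' \
        "$(puppet config print environment)"
}

# Decide from captured "openssl verify" output whether <cert> passed: success
# is the exact text "<cert>: OK", anything else is a failure. The text is
# matched on purpose; older OpenSSL releases exit 0 even on failure.
verdict() {
    case "$2" in
        "$1: OK") echo ok ;;
        *)        echo fail ;;
    esac
}

# Verify one host against the Fake CA bundle; prints a status line and
# returns 0 on OK, 1 otherwise. Usage: check_host <keydist_dir> <fqdn>
check_host() {
    dir=$1; fqdn=$2; cert="$fqdn/$fqdn.pub"
    output=$(cd "$dir" 2>&1 && openssl verify -CApath cacerts "$cert" 2>&1)
    if [ "$(verdict "$cert" "$output")" = ok ]; then
        printf 'OK    %s\n' "$fqdn"; return 0
    fi
    # On failure also show the validity window: a wrong clock is the usual cause.
    dates=$(cd "$dir" && openssl x509 -noout -dates -in "$cert" 2>/dev/null | tr '\n' ' ')
    printf 'FAIL  %s: %s %s\n' "$fqdn" "$output" "$dates"; return 1
}

# Verify every host directory (named after its FQDN); returns 1 if any failed.
check_all() {
    dir=$1; failed=0
    for hostdir in "$dir"/*/; do
        [ -d "$hostdir" ] || continue        # pattern matched nothing
        check_host "$dir" "$(basename "$hostdir")" || failed=1
    done
    return $failed
}
main() {
    dir=${1:-$(keydist_dir)}
    [ -d "$dir" ] || { echo "keydist directory not found: $dir" >&2; return 2; }
    check_all "$dir"
}
main "$@"
```

The exit status is 0 only when every host certificate verifies, so the script can be dropped into a cron job or CI check for the environment's keydist directory.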

If there are any issues, you may need to follow the steps in Apply Certificates to generate new certificates for one or more of your hosts.