autosign.conf: Basic certificate autosigning
autosign.conf file can allow certain
certificate requests to be automatically signed. It is only valid on the CA primary Puppet server; a primary server not serving as a CA does not
autosign.conf allowlist but more
complex to configure.
For more information, see the documentation about certificate autosigning.
Puppet looks for
$confdir/autosign.conf by default. To change this path, configure
the autosign setting in the
server] section of
The default confdir path depends on your operating system. See the confdir documentation for more information.
must not be executable by the primary server user account. If the
autosign setting points to an executable file,
Puppet instead treats it like a custom policy
executable even if it contains a valid
autosign.conf file is a line-separated
list of certnames or domain name globs. Each line represents a node name or group of
node names for which the CA primary server automatically signs certificate requests.
Domain name globs do not function as normal globs: an asterisk can only represent one
or more subdomains at the front of a certname that resembles a fully qualified
domain name (FQDN). If your certnames don’t look like FQDNs, the
autosign.conf allowlist might not be effective.
can safely be an empty file or not-existent, even if the
autosign setting is enabled. An empty or
autosign.conf file is
an empty allowlist, meaning that Puppet does not
autosign any requests. If you create
autosign.conf as a non-executable file and add certnames to
it, Puppet then automatically uses the file to
allow incoming requests without needing to modify
To explicitly disable autosigning,
autosign = false in
[primary server] section
of the CA primary server's
which disables CA autosigning even if
autosign.conf or a custom policy executable