ca.conf

The ca.conf file configures settings for the Puppet Server Certificate Authority (CA) service. For an overview, see Puppet Server Configuration.

Signing settings

The allow-subject-alt-names setting in the certificate-authority section enables you to sign certificates with subject alternative names. It is false by default for security reasons but can be enabled if you need to sign certificates with subject alternative names. Be aware that enabling the setting could allow agent nodes to impersonate other nodes (including the nodes that already have signed certificates). Consequently, you must carefully inspect any CSRs with SANs attached. puppet cert sign previously allowed this via a flag, but puppetserver ca sign requires it to be configured in the config file.
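The inspection step above can be scripted. The following is an added example, not part of the Puppet Server documentation: it pulls the subject CN and the SANs out of a CSR with the openssl CLI (assumed to be installed) and flags any CSR whose SAN names a host other than its own CN; the helper names and the sample CSR it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Puppet Server documentation: review a CSR's
# subject alternative names before running `puppetserver ca sign`, because a
# SAN lets the requester claim another node's name. Assumes the openssl CLI;
# the helper names and the sample CSR below are constructed for illustration.

# Print the CN from the CSR subject (handles "CN = x" and "/CN=x" formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print each SAN in the CSR on its own line (nothing if the CSR has none).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# Print "clean" when the CSR has no SAN, or every SAN is DNS:<its own CN>;
# print "review" when a SAN names anything else, which needs a human look
# (and allow-subject-alt-names: true) before the CA will sign it.
csr_verdict() {
    cn=$(csr_cn "$1")
    verdict=clean
    for san in $(csr_sans "$1"); do
        [ "$san" = "DNS:$cn" ] || verdict=review
    done
    echo "$verdict"
}

# Build a constructed CSR for the given CN carrying the given SAN list
# (empty list = no SAN extension) and print its path.
make_sample_csr() {
    dir=$(mktemp -d)
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        [ -z "$2" ] || printf 'req_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$1"
        [ -z "$2" ] || printf '[ext]\nsubjectAltName = %s\n' "$2"
    } > "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/csr.pem" -config "$dir/req.cnf" 2>/dev/null
    echo "$dir/csr.pem"
}

# Constructed CSR whose SAN claims a second hostname: prints "review".
csr_verdict "$(make_sample_csr agent.example.com 'DNS:agent.example.com,DNS:other.example.com')"
```

Run it against a pending CSR from the CA's requests directory to get a quick verdict before deciding whether to sign.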

The allow-authorization-extensions setting in the certificate-authority section likewise enables you to sign certificates with authorization extensions. It is false by default for security reasons, but can be enabled if you know you need to sign certificates this way. puppet cert sign used to allow this via a flag, but puppetserver ca sign requires it to be configured in the config file.

Infrastructure CRL settings

Puppet Server is able to create a separate CRL file containing only revocations of Puppet infrastructure nodes. This behavior is turned off by default. To enable it, set certificate-authority.enable-infra-crl to true.