Puppet Server Configuration Files: ca.conf
The ca.conf file configures settings for the Puppet Server Certificate Authority (CA) service. For an overview, see Puppet Server Configuration.
Deprecation Note: This file supports only the client-whitelist settings, which are deprecated as of Puppet Server 2.2 in favor of authorization that is configured in the new auth.conf file. Because these settings are deprecated, a default ca.conf file is no longer included in the Puppet Server package.
The certificate-status setting in ca.conf provides deprecated configuration options for access to the certificate_statuses HTTP endpoints. These endpoints allow certificates to be signed, revoked, and deleted through HTTP requests, which provides full control over Puppet’s ability to securely authorize access. Therefore, you should always restrict access to
Puppet Enterprise Note: Puppet Enterprise uses these endpoints to provide a console interface for certificate signing. For more information, see Certificate Status.
The certificate-status setting takes two parameters:
If authorization-required is set to true or not set, and client-whitelist is set to an empty list or not set, Puppet Server uses the authorization methods and new auth.conf format introduced in Puppet Server 2.2 to control access to the administration API endpoints.
authorization-required determines whether a client certificate is required to access certificate status endpoints. If this parameter is set to false, all requests can access this API. If set to true, only the clients whose certificate names are included in the client-whitelist setting can access the admin API. If this parameter is not specified but the client-whitelist parameter is, this parameter’s value defaults to
client-whitelist contains a list of client certificate names that are whitelisted for access to the certificate status endpoints. Puppet Server denies access to requests at these endpoints that do not present a valid client certificate named in this list.
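The access rules above can be checked mechanically when auditing a server that still carries a ca.conf. The following Python is an added example, not part of the Puppet documentation or Puppet Server's code: it classifies the certificate-status block as open to all requests, restricted to a whitelist, or deferred to auth.conf. The function name, the sample file contents and the certname ca-admin.example.test are constructed for illustration, and the regex parsing assumes the simple HOCON layout this file uses.

```python
import re

def classify_ca_conf(text):
    """Classify certificate-status access as 'open', 'whitelist' or 'auth.conf'."""
    # Drop HOCON comments; assumes no '#' or '//' inside quoted values.
    text = re.sub(r"(#|//).*", "", text)
    block = re.search(r"certificate-status\s*[:=]?\s*\{(.*?)\}", text, re.S)
    body = block.group(1) if block else ""
    required = re.search(r"authorization-required\s*[:=]\s*(true|false)", body)
    listed = re.search(r"client-whitelist\s*[:=]\s*\[(.*?)\]", body, re.S)
    names = re.findall(r'[^\s,"]+', listed.group(1)) if listed else []
    if required and required.group(1) == "false":
        # Any request reaches the sign/revoke/delete endpoints.
        return "open", names
    if names:
        # Required explicitly, or implied by a non-empty whitelist.
        return "whitelist", names
    # true/unset with empty/unset whitelist: auth.conf rules decide.
    return "auth.conf", []

# Constructed sample files; the certname is a placeholder.
OPEN = """
certificate-authority: {
    certificate-status: {
        authorization-required: false
    }
}
"""
WHITELIST = """
# CA-related settings
certificate-authority: {
    certificate-status: {
        client-whitelist: [ "ca-admin.example.test" ]
    }
}
"""
DEFERRED = """
certificate-authority: {
    certificate-status: {
        authorization-required: true
        client-whitelist: []
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("open", OPEN), ("whitelist", WHITELIST), ("deferred", DEFERRED)):
        mode, names = classify_ca_conf(conf)
        flag = "FINDING" if mode == "open" else "ok"
        print(f"{label}: mode={mode} whitelist={names} [{flag}]")
```

A result of "open" is the case to flag: the signing, revocation and deletion endpoints accept requests without a client certificate.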
If you are using the deprecated authorization methods, follow this structure to configure certificate_statuses endpoint access in ca.conf, whitelisting a client named
# CA-related settings - deprecated in favor of "auth.conf"