Tags: puppetca validity, puppet change certificate validity, puppet in practice
Learning Puppet Automated Configuration Management from Scratch, document series
The Puppet master's default certificate lifetime is 5 years, which means that 5 years on every certificate it issued expires, and an expired certificate cannot be used. Picture thousands of servers, every one holding a certificate signed by this CA, all needing to be re-signed when that day comes. Is there a way to extend the certificate lifetime?
Check the certificate's current validity
[root@kspupt-ca1 ~]# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i validity -A 2
        Validity
            Not Before: Aug 31 09:19:25 2014 GMT
            Not After : Aug 31 09:19:25 2019 GMT
The certificate is valid for 5 years. Here is how to change that to 10 years.
1. Delete the existing CA
[root@kspupt-ca1 ~]# rm -rf /var/lib/puppet/ssl
Note: this removes the CA's private key, so every certificate it ever signed becomes unusable. Stop the puppet master before doing it, and prefer moving the directory aside (mv /var/lib/puppet/ssl /var/lib/puppet/ssl.bak) to deleting it, so the old key can still be recovered. Afterwards every agent must remove its own ssldir and request a fresh certificate from the new CA (here autosign is configured through autosign.conf, so hosts listed there are signed automatically). Proceed with care!
2. Edit the configuration file puppet.conf
[root@kspupt-ca1 ~]# cat /etc/puppet/puppet.conf
[main]
user = puppet
group = puppet
vardir = /var/lib/puppet
confdir = /etc/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
pluginsync = true
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
hostprivkey = $privatekeydir/puppetca.pem { mode = 640 }
autosign = $confdir/autosign.conf { mode = 664 }
[agent]
server = puppetmaster
ca_server = puppetca
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
runinterval=86400
report = true
authconfig = /etc/puppet/namespaceauth.conf
usecacheonfailure = false
certname = kspupt-ca1
default_schedules = false
masterport = 8140
environment = prd
listen = false
splay = false
noop = false
show_diff = false
configtimeout = 120
[master]
autosign = $confdir/autosign.conf { mode = 664 }
confdir = /etc/puppet
certname = puppetca
ca = true
# added: issue certificates valid for 10 years instead of the 5y default (units: y = 365 days, d, h, s)
ca_ttl = 10y
3. Regenerate the CA
[root@kspupt-ca1 ~]# puppet cert --generate --dns_alt_names puppetca:puppet puppetca
Notice: Signed certificate request for ca
Notice: puppetca has a waiting certificate request
Notice: Signed certificate request for puppetca
Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/var/lib/puppet/ssl/ca/requests/puppetca.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/var/lib/puppet/ssl/certificate_requests/puppetca.pem'
4. Check the validity of the certificate generated by the new CA
[root@kspupt-ca1 ~]# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i validity -A 2
        Validity
            Not Before: Oct 20 01:51:00 2014 GMT
            Not After : Oct 18 01:51:00 2024 GMT
The certificate is now valid for 10 years. Nice! Two details worth knowing: Not After lands on Oct 18 2024 rather than Oct 20, because ca_ttl counts a year as 365 days, so 10y is 3650 days and the three leap days between 2014 and 2024 are not counted (Puppet also backdates Not Before by one day to tolerate clock skew, which is why the window spans 3651 days). And ca_ttl applies to every certificate this CA signs from now on, so agent certificates issued after the rebuild are 10-year certificates too; choose the value deliberately, since a long-lived certificate on a lost or decommissioned host stays valid until you revoke it.
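To make the date arithmetic above reproducible, here is an added example (not code from the original post or from Puppet itself) that models how Puppet 3 derives a certificate's validity window from ca_ttl, and parses the openssl Validity lines shown in the checks above to report how many days a certificate has left. It assumes the rules of Puppet 3's DurationSetting and certificate factory: a ca_ttl year is 365 days, Not Before is backdated by one day, and Not After is the signing time plus the ttl; both date pairs printed on this page match these rules. The two signing times, the 90-day renewal threshold and the openssl lines fed to the parser are constructed for the demonstration.

```ruby
# Added example, not from the original post or from Puppet.
# Models Puppet 3's certificate validity rules (assumed, see lead-in):
#   * a ca_ttl "y" is 365 days, so leap days are not counted;
#   * Not Before is backdated one day to tolerate clock skew;
#   * Not After is the signing time plus the ttl.

# ca_ttl units as in Puppet 3's DurationSetting: y (365-day years), d, h, s;
# a bare number is seconds.
TTL_UNITS = { 'y' => 365 * 86_400, 'd' => 86_400, 'h' => 3_600, 's' => 1 }.freeze

# Convert a ca_ttl string ("10y", "30d", "3600") into seconds; reject anything else.
def ca_ttl_seconds(ttl)
  m = /\A(\d+)([ydhs]?)\z/.match(ttl.to_s.strip)
  raise ArgumentError, "invalid ca_ttl: #{ttl.inspect}" unless m
  m[1].to_i * TTL_UNITS.fetch(m[2].empty? ? 's' : m[2])
end

# Validity window a certificate signed at +signed_at+ (a Time) gets for +ttl+.
def puppet_validity(signed_at, ttl)
  {
    not_before: signed_at - 86_400,               # one day of clock-skew tolerance
    not_after:  signed_at + ca_ttl_seconds(ttl)
  }
end

# Render a Time the way "openssl x509 -text" prints it, e.g. "Oct 18 01:51:00 2024 GMT".
def openssl_date(t)
  t.getutc.strftime('%b %e %H:%M:%S %Y GMT')
end

# Parse a "Not Before: ...", "Not After : ..." (openssl x509 -text) or
# "notAfter=..." (openssl x509 -enddate) line into a UTC Time.
def parse_openssl_date(line)
  text = line.strip.sub(/\A(?:Not (?:Before|After)\s*:\s*|not(?:Before|After)=)/, '')
  m = /\A(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4}) GMT\z/.match(text)
  raise ArgumentError, "unrecognised openssl date: #{line.inspect}" unless m
  # Time.utc accepts a three-letter English month name in place of a number.
  Time.utc(m[6].to_i, m[1], m[2].to_i, m[3].to_i, m[4].to_i, m[5].to_i)
end

# Whole days left before +not_after+ as of +now+; negative once expired.
def days_remaining(not_after, now)
  ((not_after - now) / 86_400).floor
end

# True when the certificate is expired or within +warn_days+ of expiry.
def needs_renewal?(not_after, now, warn_days = 90)
  days_remaining(not_after, now) < warn_days
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the signing moments implied by the dates on this page.
  old_ca = puppet_validity(Time.utc(2014, 9, 1, 9, 19, 25), '5y')
  new_ca = puppet_validity(Time.utc(2014, 10, 21, 1, 51, 0), '10y')
  [['5y', old_ca], ['10y', new_ca]].each do |ttl, v|
    puts "ca_ttl=#{ttl}: Not Before #{openssl_date(v[:not_before])}, " \
         "Not After #{openssl_date(v[:not_after])}"
  end

  # Constructed line, as "openssl x509 -text -noout" printed it for the old CA.
  old_expiry = parse_openssl_date('Not After : Aug 31 09:19:25 2019 GMT')
  as_of = Time.utc(2014, 10, 21, 1, 51, 0)
  puts "old CA on #{as_of.strftime('%Y-%m-%d')}: #{days_remaining(old_expiry, as_of)} days left, " \
       "renew now? #{needs_renewal?(old_expiry, as_of)}"
end
```

Running the file prints the two validity windows from this page; to audit a live CA, feed parse_openssl_date the output of openssl x509 -noout -enddate -in ca.pem and compare against Time.now, and lower the warn_days threshold to whatever lead time your agent re-keying procedure needs.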
This article is from the "www.kisspuppet.com" blog; please keep this attribution: http://dreamfire.blog.51cto.com/418026/1566168