- From: Arnold Krille <>
- To:
- Subject: [chef] Re: Re: Re: Re: Deploying User Private Keys
- Date: Thu, 6 Feb 2014 21:14:50 +0100
On Thu, 06 Feb 2014 15:54:30 +0100 Alfredo Palhares <> wrote:
> Hello Arnold,
>
>> If it's the server contacting the clients: The server should publish
>> its public key within chef and the clients will fetch that on their
>> chef-run and configure it.
>
> Yes, but that would need for me to publish the CA key (private)
> too; now only the cert (public key).
>
>> If it's keys so the clients can contact the server: Create the
>> key-pairs on the client and publish the public keys in chef so the
>> server can search for them and add them to the local store.
>
> They are gnutls (certtool generated) keys.
So that looks more like a use-case for the x509-cookbook and the
contained knife-ssl:
https://github.com/VendaTech/chef-cookbook-ssl
Have the server create its private key and a self-signed public key,
then publish a CSR that is signed by knife-ssl on a machine with the CA.
Then the public cert is pushed to the Chef server, where both the server
gets it to replace its own self-signed one and the clients can fetch it
if needed. Or they just trust the public part of the CA.
I might not understand your concrete problem (mostly because I have no
clue what taskwarrior is), but rule of thumb:
A private key that leaves the machine where it's created is rendered
insecure and not trustworthy anymore.
The only exception might be when it's an SSL certificate for load-balanced
services.
Have fun,
Arnold
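The key-stays-on-the-host flow Arnold describes, written out as an added example in Ruby (Chef's own language) using only the stdlib OpenSSL bindings. This is not code from the thread, from knife-ssl or from the x509 cookbook; the function names, the throwaway CA, the hostname taskd.example.org and the validity periods are all made up for illustration. It shows the three hops: the service host generates its private key and a CSR locally, the CA host checks the CSR's proof-of-possession signature before issuing, and the service host checks that what came back actually matches its key and chains to the CA before replacing its self-signed cert. Only the CSR and the issued cert ever cross machine boundaries.

```ruby
# Added example, not part of the original thread. Function names, subjects,
# serials and validity periods are invented for illustration.
require 'openssl'

SHA256 = 'SHA256'.freeze

# --- On the CA machine (the one that would run knife-ssl) ---
# Constructed, throwaway CA so the example runs offline. A real CA private
# key is generated here and never leaves this host.
def make_ca(name = '/CN=Example Cookbook CA')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(name)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(SHA256))
  [key, cert]
end

# --- On the service host ---
# The private key is generated here and stays here. The CSR (public key plus
# subject, self-signed as proof of possession) is the only thing published.
def make_key_and_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(SHA256))
  [key, csr.to_pem] # csr.to_pem is what would be published via chef
end

# --- Back on the CA machine ---
# Refuse CSRs whose self-signature does not verify (tampered in transit, or a
# public key the requester cannot prove it holds), then issue a leaf cert.
def sign_csr(csr_pem, ca_key, ca_cert, serial)
  csr = OpenSSL::X509::Request.new(csr_pem)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 90 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  cert.sign(ca_key, OpenSSL::Digest.new(SHA256))
  cert.to_pem # this is what goes to the Chef server for the host and clients to fetch
end

# --- On the service host again ---
# Before swapping out the self-signed cert, check that the cert that came back
# really belongs to the local private key and chains to the trusted CA.
def cert_matches_key_and_ca?(cert_pem, key, ca_cert)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  return false unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = make_ca
  key, csr_pem = make_key_and_csr('taskd.example.org') # constructed hostname
  cert_pem = sign_csr(csr_pem, ca_key, ca_cert, 2)
  puts "issued cert ok: #{cert_matches_key_and_ca?(cert_pem, key, ca_cert)}"
end
```

The two checks that matter for the thread's rule of thumb are the `csr.verify` on the CA side and the `check_private_key` plus store verification on the host side: the first stops the CA from certifying a public key nobody can prove they hold, the second stops a host from installing a cert for some other key or from some other CA. Neither step needs a private key to be copied anywhere; the load-balancer case Arnold mentions is the one place this flow does not fit, because several hosts then need the same key.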