Automatic management of SSL certificate on multiple servers…good or bad

We're using puppet to manage a group of Ubuntu boxes and will shortly require each of these servers to share a common SSL certificate, in order to serve a site over HTTPS. Naturally, we'd like to use puppet to manage the certificate but are conscious of the fact that putting it in a VCS (from where the puppet master gets its modules) mightn't be a great idea—because of the security implications.

Are there any better solutions anyone is aware of?


Disclosure: I am one of the developers of Puppet.

The general practice is to use a special file server mount that offers the content, and then have an ACL on that allowing only the specific systems to get at the files. That allows you to use a source => 'puppet://...' specification without having to have it come from the same place as the other modules.

You might also look to the hiera-gpg module, as documented here, source here. That allows some protection for the content in terms of exposure, so that only approved people, and folks with sufficient access to the Puppet master that they could hack the code to get the data, could read it.
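An added example of the file-server mount approach described in the answer above (not code from the answer's author or the Puppet project). It assumes a Puppet 2.7/3.x-style `fileserver.conf`, a mount named `private_certs` backed by `/etc/puppet/private/certs` on the master, web servers named under `example.com`, and an `apache2` service; the mount definition is shown as a comment above the manifest.

```puppet
# fileserver.conf on the Puppet master (assumed location
# /etc/puppet/fileserver.conf). The mount lives outside the module tree,
# so the certificate and key never enter the VCS the modules come from,
# and the ACL limits which agents may fetch them:
#
#   [private_certs]
#       path  /etc/puppet/private/certs
#       allow web01.example.com
#       allow web02.example.com
#       deny  *
#
# Manifest applied to the web servers: fetches the shared certificate and
# key from the ACL-protected mount, keeps the key root-only and restarts the
# web server when either file changes.
class site::ssl_cert (
  $cert_name = 'www.example.com',   # assumed certificate basename
  $service   = 'apache2',           # assumed web server service name
) {

  # Public certificate: world-readable is fine.
  file { "/etc/ssl/certs/${cert_name}.crt":
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///private_certs/${cert_name}.crt",
    notify => Service[$service],
  }

  # Private key: root-only, and diffs suppressed so key material does not
  # land in agent logs or reports (show_diff needs a Puppet release that
  # supports it; drop the parameter on older masters).
  file { "/etc/ssl/private/${cert_name}.key":
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    source    => "puppet:///private_certs/${cert_name}.key",
    notify    => Service[$service],
  }
}
```

Any agent whose certname matches an `allow` line can fetch every file under the mount, so keep the allow list to exactly the hosts that serve the site and verify the restriction with a `puppet agent --test` run from a host that is not listed.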