Using puppet to distribute Apache SSL certificates

Is it a bad idea to distribute Apache SSL certificates via puppet? Is it insecure to do it this way? Is there a better way to distribute SSL certs to lots of servers?


I've seen this done before. It's only as insecure as your network/destination servers make it. Only you know that. Are you transmitting these over a secure network? If so, you SHOULD be fine. But we can't possibly guarantee that. Why not write a simple ssh script to distribute them? That's what I would recommend. Or write a script to download the cert from a central server and distribute the script via puppet. Just an idea.

EDIT: Since there is some confusion: I'm NOT saying Puppet/SSH are any more secure. But if you're worried about unauthorized access, ensure everything is secure. This is most easily done with a custom SSH script YOU distribute.


This is too old but I'm going to answer anyway.

You can encrypt private keys using eyaml and let Puppet do the install. This way you are sure that the key data is encrypted even in Hiera and that it is safely delivered to the node while the agent is run.
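
A sketch of the eyaml approach from the answer above, added here as an example and not taken from any poster's setup. The class name `profile::apache_tls`, the Hiera key names, the file paths and the `httpd` service name are assumptions.

```puppet
# Added example. Hypothetical names: profile::apache_tls, the Hiera keys
# profile::apache_tls::cert / ::key, the /etc/pki paths, the service name.
#
# hiera.yaml (version 5) on the Puppet server, with the hiera-eyaml backend:
#   hierarchy:
#     - name: "Encrypted data"
#       lookup_key: eyaml_lookup_key
#       paths: ["nodes/%{trusted.certname}.eyaml", "common.eyaml"]
#       options:
#         pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
#         pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
#
# common.eyaml (key value produced with `eyaml encrypt -f server.key`):
#   profile::apache_tls::key: ENC[PKCS7,<ciphertext placeholder>]
#   profile::apache_tls::cert: |
#     -----BEGIN CERTIFICATE-----
#     <certificate placeholder>
#     -----END CERTIFICATE-----

class profile::apache_tls (
  String $service_name = 'httpd',
) {
  $cert = lookup('profile::apache_tls::cert', String)

  # The server decrypts the eyaml value at catalog compile time. Wrapping it
  # in Sensitive keeps the key out of agent logs and reports.
  $key = Sensitive(lookup('profile::apache_tls::key', String))

  file { '/etc/pki/tls/certs/site.crt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $cert,
    notify  => Service[$service_name],
  }

  file { '/etc/pki/tls/private/site.key':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0400',   # readable by root only
    content   => $key,
    show_diff => false,    # never print key material in a diff
    notify    => Service[$service_name],
  }

  service { $service_name:
    ensure => running,
  }
}
```

eyaml protects the key at rest in the Hiera data and the repository; the compiled catalog still carries the decrypted key to the agent over Puppet's TLS channel, so the eyaml private key on the server and the catalog cache on each node need the same protection as the certificate key itself.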