Using puppet to distribute Apache SSL certificates

puppet apache-2.2 ssl

Is it a bad idea to distribute Apache SSL certificates via puppet? Is it insecure to do it this way? Is there a better way to distribute SSL certs to lots of servers?


I've seen this done before. It's only as insecure as your network/destination servers make it. Only you know that. Are you transmitting these over a secure network? If so, you SHOULD be fine. But we can't possibly guarantee that. Why not write a simple ssh script to distribute them? That's what I would recommend. Or write a script to download the cert from a central server and distribute the script via puppet. Just an idea.

EDIT: Since there is some confusion. I'm NOT saying Puppet/SSH are anymore secure. But if you're worried about unauthorized access, ensure everything is secure. This is most easily done with a custom SSH script YOU distribute.


This is too old but I'm going to answer anyway.

You can encrypt private keys using eyaml and let puppet do the install. This way you are sure that key data is encrypted even on hiera and it is safely delivered to the node while agent is run.

Related

How do I get ssh to run in the background without using -f?
Windows Server 2008 BitLocker
Active Directory max photo size
PERC 6/i | ext4 | raid5 | 4 disks - improve write performance
FreeRADIUS2 and LDAP Authentication
Safely install MDM Certificate in MDM Server
RDP Data encryption error for Windows 7 Clients
Why won't Windows XP firewall use domain settings on boot?
Find out if an Apache module can be disabled from website usage
Do Microsoft Windows OS file versions contain ALL earlier hotfixes?
Using Y split cables to connect two servers to a single PDU receptacle
Non-deterministic behavior of `sudo`