Utilizing an alternate CA (Like Microsoft Certificate Services) with Puppet

The certificate validation and hierarchy behavior in Puppet is indeed standard SSL, but it's kind of a partial implementation of the standards - there's a long-standing feature request out there to improve its support for more complicated deployments.

If the goal is to get certificate issuance and approval moved over to the AD Certificate Services system (and never type puppet cert sign again), then you're probably out of luck without some software development work.

The client uses Puppet's own REST API to handle making certificate requests, fetching signed certificates, AIA and CRL access, etc.; you'd need to implement glue between those API calls and the AD Certificate Services RPC access points.

But, if you're just looking for your Puppet certificates to be in the trust chain under your AD CS root, then sysadmin1138's recommendation should work great (though I haven't tested it either - I'll find some time to do that and update you).

The Puppet clients will treat the intermediate Puppet CA as if it were a root CA (which will yield working validation without them needing knowledge of the root), while still being valid descendants of the real root CA.