frwer posted on 2014-10-22 11:01:49

How to change the default validity period of puppetmaster certificates

Learning Puppet automated configuration management from scratch, series documentation
By default PuppetMaster signs certificates for 5 years (the ca_ttl setting defaults to 5y), which means that after 5 years every certificate expires, and an expired certificate is unusable. Think of thousands of servers that have all been signed by this CA: re-signing every one of them when the time comes is a frightening prospect. So is there a way to push the expiry of the certificates further out? Note that ca_ttl only applies to certificates signed after it is changed: certificates already issued keep their original expiry, and a certificate is of little use past the expiry of the CA that signed it, which is why the procedure below regenerates the CA instead of just changing the setting.
Check the certificate's current validity period
# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i validity -A 2
      Validity
            Not Before: Aug 31 09:19:25 2014 GMT
            Not After : Aug 31 09:19:25 2019 GMT
The certificate is valid for 5 years. So how do we change that to 10 years?
The steps are as follows:
1. Delete the old CA
# rm -rf /var/lib/puppet/ssl
Note: once this directory is deleted, every certificate the old CA ever signed becomes unusable, so think carefully before doing it! Every agent will also need its own ssldir cleared and a new certificate request signed by the new CA.
2. Edit the configuration file puppet.conf
# cat /etc/puppet/puppet.conf
    user = puppet
    group = puppet
    vardir = /var/lib/puppet
    confdir = /etc/puppet
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    pluginsync = true
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    hostprivkey = $privatekeydir/puppetca.pem { mode = 640 }
    autosign = $confdir/autosign.conf { mode = 664 }
    server = puppetmaster
    ca_server = puppetca
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    runinterval = 86400
    report = true
    authconfig = /etc/puppet/namespaceauth.conf
    usecacheonfailure = false
    certname = kspupt-ca1
    default_schedules = false
    masterport = 8140
    environment = prd
    listen = false
    splay = false
    noop = false
    show_diff = false
    configtimeout = 120
    autosign = $confdir/autosign.conf { mode = 664 }
    confdir = /etc/puppet
    certname = puppetca
    ca = true
    # add this setting
    ca_ttl = 10y
Note that this file defines hostprivkey, autosign, confdir and certname more than once; Puppet keeps the last value it reads, so the CA's certname is puppetca. Tidy up the duplicates before relying on this file in production.
3. Regenerate the CA server
# puppet cert --generate --dns_alt_names puppetca,puppet puppetca
Notice: Signed certificate request for ca
Notice: puppetca has a waiting certificate request
Notice: Signed certificate request for puppetca
Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/var/lib/puppet/ssl/ca/requests/puppetca.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/var/lib/puppet/ssl/certificate_requests/puppetca.pem'
Because the ssldir was deleted, this first creates a new CA key and certificate, then generates and signs the master's own certificate for puppetca with puppet as a subject alternative name (--dns_alt_names takes a comma-separated list).
4. Check the validity period of the certificates the new CA server generates
# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i validity -A 2
      Validity
            Not Before: Oct 20 01:51:00 2014 GMT
            Not After : Oct 18 01:51:00 2024 GMT
The certificate is now valid for 10 years. Nice!
Every certificate signed from now on gets the same 10-year ca_ttl. Remember to clear the ssldir on each agent (rm -rf /var/lib/puppet/ssl on the agent) and run the agent again so that it requests a certificate from the new CA; until then the agents will refuse to connect, because they still hold the old CA certificate.
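A way to audit a Puppet CA's certificates for approaching expiry and to confirm which ca_ttl the puppet.conf actually carries, as an added example that is not part of the original post. It assumes the Puppet 3 paths used above ($ssldir/certs/ca.pem and $ssldir/ca/signed/<certname>.pem), a POSIX sh and the openssl command-line tool; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit every certificate a
# Puppet CA holds for approaching expiry, and read the effective ca_ttl
# out of puppet.conf. Assumes the Puppet 3 layout used in the post:
#   $ssldir/certs/ca.pem            the CA certificate
#   $ssldir/ca/signed/<name>.pem    certificates the CA has signed

# Print the effective ca_ttl from a puppet.conf, or 5y (Puppet's default)
# when the file does not set it. If the key appears more than once, the
# last definition is printed, which is the value Puppet keeps.
effective_ca_ttl() {
    ttl=$(sed -n 's/^[[:space:]]*ca_ttl[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    echo "${ttl:-5y}"
}

# Print the Not After date of one PEM certificate, as openssl formats it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if the certificate $1 is still valid for at least $2 more days,
# 1 if it expires before then (openssl's -checkend does the date maths,
# so no locale- or platform-specific date parsing is needed).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# List the CA certificate and every signed certificate under ssldir $1,
# one per line as "<name> <Not After> <OK|EXPIRING>", and return 1 if
# any of them expires within $2 days, otherwise 0.
audit_ssldir() {
    ssldir="$1"; days="$2"; rc=0
    for pem in "$ssldir/certs/ca.pem" "$ssldir"/ca/signed/*.pem; do
        [ -f "$pem" ] || continue          # skip an unmatched glob
        name=$(basename "$pem" .pem)
        if cert_valid_for_days "$pem" "$days"; then
            state=OK
        else
            state=EXPIRING; rc=1
        fi
        printf '%s\t%s\t%s\n' "$name" "$(cert_not_after "$pem")" "$state"
    done
    return $rc
}
```

Running audit_ssldir /var/lib/puppet/ssl 365 on the master prints one line per certificate and exits non-zero if any of them, the CA certificate included, expires within a year, so it can run from cron and page someone long before the 5-year cliff described above; effective_ca_ttl /etc/puppet/puppet.conf prints 10y for the file shown in step 2.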
