Puppet Encryption and Communication Methods

Puppet interfaces with the OpenSSL toolkit, which implements the SSL and Transport Layer Security (TLS) cryptographic protocols. Puppet uses standard SSL/TLS encryption and standard SSL certificates to authenticate and verify Puppet Agent (agent) and Puppet Server (server), and it uses SSL/TLS to encrypt the traffic between the server and agents. The default hash is SHA-256.

The Puppet encryption method performs the following tasks:

  • Authenticates any agent to the server

  • Authenticates the server on any agent

  • Prevents communication eavesdropping between the server and agents

Puppet uses a TLS client-side X.509 certificate to perform mutual host authentication. By default, this material is stored in the /etc/puppetlabs/puppet/ssl directory. This ssl directory contains separate subdirectories for keys, certificates, and signed requests, as well as for requests that await a signature. These directories exist on the server and on each agent. See Directories: SSLdir.

The server generates its own CA certificate and private key, initializes the Certificate Revocation List (CRL), and then generates a second certificate, the server certificate. This certificate handles SSL and TLS communications and is sent to the agent. During the server and agent exchange, the CA certificate is stored in the /etc/puppetlabs/puppet/ssl/ca/signed directory on the server and in the /etc/puppetlabs/puppet/ssl/certs directory on the agent.

Agents automatically request certificates through the server's HTTP endpoint. Use the puppetserver ca command to inspect requests and to sign new certificates.
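The request-and-sign exchange above, reproduced as an added example that is not Puppet's own code and does not call puppetserver ca: it uses the plain openssl CLI to build the CA certificate, an empty CRL, an agent CSR and the CA-signed agent certificate inside a scratch copy of the ssl directory layout, and then runs the two checks an operator would use on a real host: does the agent certificate chain to the CA and pass a CRL check, and was it signed with SHA-256. The certnames puppet.example and agent01.example, the scratch directory and the minimal openssl.cnf are constructed for this example.

```shell
#!/bin/sh
# Added example, not Puppet's own code: rebuild the CA -> agent certificate
# chain the page describes with plain openssl in a scratch copy of the
# /etc/puppetlabs/puppet/ssl layout, then run the checks an operator would
# use to confirm an agent certificate really chains to the Puppet CA.
# Certnames "puppet.example" and "agent01.example" are constructed placeholders.
set -eu

SSLDIR=$(mktemp -d)
trap 'rm -rf "$SSLDIR"' EXIT
CNF="$SSLDIR/ca/openssl.cnf"

# Scratch layout mirroring the page: ca/ (CA material, pending and signed
# requests on the server), certs/ and private_keys/ (per-host material).
setup_ssldir() {
  mkdir -p "$SSLDIR/ca/requests" "$SSLDIR/ca/signed" "$SSLDIR/certs" "$SSLDIR/private_keys"
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = puppet_ca
[ puppet_ca ]
database = $SSLDIR/ca/index.txt
crlnumber = $SSLDIR/ca/crlnumber
certificate = $SSLDIR/ca/ca_crt.pem
private_key = $SSLDIR/ca/ca_key.pem
default_md = sha256
default_crl_days = 1
EOF
  : > "$SSLDIR/ca/index.txt"
  echo 01 > "$SSLDIR/ca/crlnumber"
}

# Step 1 (server): CA key, self-signed CA certificate, then an empty CRL.
make_ca() {
  openssl genrsa -out "$SSLDIR/ca/ca_key.pem" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 1 -config "$CNF" -extensions v3_ca \
    -key "$SSLDIR/ca/ca_key.pem" -subj "/CN=Puppet CA: puppet.example" \
    -out "$SSLDIR/ca/ca_crt.pem"
  openssl ca -config "$CNF" -gencrl -out "$SSLDIR/ca/ca_crl.pem" 2>/dev/null
}

# Step 2 (agent): private key plus a CSR for its certname, placed in the
# server's pending-request directory as if submitted over the HTTP endpoint.
make_request() {
  certname=$1
  openssl genrsa -out "$SSLDIR/private_keys/$certname.pem" 2048 2>/dev/null
  openssl req -new -sha256 -config "$CNF" -key "$SSLDIR/private_keys/$certname.pem" \
    -subj "/CN=$certname" -out "$SSLDIR/ca/requests/$certname.pem"
}

# Step 3 (server): sign the pending request with the CA key using SHA-256
# (the role "puppetserver ca sign" plays), then hand the agent its
# certificate and a copy of the CA certificate to trust.
sign_request() {
  certname=$1
  openssl x509 -req -sha256 -days 1 -in "$SSLDIR/ca/requests/$certname.pem" \
    -CA "$SSLDIR/ca/ca_crt.pem" -CAkey "$SSLDIR/ca/ca_key.pem" -CAcreateserial \
    -out "$SSLDIR/ca/signed/$certname.pem" 2>/dev/null
  rm "$SSLDIR/ca/requests/$certname.pem"
  cp "$SSLDIR/ca/signed/$certname.pem" "$SSLDIR/certs/$certname.pem"
  cp "$SSLDIR/ca/ca_crt.pem" "$SSLDIR/certs/ca.pem"
}

# Check 1: does the certificate chain to the CA and pass the CRL check?
verify_chain() {
  openssl verify -crl_check -CAfile "$SSLDIR/certs/ca.pem" \
    -CRLfile "$SSLDIR/ca/ca_crl.pem" "$1" >/dev/null 2>&1
}

# Check 2: which signature algorithm the CA used (expect sha256WithRSAEncryption).
signature_hash() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

setup_ssldir
make_ca
make_request agent01.example
sign_request agent01.example

# A certificate the agent signs for itself must NOT verify: only certificates
# issued by the Puppet CA are trusted, which is the point of the exchange.
openssl req -x509 -new -sha256 -days 1 -config "$CNF" \
  -key "$SSLDIR/private_keys/agent01.example.pem" -subj "/CN=agent01.example" \
  -out "$SSLDIR/certs/rogue.pem"

if verify_chain "$SSLDIR/certs/agent01.example.pem"; then
  echo "agent01.example: chains to CA, not revoked, signed with $(signature_hash "$SSLDIR/certs/agent01.example.pem")"
fi
if ! verify_chain "$SSLDIR/certs/rogue.pem"; then
  echo "rogue.pem: rejected (not issued by the Puppet CA)"
fi
```

The same two openssl checks work unchanged against a real host's files: point -CAfile at /etc/puppetlabs/puppet/ssl/certs/ca.pem and pass the agent's own certificate from the certs directory, and use the server's CRL for -CRLfile. A certificate that fails the chain check or shows a digest other than sha256 was not issued by this server's CA and should be investigated rather than signed around.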