
Update multimaster_pki.rst

Open ironman627 opened this issue 3 years ago • 2 comments

Previous verbiage gave the impression that a separate "signing" server can be used to prevent the copying of private keys (i.e. master.pem) across the network. The problem is that the process to generate a signature file requires both the master.pem (from the original master) and the master_sign.pem (from the signing master) to be on the same box. This would require copying the appropriate pem file from one master to another. Unfortunately, there is no current way around copying the pem files if you are trying to implement a separate master signing server. This process turns an existing master into a signing server to reduce the overhead of auth requests coming from minions attached to it.

What does this PR do?

Corrects the inference that a separate signing master server prevents the copying of private keys across the network.

ironman627 avatar Apr 18 '22 17:04 ironman627

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

welcome[bot] avatar Apr 18 '22 17:04 welcome[bot]

@ironman627 This isn't accurate; when "master_sign_pubkey" and "master_use_pubkey_signature" opts are set, only the pubkey signature is needed on the masters, not the pem/pub itself. The signing key never needs to be transferred.

mattp- avatar May 23 '25 17:05 mattp-
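The file placement argued over in this thread, as an added example that is not Salt's own code: it stands up three directories standing in for a signing box, a master and a minion, then runs the signing and verification steps with plain OpenSSL so you can see which artifact has to cross which boundary. The Salt option names in the comments are quoted from the thread and from Salt's configuration reference; the hash and padding used here (SHA-256, PKCS#1 v1.5 via `openssl dgst`) are this example's choice and are not asserted to match what Salt uses internally.

```shell
#!/bin/sh
# Added example (not Salt's code): reproduces the file placement of Salt's
# master public-key signing with plain OpenSSL. Three directories stand in
# for three hosts. Hash/padding (SHA-256, PKCS#1 v1.5) are this example's choice.
pubkey_signature_demo() {
  mode="${1:-honest}"           # "honest" or "rogue"
  work=$(mktemp -d)
  signing="$work/signing_box"   # keeps master_sign.pem; never exported
  master="$work/master"         # keeps master.pem; never exported
  minion="$work/minion"         # holds public material only
  mkdir -p "$signing" "$master" "$minion"

  # Master key pair. Only master.pub ever leaves this directory.
  openssl genrsa -out "$master/master.pem" 2048 2>/dev/null
  openssl rsa -in "$master/master.pem" -pubout -out "$master/master.pub" 2>/dev/null

  # Signing key pair (Salt: master_sign_key_name, default "master_sign").
  # The private half stays on the signing box.
  openssl genrsa -out "$signing/master_sign.pem" 2048 2>/dev/null
  openssl rsa -in "$signing/master_sign.pem" -pubout -out "$signing/master_sign.pub" 2>/dev/null

  # The signing box needs only the master's PUBLIC key to produce the signature
  # file (Salt: master_pubkey_signature, served when master_sign_pubkey and
  # master_use_pubkey_signature are set on the master).
  cp "$master/master.pub" "$signing/"
  openssl dgst -sha256 -sign "$signing/master_sign.pem" \
    -out "$signing/master_pubkey_signature" "$signing/master.pub"

  # Distribution: the signature goes back to the master; master_sign.pub is
  # pinned on the minion (Salt: verify_master_pubkey_sign checks against it).
  cp "$signing/master_pubkey_signature" "$master/"
  cp "$signing/master_sign.pub" "$minion/"

  # What the minion receives over the wire: a master.pub plus the signature.
  cp "$master/master_pubkey_signature" "$minion/"
  if [ "$mode" = rogue ]; then
    # An impostor presents its own key with the genuine signature attached.
    openssl genrsa 2048 2>/dev/null | openssl rsa -pubout -out "$minion/master.pub" 2>/dev/null
  else
    cp "$master/master.pub" "$minion/"
  fi

  # Minion-side check: needs only master_sign.pub; no private key is involved.
  if openssl dgst -sha256 -verify "$minion/master_sign.pub" \
       -signature "$minion/master_pubkey_signature" "$minion/master.pub" >/dev/null 2>&1; then
    result=accepted
  else
    result=rejected
  fi

  # Check the claim under discussion: no private key was copied anywhere.
  if [ -e "$minion/master.pem" ] || [ -e "$minion/master_sign.pem" ] || \
     [ -e "$master/master_sign.pem" ] || [ -e "$signing/master.pem" ]; then
    result=private_key_leaked
  fi

  rm -rf "$work"
  printf '%s\n' "$result"
}
```

`pubkey_signature_demo honest` prints `accepted` and `pubkey_signature_demo rogue` prints `rejected`. The only material that crosses between the signing box and a master is master.pub going out and the signature file coming back; master.pem and master_sign.pem never leave the directory they were generated in, and the minion verifies with the pinned master_sign.pub alone.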

Congratulations on your first PR being merged! :tada:

welcome[bot] avatar Jun 25 '25 23:06 welcome[bot]