Disabling autosigning

By default, the autosign setting in the [server] section of the CA’s puppet.conf file is set to $confdir/autosign.conf. The basic autosigning functionality is enabled upon installation.

Depending on your installation method, there might not be an allowlist at that location after the Puppet Server is running:

  • Open source Puppet: autosign.conf doesn’t exist by default.

  • Monolithic Puppet Enterprise (PE) installations: All required services run on one server, and autosign.conf exists on the primary server, but by default it's empty because the primary server doesn’t need to add other servers to an allowlist.

  • Split PE installations: Services like PuppetDB can run on different servers; autosign.conf exists on the CA server and contains an allowlist of the other required hosts.

If the autosign.conf file is empty or doesn’t exist, the allowlist is effectively empty. The CA Puppet primary server doesn’t autosign any certificates until the autosign setting points at a usable file: either the default autosign.conf as a non-executable allowlist with correctly formatted content, or a custom policy executable that the Puppet user has permission to run.

To explicitly disable autosigning, set autosign = false in the [server] section of the CA Puppet primary server’s puppet.conf. This disables CA autosigning even if the autosign.conf file or a custom policy executable exists.
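The following script is an added example, not part of the Puppet documentation or the Puppet project. It reads the autosign setting from the [server] section of a puppet.conf, expands the $confdir default, and reports which of the states described above the CA is in (explicitly disabled, allowlist, custom policy executable, or effectively empty). The puppet.conf fragments, file names, and the allowlist and policy-script contents it creates are constructed fixtures; the extra "unrestricted" outcome covers `autosign = true`, which Puppet's configuration reference documents as signing every request.

```shell
#!/bin/sh
# Added example (not from the Puppet documentation): report the effective
# autosign state of a CA from its puppet.conf and the file it points at.
# All file names and contents below are constructed fixtures.

# Print the autosign value from the [server] section of a puppet.conf,
# or nothing if the key is not set in that section.
autosign_value() {
  awk -F= '
    /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
    in_server && $1 ~ /^[ \t]*autosign[ \t]*$/ {
      v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# Classify the CA's autosign configuration. Prints one word:
#   disabled      autosign = false (explicitly off, whatever files exist)
#   unrestricted  autosign = true  (every request is signed; not recommended)
#   policy        the setting names an executable: a custom policy script
#   allowlist     the setting names a non-empty, non-executable file
#   empty         the file is missing or empty: nothing is autosigned
# $1 = path to puppet.conf, $2 = the $confdir used to expand the default
autosign_status() {
  value=$(autosign_value "$1")
  case "$value" in
    false) echo disabled; return ;;
    true)  echo unrestricted; return ;;
    "")    value='$confdir/autosign.conf' ;;   # Puppet's default value
  esac
  case "$value" in
    '$confdir'/*) value="$2/${value#\$confdir/}" ;;
  esac
  if [ ! -s "$value" ]; then echo empty
  elif [ -x "$value" ]; then echo policy
  else echo allowlist
  fi
}

# Build constructed fixtures covering each case; prints the temp directory.
make_fixtures() {
  d=$(mktemp -d)
  printf '[server]\nautosign = false\n' > "$d/disabled.conf"
  printf '[server]\nautosign = true\n' > "$d/all.conf"
  mkdir "$d/missing" "$d/blank" "$d/allow" "$d/policy"
  # default setting, no autosign.conf at all (open source Puppet after install)
  printf '[main]\ncertname = ca.example.test\n[server]\n' > "$d/missing/puppet.conf"
  # default setting, autosign.conf present but empty (monolithic PE)
  printf '[server]\nautosign = $confdir/autosign.conf\n' > "$d/blank/puppet.conf"
  : > "$d/blank/autosign.conf"
  # non-executable allowlist with one constructed entry
  printf '[server]\n' > "$d/allow/puppet.conf"
  printf '*.example.test\n' > "$d/allow/autosign.conf"
  # executable custom policy script (constructed; rejects everything)
  printf '[server]\nautosign = $confdir/autosign.rb\n' > "$d/policy/puppet.conf"
  printf '#!/bin/sh\nexit 1\n' > "$d/policy/autosign.rb"
  chmod 755 "$d/policy/autosign.rb"
  echo "$d"
}

# Stand-alone run: classify each fixture, then clean up.
d=$(make_fixtures)
for c in disabled all; do
  printf '%-22s %s\n' "$c.conf" "$(autosign_status "$d/$c.conf" "$d")"
done
for c in missing blank allow policy; do
  printf '%-22s %s\n' "$c/puppet.conf" "$(autosign_status "$d/$c/puppet.conf" "$d/$c")"
done
rm -rf "$d"
```

To audit a real CA, call `autosign_status /etc/puppetlabs/puppet/puppet.conf /etc/puppetlabs/puppet` (paths shown as an assumption about a typical layout); any answer other than `disabled` means autosigning can still occur if the referenced file is later populated or made executable, which is exactly why the explicit `autosign = false` setting above is the reliable way to turn it off.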

For more information about the autosign setting in puppet.conf, see the configuration reference.