certificate_authority service parameters
These parameters customize the behavior of the PE certificate authority service in relation to agent certificates.
You can modify the following profile class parameters either in Hiera or in the Configuration data tab for the PE Certificate Authority infrastructure node group in the PE console.
puppet_enterprise::profile::certificate_authority::allow_auto_renewal
A Boolean specifying whether to allow automatic renewal of agent certificates.
Default: true
puppet_enterprise::profile::certificate_authority::allow_puppetlabs_certificate_authentication
A Boolean specifying whether to allow authorization of agent certificate requests using the "pp_cli_auth": "true" certificate extension when RBAC tokens are not available. Token-based authentication is always used where RBAC tokens are available.
When the value is set to false, authorization of agent certificate requests is only permitted with RBAC token-based authentication.
Default: true
puppet_enterprise::profile::certificate_authority::auto_renewal_cert_ttl
A string representing the validity period of automatically generated agent certificates, when an agent is capable of renewing certificates and the auto-renewal feature is turned on.
The value is a duration formatted as a string consisting of a number and a suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Default: 90d
puppet_enterprise::profile::certificate_authority::ca_ttl
A string representing the default validity period of agent certificates when the auto-renewal feature is turned off.
The value is formatted as a string consisting of a number and a suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Default: 5y
puppet_enterprise::profile::certificate_authority::client_allowlist
An array of additional agent cert names that can access the certificate_status API endpoint. This list is in addition to the base PE certificate list.
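
Added example (not Puppet's code): a Python check that merges Hiera overrides over the defaults documented above, validates both TTL strings, computes which TTL applies to a new agent certificate, and lists the settings that widen access to the CA. The function names are hypothetical; it assumes the Hiera data is already loaded as a dict keyed by full parameter name, that "y" means 365 days, that the allowlist is empty unless set, and that agents are capable of renewal.

```python
import re

PREFIX = "puppet_enterprise::profile::certificate_authority::"
# Seconds per unit suffix. Treating "y" as 365 days is this example's assumption.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
# Defaults as documented above; the empty allowlist is assumed, not documented.
DEFAULTS = {
    "allow_auto_renewal": True,
    "allow_puppetlabs_certificate_authentication": True,
    "auto_renewal_cert_ttl": "90d",
    "ca_ttl": "5y",
    "client_allowlist": [],
}

def parse_ttl(value):
    """Convert a '<number><s|m|h|d|y>' string to seconds; ValueError if malformed."""
    match = re.fullmatch(r"([0-9]+)([smhdy])", str(value).strip())
    if match is None:
        raise ValueError(f"expected a number plus s, m, h, d or y, got {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def effective(hiera):
    """Merge Hiera overrides (full key names) over the documented defaults."""
    return {key: hiera.get(PREFIX + key, default) for key, default in DEFAULTS.items()}

def effective_ttl(hiera):
    """Validity in seconds of a new agent certificate (agent assumed renewal-capable)."""
    cfg = effective(hiera)
    key = "auto_renewal_cert_ttl" if cfg["allow_auto_renewal"] else "ca_ttl"
    return parse_ttl(cfg[key])

def review(hiera):
    """Return human-readable findings for the CA profile settings."""
    cfg, findings = effective(hiera), []
    for key in ("auto_renewal_cert_ttl", "ca_ttl"):
        try:
            parse_ttl(cfg[key])
        except ValueError as err:
            findings.append(f"{key}: {err}")
    if cfg["allow_puppetlabs_certificate_authentication"] is not False:
        findings.append("pp_cli_auth extension accepted when no RBAC token is available")
    for name in cfg["client_allowlist"]:
        findings.append(f"client_allowlist: {name} can access certificate_status")
    return findings

# Constructed sample data, not taken from a real deployment.
SAMPLE = {PREFIX + "allow_auto_renewal": False, PREFIX + "ca_ttl": "18 months",
          PREFIX + "client_allowlist": ["ops-tool.example.com"]}

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

With no overrides the effective lifetime is the 90d auto-renewal TTL; turning auto-renewal off silently moves new agent certificates to the 5y ca_ttl, which is the change most worth catching in review.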






