Configure Security Compliance Management mTLS certificates
If you want to manually provide your own mTLS certificates, follow this process to generate certificates for Security Compliance Management in Puppet Enterprise (PE). If you are using automatically generated mTLS certificates, you can skip this.
Certificates are required when setting up Security Compliance Management for the following interactions:
- Interactions between Security Compliance Management and Puppet Enterprise. These interactions require the CA certificate to be configured correctly. Any problem with the CA certificate used for communication between Security Compliance Management and Puppet Enterprise results in an error in the Security Compliance Management UI.
- Agent runs. If you have set up the Security Compliance Management module to download the assessor from the Security Compliance Management server (as opposed to being hosted locally), the assessor is downloaded using Mutual Transport Layer Security (mTLS) with the client certificate from the node. The Security Compliance Management mtls-proxy component requires the configured TLS and CA certificate.
- Scan task runs. Running a scan sends reports back into Security Compliance Management via an HTTP POST. This POST goes through the mtls-proxy and uses mTLS with the client certificate from the node.
Configuring Security Compliance Management TLS certificates involves first generating the certificates in Puppet Enterprise (PE) and then setting up mTLS either during installation or by using the configure plan. mTLS enables a secure, authenticated connection between your nodes and Security Compliance Management.
For information on troubleshooting problems with certificates, see Troubleshooting mTLS issues in Security Compliance Management.
- SSH into your Puppet Enterprise primary server and generate the certificates:
    puppetserver ca generate --certname <SCM-HOSTNAME>
  This command does the following:
  - Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<SCM-HOSTNAME>.pem
  - Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<SCM-HOSTNAME>.pem
- If you have already installed Security Compliance Management, run the complyadm::configure plan. If you have not installed Security Compliance Management, you are prompted to manually enter your mTLS certificate information during installation, so have this information ready.
- When prompted, choose to manually configure your mTLS certificate. You need to provide a TLS certificate chain, private key, and certificate revocation list (CRL).
- Finish configuring or installing Security Compliance Management.