This repository has been archived by the owner on Jan 9, 2025. It is now read-only.

Puppet is now shipping a CA cert bundle!

This repository is archived and Perforce will no longer update it. For more information, see this Puppet blog post.

The canonical, up-to-date CA bundle currently provides many root certificates. We grab Mozilla's certdata.txt, use the certdata2pem.py script from Red Hat to split it into one PEM file per certificate, and remove anything that is untrusted (i.e. anything with a value in the distrust= field) or that does not explicitly list serverAuth in the openssl-trust field, so that roots Mozilla trusts only for e-mail protection or code signing never end up in a bundle used to verify TLS servers. The result lines up with curl's CA bundle, which is built from the same Mozilla data.
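The filtering rule described above (the "clean out those we do not want" step of `make refresh-certs`), written out as an added example. This is not the project's own Makefile or script logic; it assumes the comment header that Red Hat's certdata2pem.py writes ahead of each PEM block (`# alias=`, `# trust=`, `# distrust=`, `# openssl-trust=`), and the sample input is constructed, with placeholder certificate bodies rather than real roots.

```python
"""Apply the README's filtering rule to certdata2pem.py output.

Added example, not the puppet-ca-bundle Makefile. Assumes each certificate
arrives with the comment header that Red Hat's certdata2pem.py writes ahead
of the PEM block:
    # alias=..., # trust=..., # distrust=..., # openssl-trust=...
The sample input is constructed; the certificate bodies are placeholders,
not real root certificates.
"""
from typing import Dict, List, Tuple

# Constructed sample: three records in certdata2pem.py's output layout.
SAMPLE_CERTS = """\
# alias=Good TLS Root
# trust=CKA_TRUST_SERVER_AUTH CKA_TRUST_EMAIL_PROTECTION
# distrust=
# openssl-trust=serverAuth emailProtection
-----BEGIN CERTIFICATE-----
AAAAPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
# alias=Email Only Root
# trust=CKA_TRUST_EMAIL_PROTECTION
# distrust=
# openssl-trust=emailProtection
-----BEGIN CERTIFICATE-----
BBBBPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
# alias=Distrusted Root
# trust=
# distrust=CKA_TRUST_SERVER_AUTH
# openssl-trust=
-----BEGIN CERTIFICATE-----
CCCCPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
"""

Record = Tuple[Dict[str, str], str]


def parse_records(text: str) -> List[Record]:
    """Split certdata2pem-style text into (headers, pem_block) records."""
    records: List[Record] = []
    headers: Dict[str, str] = {}
    pem: List[str] = []
    in_pem = False
    for line in text.splitlines():
        if in_pem:
            pem.append(line)
            if line == "-----END CERTIFICATE-----":
                records.append((headers, "\n".join(pem) + "\n"))
                headers, pem, in_pem = {}, [], False
        elif line == "-----BEGIN CERTIFICATE-----":
            in_pem, pem = True, [line]
        elif line.startswith("# ") and "=" in line:
            # Header comment: "# key=value"; the value may be empty.
            key, _, value = line[2:].partition("=")
            headers[key.strip()] = value.strip()
    if in_pem:
        # Fail closed on a truncated download rather than emit a partial bundle.
        raise ValueError("truncated PEM block for alias %r" % headers.get("alias"))
    return records


def is_server_auth_root(headers: Dict[str, str]) -> bool:
    """README rule: drop anything with a distrust entry, and anything that
    does not explicitly list serverAuth in openssl-trust. A missing
    openssl-trust header therefore drops the certificate (fail closed)."""
    if headers.get("distrust", ""):
        return False
    return "serverAuth" in headers.get("openssl-trust", "").split()


def build_bundle(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (bundle_pem, kept_aliases, dropped_aliases)."""
    kept: List[str] = []
    dropped: List[str] = []
    parts: List[str] = []
    for headers, pem in parse_records(text):
        alias = headers.get("alias", "<unnamed>")
        if is_server_auth_root(headers):
            kept.append(alias)
            parts.append("# %s\n%s" % (alias, pem))  # alias comment above each cert
        else:
            dropped.append(alias)
    return "".join(parts), kept, dropped


if __name__ == "__main__":
    bundle, kept, dropped = build_bundle(SAMPLE_CERTS)
    print("kept:   ", kept)
    print("dropped:", dropped)
    print(bundle)
```

On a real refresh the input would be the concatenation of the `.crt` files certdata2pem.py writes from certdata.txt; only the first sample record survives here, because the second is trusted solely for e-mail and the third carries a distrust entry. Both checks fail closed: a record without an `openssl-trust` header, or with a truncated PEM block, is never copied into the bundle.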

Build Instructions

  • Run make refresh-certs to download new certs, clean out those we do not want, and format them for this repo
  • Run make prepare to create the cert bundle and keystore that will be installed in puppet-runtime builds

Install Instructions

  • Run make install to copy the already prepared PEM and JKS cert bundles and set permissions on the installed files. The bundles must be readable by every process that validates TLS peers but writable only by root: anyone who can write to the trust store can add a root of their own.
  • On FIPS hosts, run make install-fips instead.

Release

  • Tag the puppet-ca-bundle project with the next version number
  • Update the configs/components/puppet-ca-bundle.json file in puppet-runtime with the new version
  • An automatic tagging job will tag puppet-runtime and kick off the build pipelines