Tech:SSL certificates

SSL certificates and CSRs can be generated on mw1 using a shell script (acme-tiny) to simplify and standardize the process.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, their own Let's Encrypt client is terrible, and getting the actual certs is a bit tricky (compared to other CAs). I'll explain that here. We'll use the acme-tiny client, which is a few thousand times better than the official client.


 * Generating a CSR:
 * Generating a LetsEncrypt SSL Certificate:
 * Renewing a LetsEncrypt SSL Certificate:

The domain argument is the fully qualified domain name (FQDN) that becomes the certificate's common name and the name the certificate is issued for. The -g option generates a new LetsEncrypt SSL certificate for the domain; the -r option renews (regenerates) an existing LetsEncrypt certificate, provided the private key is already present at the expected location.

All generated files are stored in /root/acme-tiny/ssl/ in the form of $domain.{key|csr|crt}.
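To make the -g / -r distinction and the $domain.{key|csr|crt} layout concrete, here is an added illustration of how such a wrapper can be built around acme-tiny. It is not Miraheze's own script and was not taken from the acme-tiny project; the locations of the script, the account key and the challenge directory (ACME_TINY, ACCOUNT_KEY, CHALLENGE_DIR) and the overridable SSL_DIR are assumptions, and the choice to refuse -g when a key already exists is this example's, not the page's. It generates a 4096-bit RSA key with restrictive permissions, builds a CSR that carries the domain as a subjectAltName (Let's Encrypt takes names from the SAN, not only the CN), checks that the CSR's public key matches the key on disk, and only then hands the CSR to acme-tiny.

```shell
#!/bin/sh
# Added illustration of a -g / -r wrapper around acme-tiny (not Miraheze's script).
# Files are kept as $domain.key, $domain.csr and $domain.crt under SSL_DIR.
# Assumptions (not on the original page): the ACME_TINY, ACCOUNT_KEY and
# CHALLENGE_DIR defaults below; all four can be overridden via the environment.
SSL_DIR="${SSL_DIR:-/root/acme-tiny/ssl}"
ACME_TINY="${ACME_TINY:-/root/acme-tiny/acme_tiny.py}"
ACCOUNT_KEY="${ACCOUNT_KEY:-/root/acme-tiny/account.key}"
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/challenges}"

# Path of a domain's file for a given extension (key|csr|crt).
ssl_path() { printf '%s/%s.%s\n' "$SSL_DIR" "$1" "$2"; }

# Succeeds if a non-empty private key already exists for the domain.
key_exists() { [ -s "$(ssl_path "$1" key)" ]; }

# Accept only a plausible FQDN before the value reaches any command line.
valid_domain() {
    printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Build the CSR from an existing key; used by both generate and renew.
# -addext requires OpenSSL 1.1.1 or newer.
make_csr() {
    domain=$1
    openssl req -new -key "$(ssl_path "$domain" key)" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        -out "$(ssl_path "$domain" csr)"
    # Sanity check: the public key inside the CSR must match the private key on disk.
    [ "$(openssl req -in "$(ssl_path "$domain" csr)" -noout -pubkey)" = \
      "$(openssl pkey -in "$(ssl_path "$domain" key)" -pubout)" ] \
        || { echo "CSR/key mismatch for $domain" >&2; return 1; }
}

# Create a fresh RSA key (readable by root only) and a matching CSR.
make_key_and_csr() {
    domain=$1
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$(ssl_path "$domain" key)"
    make_csr "$domain"
}

# Ask Let's Encrypt to sign the CSR; acme-tiny prints the certificate on stdout.
# Write to a temp file first so a failed run never leaves a truncated .crt behind.
sign_csr() {
    domain=$1
    python3 "$ACME_TINY" --account-key "$ACCOUNT_KEY" \
        --csr "$(ssl_path "$domain" csr)" --acme-dir "$CHALLENGE_DIR" \
        > "$(ssl_path "$domain" crt).tmp" \
        && mv "$(ssl_path "$domain" crt).tmp" "$(ssl_path "$domain" crt)"
}

usage() { echo "usage: $0 -g|-r domain" >&2; exit 2; }

main() {
    [ $# -eq 2 ] || usage
    mode=$1; domain=$2
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; exit 2; }
    mkdir -p "$SSL_DIR"
    case $mode in
        -g) key_exists "$domain" && { echo "key exists for $domain; use -r to renew" >&2; exit 1; }
            make_key_and_csr "$domain" && sign_csr "$domain" ;;
        -r) key_exists "$domain" || { echo "no key for $domain; use -g first" >&2; exit 1; }
            make_csr "$domain" && sign_csr "$domain" ;;
        *)  usage ;;
    esac
}

# Only act when given arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run as `sh gen-le-cert.sh -g meta.example` to create the key, CSR and certificate, or with -r to keep the existing key and request a new certificate for it; the key_exists check is what makes -r refuse to run for a domain that was never generated.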

Puppet-users
Puppet-users are system administrators who have access to puppet1. This lets them add the private keys obtained from mw1 themselves, so Operations does not necessarily need to be involved in adding certificates.