From 3340418e0688e76c84e1fd6e320d636e8d34c2af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 10 Apr 2024 12:41:02 -0400
Subject: [PATCH] document some of my research on TLS cert management in Puppet

---
 howto/tls.md | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/howto/tls.md b/howto/tls.md
index 8f008a8c..745aa7ed 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -459,10 +459,28 @@ systems and see if we can reduce the number of CAs.
 
 ## Alternatives considered
 
-The `auto-ca` machinery could be replaced by Puppet code. We could
-also leverage the ACME protocol designed by letsencrypt to run our own
-CA instead of just OpenSSL, although that might be overkill. In
-general it might be preferable to reuse an existing solution than
+The `auto-ca` machinery could be replaced by Puppet code. Here are
+modules that might be relevant:
+
+ - [mmack/cfssl](https://forge.puppet.com/modules/mmack/cfssl/): interfaces [Cloudflare's cfssl](https://github.com/cloudflare/cfssl) "PKI/TLS swiss
+   army knife"
+
+ - [rehan/easyrsa](https://forge.puppet.com/modules/rehan/easyrsa): wrapper around [easy-rsa](https://github.com/OpenVPN/easy-rsa), itself a wrapper
+   around OpenSSL, not well documented
+
+ - [Aethylred/keymaster](https://forge.puppet.com/modules/Aethylred/keymaster/readme): handle X509 CAs, but also SSH host keys,
+   which might be in conflict with our existing code
+
+ - [puppet/openssl](https://forge.puppet.com/modules/puppet/openssl): a bit bare-bones, no revocation support
+
+Trocla also has support for [x509 certs](https://github.com/duritong/trocla#x509) although it assumes there
+is already a CA present, and it [does not support EC keys](https://github.com/duritong/trocla/issues/82).
+
+We could also leverage the ACME protocol designed by Let's Encrypt to
+run our own CA instead of just OpenSSL, although that might be
+overkill.
+
+In general, it would be preferable to reuse an existing solution than
 maintain our own software in Make.
 
 ### Other Certificate Authorities
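Review bot: The new module list at lines 25-34 records what each Forge module does but not whether it is still maintained, which is the first thing a reader choosing one of them will need, since pulling an abandoned module into the Puppet control repo is a supply-chain exposure; consider adding, per entry, the last release date and whether the module is actively maintained (for example after "no revocation support" for `puppet/openssl`), or a short "none of these is recommended yet" line if the research stopped before that check. Two smaller points in the same hunk: the `Aethylred/keymaster` link points at the module's `/readme` page while the other three point at the module root, so the links should be made consistent, and "it would be preferable to reuse an existing solution than maintain our own software in Make" at lines 43-44 reads better as "it would be preferable to reuse an existing solution rather than maintain our own software in Make".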
-- 
GitLab