I was wondering if it would be a good idea to use short-lived certs like the certs issued by Let’s Encrypt for use by the Foreman? As everything uses the certs created by the installer to communicate, I’m not sure if things will start breaking if you have to change the cert every 3 months.
The other consideration is that the Foreman would then be using a generic intermediary cert with Puppet, and I don’t know if the intent was exactly to prevent any cert from verifying against the Puppet server, or if it needs to be its own CA that issues the chain.
If it is viable to use a provider like Let’s Encrypt, won’t it be a good idea to build the functionality for the installer to request the certs from Let’s Encrypt automatically and maintain the key rotation once the Foreman is running in production? My security team is not too happy to use the default self-signed certs, and with the option to use Let’s Encrypt, what do you suggest? Even normal certs now only have a validity period of a year.
As I’m using the Foreman in a locked down environment I don’t see the specific need for OV or even EV certs by Foreman.