I am currently using Puppet to automate infrastructure within a cloud offering, Amazon Web Services (AWS) for those interested!.
As part of deployment of new instances, I require the client certificate to be automatically signed by the Puppet master server to immediately begin the configuration.
This can be achieved by allowing the master server to automatically sign all clients (*) certificates, as below:
$ cat /etc/puppet/autosign.conf *
However, this can be perceived to be a security risk as any machine could connect without authorisation and request manifest files which may contain sensitive information. I suppose one other option could be use a filter based on a naming convention (in the below example, the DNS name is used as a match) used internally as below, but again the solution saves time but does not remove the security risk.
$ cat /etc/puppet/autosign.conf *.dean.local
For those using AWS, I found a great article at http://www.codelord.net/2010/12/19/using-puppet-to-automatically-configure-new-ec2-instances where using the EC2 API tools to get the DNS name of the deployed instance and adds this as a trusted client to /etc/puppet/autosign.conf. This then can be run as a CRON job to automatically sign the client certificates on the master server.