
Here is the problem...

3 years ago we created a multi-datacenter setup, with as few cross-DC resource dependencies as we could manage. Different AD sites. Different puppetmasters. Different syslog servers. Different egress firewalls. Different DNS resolvers. Different out-bound mail relays. The works. It was nice, it worked out pretty well.

Now I'm trying to get Mcollective installed so we can do some distributed commanding and get some reporting stuff out of puppet. Currently rules set cron-jobs that run puppet-pushed bash scripts that dump output to NFS shares; this seems like a prime candidate for something like mcollective.

The big problem is that the two puppetmasters are using certificate authorities that don't chain to anything, and Mcollective uses CA-validation as a key part of its authn/authz scheme.

Is it possible to re-sign the CA certs with a 3rd authority, and thus create a single certificate chain?

We already have puppet certs on everything, and golly it would be great if we could reuse those certs. As is, we would be ending up with two island mcollective environments which means our automation has to connect to DC-specific endpoints to do commanding. It would be great if we had a single point for that, especially since activemq can deal with that kind of architecture.

Scriptomatically regenerating all the client certs with the same serial-numbers?
Openssl magic involving -set_serial?

I'd really rather avoid having to re-key all umpty-hundred nodes we have in these puppetmasters, but if that's the only way it can be done then so be it.

Blue Warrior NFB

0 Answers
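The question asks whether two independent puppet CAs can be re-signed by a third authority so the existing node certificates chain to one root. The script below is an added, constructed demonstration of exactly that cross-signing step (it is not from the question or from Puppet/MCollective): it builds two self-signed "DC" CAs with one node cert each, then issues a second certificate for each DC CA's existing key, with the same subject, signed by a new common root. The names (Example Corp Root, Puppet CA dc1/dc2, node.dc1.example), serial numbers and extension profiles are all made up for the demo. The one caveat a practitioner should check before trying this on real puppet certs is visible in the extension files: the node certs only chain through the cross-signed copy if their authorityKeyIdentifier is keyid-only, because an issuer+serial AKID pins them to the original self-signed CA cert's serial.

```shell
#!/bin/sh
# Constructed cross-signing demo (not from the original question).
# Two self-signed "puppet CA" keys get cross-signed by a new common root, so
# node certs already issued by either CA validate against that single root
# without being re-keyed. All names and serials below are made up.

WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# Extension profiles. The leaf AKID is keyid-only on purpose: an issuer+serial
# AKID would pin the leaf to the original CA cert's serial, and the cross-signed
# copy (new serial, new issuer) would then never match during chain building.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Fresh key + CSR for a subject ($1 = file basename, $2 = subject CN).
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# The pre-existing world: one self-signed CA per datacenter plus one node cert
# each, standing in for the puppet certs that are already deployed ($1 = dc name).
make_dc() {
  new_key_and_csr "$1-ca" "Puppet CA $1"
  openssl x509 -req -in "$1-ca.csr" -signkey "$1-ca.key" -days 3650 \
    -extfile ca.ext -out "$1-ca.crt" 2>/dev/null
  new_key_and_csr "$1-node" "node.$1.example"
  openssl x509 -req -in "$1-node.csr" -CA "$1-ca.crt" -CAkey "$1-ca.key" \
    -set_serial 1001 -days 365 -extfile leaf.ext -out "$1-node.crt" 2>/dev/null
}

# Cross-sign: a new CSR from the DC CA's EXISTING key with the SAME subject,
# signed by the root. The DC CA key and every cert it issued stay untouched;
# only a second certificate for that key comes into existence ($1 = dc, $2 = serial).
cross_sign() {
  openssl req -new -key "$1-ca.key" -subj "/CN=Puppet CA $1" \
    -out "$1-ca-cross.csr" 2>/dev/null
  openssl x509 -req -in "$1-ca-cross.csr" -CA root.crt -CAkey root.key \
    -set_serial "$2" -days 3650 -extfile ca.ext -out "$1-ca-cross.crt" 2>/dev/null
}

setup_demo() {
  new_key_and_csr root "Example Corp Root"
  openssl x509 -req -in root.csr -signkey root.key -days 7300 \
    -extfile ca.ext -out root.crt 2>/dev/null
  make_dc dc1 && make_dc dc2
  cross_sign dc1 2001 && cross_sign dc2 2002
  # One bundle for a cross-DC consumer's trust store: root + both cross certs.
  cat root.crt dc1-ca-cross.crt dc2-ca-cross.crt > unified-chain.pem
}

# Does an existing node cert chain to the new root via the unified bundle?
# Exit status is openssl verify's: 0 on success, non-zero otherwise.
verify_via_root() {
  openssl verify -CAfile root.crt -untrusted unified-chain.pem "$1-node.crt" >/dev/null 2>&1
}

# Control: the root alone, without the cross-signed copies, must NOT validate.
verify_root_only() {
  openssl verify -CAfile root.crt "$1-node.crt" >/dev/null 2>&1
}

# Control: each DC's original CA still validates its own nodes, unchanged.
verify_original_ca() {
  openssl verify -CAfile "$1-ca.crt" "$1-node.crt" >/dev/null 2>&1
}

setup_demo
for dc in dc1 dc2; do
  verify_via_root "$dc" && echo "$dc node chains to Example Corp Root through the cross-signed CA"
done
```

Nothing about the per-DC puppet traffic changes here: the puppet agents keep trusting their own CA (verify_original_ca still passes), while a cross-DC consumer is handed root.crt plus the two cross-signed CA certs and accepts node certs from either datacenter. The cross-signed copies also need their own lifecycle (expiry, and CRL or revocation handling at the root), so treat them as a second set of CA certificates to operate, not a one-off conversion.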