Client.pem file for nodes

At another job we downloaded one client.pem file for every node we deployed in chef. Is that good practice? If so do you create a generic client node user? How would you obtain that client pem? Or do you use your user pem file when you bootstrap a client node?


Generally when you bootstrap a node, 2 objects get created:

  • The node object
  • The client object

The latter is what the certificate is tied to, I believe.

It’s important to ensure that you generate a certificate per node, as this is the node’s “user”, and ultimately, its credentials. When you delete a node, you want to ensure that the node can’t communicate with the Chef server any more. Sharing client certificates compromises your ability to do that.

Honestly, I’m not too sure even how that would work. If you use knife bootstrap the process is transparent to you - the process either uses the validator to provision a new certificate, or the certificate is pre-created during node/client object creation.

PS: If you want to take advantage of chef-vault, having one certificate per node is imperative, as that’s what the data is selectively encrypted against.

This is correct. You can think of a client as an “API key account” for a machine. The node is just the data for that machine.

To vancluever’s response I would just add that for unattended install scenarios, you would need to bake the validator key into your AMI/ISO/whatever. The validator is a special account that can create new clients and not much else.

Awesome thanks.