I'm investigating whether I can somehow make the puppet ecosystem utilize our existing Microsoft Enterprise CA rather than being its own CA.
Since puppet touts that all of the system is "standard SSL", my guess is that it is completely possible to do this without much changing of puppet, HOWEVER it's likely a huge manual headache unless puppet is edited to make the proper calls to the enterprise CA.
Has anyone tried this before? Is it a "here be dragons, turn away!" situation?
The certificate validation and hierarchy behavior in puppet is indeed standard SSL, but it's kind of a partial implementation of the standards - there's a long-standing feature request out there to improve its support for more complicated deployments.
If the goal is to get certificate issuance and approval moved over to the AD Certificate Services system (and never type `puppet cert sign` again), then you're probably out of luck without some software development work. The client uses Puppet's own REST API to handle making certificate requests, fetching signed certificates, AIA and CRL access, etc.; you'd need to implement glue between those API calls and the AD Certificate Services RPC access points.
But, if you're just looking for your Puppet certificates to be in trust chain under your AD CS root, then sysadmin1138's recommendation should work great (though I haven't tested it either - I'll find some time to do that and update you).
The Puppet clients will treat the intermediate Puppet CA as if it were a root CA (which will yield working validation without them needing knowledge of the root), while still being valid descendants of the real root CA.
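As an added illustration (constructed here, not part of the thread or of Puppet), the hierarchy the answer describes built with openssl: a self-signed stand-in for the AD CS enterprise root, a subordinate Puppet CA signed by it, and an agent certificate issued by the subordinate. It then verifies the agent certificate against the full chain and against the subordinate alone; the names and paths are placeholders.

```shell
#!/bin/sh
# Constructed demo: root -> subordinate Puppet CA -> agent certificate, then verification.
# All subject names are placeholders; nothing here is the thread's or Puppet's own code.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for both CAs: a CA certificate that may sign certificates and CRLs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the agent: an end-entity certificate usable for TLS client and server auth.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > agent.ext

# Stand-in for the AD CS enterprise root (self-signed).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Enterprise Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.pem -days 30 >/dev/null 2>&1

# Subordinate Puppet CA: its CSR is signed by the root, so it is a valid descendant of it.
openssl req -new -newkey rsa:2048 -nodes -keyout puppetca.key -out puppetca.csr \
  -subj "/CN=Puppet CA" >/dev/null 2>&1
openssl x509 -req -in puppetca.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out puppetca.pem -days 30 >/dev/null 2>&1

# Agent certificate issued by the subordinate Puppet CA.
openssl req -new -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
  -subj "/CN=agent01.example.internal" >/dev/null 2>&1
openssl x509 -req -in agent.csr -CA puppetca.pem -CAkey puppetca.key -CAcreateserial \
  -extfile agent.ext -out agent.pem -days 30 >/dev/null 2>&1

# Full chain: trust the root, supply the subordinate as an untrusted intermediate.
verify_full_chain() {
  openssl verify -CAfile root.pem -untrusted puppetca.pem agent.pem >/dev/null 2>&1 && echo ok || echo fail
}
# Subordinate alone as the trust anchor, with no knowledge of the root. openssl accepts a
# non-self-signed anchor only when told to with -partial_chain (OpenSSL 1.0.2 and later).
verify_subordinate_only() {
  openssl verify -partial_chain -CAfile puppetca.pem agent.pem >/dev/null 2>&1 && echo ok || echo fail
}
# Control: without -partial_chain the verifier insists on reaching a self-signed root it does not have.
verify_subordinate_strict() {
  openssl verify -CAfile puppetca.pem agent.pem >/dev/null 2>&1 && echo ok || echo fail
}

verify_full_chain
verify_subordinate_only
verify_subordinate_strict
```

The third check is the one to run against whatever TLS library a client actually uses: a verifier that only accepts a self-signed anchor needs the root distributed as well, or partial-chain semantics enabled.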