Open YAMLcase opened 9 months ago
It would be great if a dry-run could also return the thumbprint and, in addition, if the certificate is in good health. The ability to check if Vcert will actually do something would help avoid unnecessary authentication requests. Returning the thumbprint would help with certificate-based authentication and would make it easier to test AfterInstallActions that require the thumbprint.
BUSINESS PROBLEM We are migrating from manual provisioning to a vcert playbook world with thousands of bespokely managed certificates. vcert playbook feature is too quick to enroll a certificate if it finds issues with the underlying cert files (i.e. cannot read, passphrase wrong, missing files, wrong directory, etc). There needs to be a way to have vcert perform a dry run so operators have an opportunity to fix the issues before just enrolling a new certificate.
PROPOSED SOLUTION some ideas come to mind:
- `--dry-run` option to `playbook run`. This would perform all the actions up until the enroll process and quit.
- `vcert checkcert` command to perform an audit to make sure the files are readable, passphrase is correct, etc.
- `exit 0` before moving on to the request. This would not be unlike the `afterInstallAction` command, but to be done first.
CURRENT ALTERNATIVES I am not aware of any alternatives. Currently I perform due diligence as best I can and then cross fingers and pray while issuing the command `vcert run -f playbook.yml`
VENAFI EXPERIENCE about 3 months. vcert playbook feature has a lot of potential, I'm eager for more resilient features.
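The audit the issue asks for (files readable, passphrase correct, key matches certificate, thumbprint returned, and a verdict on whether enrollment would actually happen) can be sketched with the Go standard library, which is the language vcert itself is written in. The block below is an added example written for this page; it is not vcert code and does not reflect how a real `vcert checkcert` or `--dry-run` would be implemented. `PreflightCheck`, `PreflightResult` and `WriteFixture` are hypothetical names, the self-signed certificate and AES-encrypted key it writes are constructed fixtures so it runs offline, and the renewal window is a stand-in for whatever a playbook's own renewal policy would be. It handles the legacy OpenSSL-style encrypted PEM keys that Go's `x509` package can decrypt; PKCS#8-encrypted keys are outside the standard library and are reported as unparsable.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// PreflightResult is what a dry run would hand back to the operator (hypothetical type):
// the installed certificate's thumbprint, whether a playbook would enroll, and every
// file-level problem found. Problems are collected so the operator can fix them all at once.
type PreflightResult struct {
	Thumbprint  string    // SHA-1 over the DER certificate, upper-case hex
	NotAfter    time.Time // expiry of the certificate currently on disk
	WouldEnroll bool      // true when the certificate is inside the renewal window
	Problems    []string  // unreadable files, wrong passphrase, key/cert mismatch
}

// PreflightCheck audits certPath/keyPath without contacting any CA (hypothetical helper).
// renewBefore is the window in which the playbook would treat the certificate as due.
func PreflightCheck(certPath, keyPath, passphrase string, renewBefore time.Duration, now time.Time) PreflightResult {
	var res PreflightResult
	fail := func(format string, a ...interface{}) { res.Problems = append(res.Problems, fmt.Sprintf(format, a...)) }

	certPEM, err := os.ReadFile(certPath)
	if err != nil {
		fail("certificate unreadable: %v", err)
		return res
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		fail("certificate file %s contains no PEM CERTIFICATE block", certPath)
		return res
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		fail("certificate unparsable: %v", err)
		return res
	}
	sum := sha1.Sum(cert.Raw) // the "thumbprint" is the SHA-1 of the DER encoding
	res.Thumbprint = strings.ToUpper(fmt.Sprintf("%x", sum))
	res.NotAfter = cert.NotAfter
	res.WouldEnroll = now.Add(renewBefore).After(cert.NotAfter)

	keyPEM, err := os.ReadFile(keyPath)
	if err != nil {
		fail("private key unreadable: %v", err)
		return res
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		fail("private key file %s contains no PEM block", keyPath)
		return res
	}
	der, encrypted := kb.Bytes, x509.IsEncryptedPEMBlock(kb) // "Proc-Type: 4,ENCRYPTED" keys
	if encrypted {
		if der, err = x509.DecryptPEMBlock(kb, []byte(passphrase)); err != nil {
			fail("private key passphrase wrong or key corrupt: %v", err)
			return res
		}
	}
	key, err := parseAnyPrivateKey(der)
	if err != nil {
		if encrypted { // a wrong passphrase can also surface as undecodable garbage
			fail("private key passphrase wrong or key corrupt: %v", err)
		} else {
			fail("private key unparsable: %v", err)
		}
		return res
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		fail("private key does not match certificate public key")
	}
	return res
}

// parseAnyPrivateKey accepts PKCS#8, SEC1 (EC) or PKCS#1 (RSA) DER.
func parseAnyPrivateKey(der []byte) (crypto.Signer, error) {
	if k, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
	}
	if k, err := x509.ParseECPrivateKey(der); err == nil {
		return k, nil
	}
	if k, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return k, nil
	}
	return nil, fmt.Errorf("not PKCS#8, SEC1 or PKCS#1")
}

// WriteFixture writes a constructed self-signed ECDSA certificate and a
// passphrase-encrypted key into dir so the check can be exercised offline.
func WriteFixture(dir, passphrase string, validFor time.Duration) (certPath, keyPath string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "preflight.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	encBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, []byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), 0o600); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(keyPath, pem.EncodeToMemory(encBlock), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "preflight")
	defer os.RemoveAll(dir)
	certPath, keyPath, err := WriteFixture(dir, "s3cret", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, pass := range []string{"s3cret", "wrong"} {
		r := PreflightCheck(certPath, keyPath, pass, 30*24*time.Hour, time.Now())
		fmt.Printf("passphrase %q: thumbprint=%s wouldEnroll=%v problems=%v\n", pass, r.Thumbprint, r.WouldEnroll, r.Problems)
	}
}
```

The design point is that the check never aborts on the first finding it can recover from: a missing or wrong-passphrase key still yields the thumbprint of the certificate on disk, which is exactly what an operator needs to wire up `afterInstallAction` scripts and certificate-based authentication before risking a real enrollment. The renewal verdict is kept separate from the problem list, since a certificate that is merely close to expiry is expected to be renewed, while a bad passphrase is something to fix before letting the playbook run.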