What do all these public and private keys do?

Sean Horn -


This key is generated by the server when a new User is created.
A person needs this key to authenticate against a Chef Server when doing things with knife or other possible client programs.

Validator Client

This key is generated during the creation of an organization on a Chef Server, or during bootstrap of the entire system on open source chef.
The most important use for a validator client is as a proxy during node/client creation.

The validator client is already trusted by the Chef Server and the chef-client uses it to generate a public/private keypair specifically for a given chef-client. The default name of the Validator Client is "ORGNAME-validator" on Chef Server 12. The default name on open source chef 11 is "chef-validator"


The private key generated using the validator client by the chef-client during initial registration with a Chef Server. Once the custom client has been created, the validator client can be removed from the managed node, as the custom client will be used for all subsequent operations. The default custom client name is the hostname of the system for which it has been generated.


Client == Public/Private Key pair

Further information on keys. https://docs.chef.io/chef_private_keys.html

Further information on Authentication with a Chef Server. https://docs.chef.io/auth.html

Validator and client.pem specifically - http://docs.chef.io/chef_client.html#chef-validator

The important parts of knife.rb or client.rb are these http://docs.chef.io/config_rb_knife.html

node_name - An overloaded term which either means "The user using knife", or "The hostname of the node running a chef-client". This name must match the username or node_name used with knife or chef-client, respectively

client_key - Location of the client key on your workstation/managed node. By default when using knife ".chef/USERNAME.pem" under the current directory, and when running a chef-client, "/etc/chef/client.pem".

validation_client_name - Name of the validator client. By default "ORGNAME-validator"

validation_key - Location of the validator key on disk. By default .chef/ under the current directory or /etc/chef/validation.pem when using knife or chef-client respectively.

Have more questions? Submit a request


Powered by Zendesk