Before we jump into understanding the authentication and authorization mechanisms available in the Chef ecosystem, let's look at the bootstrap process used for the purpose of bootstrapping a new machine using Chef. There are two ways to bootstrap a new node:

In both the cases, unless you are using the chef-client version 12.1 (or higher) and the validator-less bootstrap, you'll require the validator's private key for the first chef-client run on the node. If you are using the Open Source Chef server, this key can be found in /etc/chef-server/chef-validator.pem, whereas, for the Enterprise Chef server, this key will be issued to you during the initial setup.

If you are going to use the knife bootstrap subcommand, this key should be copied over to the machine from where the knife bootstrap subcommand will be invoked. Also, update your knife.rb file on the workstation with the...