Renewing a Puppet CA cert
Renew Puppet CA cert.

Not a perfect solution, but it should alleviate the need to re-sign every cert.

What you need from the existing Puppet ssl directory:
ca/ca_crt.pem
ca/ca_key.pem

Create an openssl.cnf:

```
[ca]
default_ca = CA_default # The default ca section

[CA_default]
database = ./index.txt # index file.
new_certs_dir = ./newcerts # new certs dir
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha1 # md to use (sha1 matches the old cert; sha256 is the stronger choice)
policy = CA_policy # default policy
email_in_dn = no # Don't add the email
name_opt = ca_default # SubjectName display option
cert_opt = ca_default # Certificate display option
x509_extensions = CA_extensions

[CA_policy]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[CA_extensions]
nsComment = "Puppet Cert: manual."
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
```

Create an empty index.txt file and a new serial file containing 00:

```
mkdir newcerts
touch index.txt
echo 00 > serial
```

Convert the existing certificate to a CSR and re-sign it:

```
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf
```

Verify new cert vs. old cert:

```
openssl x509 -text -noout -in certs/ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: pe-master
        Validity
            Not Before: Apr 4 09:21:26 2011 GMT
            Not After : Apr 2 09:21:26 2016 GMT
        Subject: CN=Puppet CA: pe-master
```

```
openssl x509 -text -noout -in newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: pe-master
        Validity
            Not Before: May 22 19:08:44 2011 GMT
            Not After : May 19 19:08:44 2021 GMT
        Subject: CN=Puppet CA: pe-master
```

Make sure the new CA certificate validates an existing certificate:

```
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
```

Replace the existing CA cert with the new cert:

```
cd /etc/puppetlabs/puppet/ssl
cp ca/ca_crt.pem{,.bak}
cp newcert.pem ca/ca_crt.pem
```

Remove the ca.pem cert on the agent, and it should fetch the new CA certificate:

```
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem
puppet agent -t --noop
info: Caching certificate for ca
...
```
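
The renewed certificate is a drop-in replacement only because it keeps the old CA's subject and key pair, so the signatures on existing agent certs still chain to it. The script below is an added example (not part of the original gist) that checks both properties and re-verifies every signed cert before the swap; the function names are hypothetical and all paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original gist. Function names are hypothetical.
# Usage: sh check_ca.sh certs/ca.pem newcert.pem ca/signed

# Succeeds only if both certs share the same canonical subject and public key,
# the two properties that let already-issued certs chain to the renewed CA.
same_ca_identity() {
    old=$1 new=$2
    [ "$(openssl x509 -noout -subject_hash -in "$old")" = \
      "$(openssl x509 -noout -subject_hash -in "$new")" ] || {
        echo "subject differs: $old vs $new" >&2; return 1; }
    [ "$(openssl x509 -noout -pubkey -in "$old")" = \
      "$(openssl x509 -noout -pubkey -in "$new")" ] || {
        echo "public key differs: $old vs $new" >&2; return 1; }
}

# Verifies every *.pem in a directory against one CA file.
# Lists each failure on stderr; returns 0 only if all certs verify.
verify_signed_dir() {
    ca=$1 dir=$2 failed=0
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "FAIL: $cert" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Gate for the replacement step: identity must match and every
# previously signed cert must still verify against the new CA cert.
check_renewed_ca() {
    same_ca_identity "$1" "$2" && verify_signed_dir "$2" "$3"
}

if [ "$#" -eq 3 ]; then
    check_renewed_ca "$@" && echo "OK: $2 can replace $1"
fi
```
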
@mpdude

commented May 9, 2016

As you create the new index.txt and reset the serial numbers – is that necessary because it's a new CA? Is that new CA a drop-in replacement for the old one? Will agent certificates continue to work?

@cekstam

commented Jun 8, 2016

@mpdude, I would believe Yes and Yes. Just did it here and all clients are connecting fine from what I can tell.

@bill-mcgonigle

commented May 24, 2017

Thanks, this was really helpful. I have a 3.2.4 puppetmaster (el6) and had to do these additional steps:

on puppetmaster:

```
cp ca/ca_crt.pem ca/ca_pub.pem
mv signed/puppetmaster-fqdn.pem{,.bak}
service puppetmaster restart
```

on puppet client:

```
sudo rm /var/lib/puppet/ssl/crl.pem
sudo puppet agent -t
```

and in a few cases I got 400 & pson errors, in which case I had to re-run puppet agent -t one to three times before it would clear up.

@kirkins

commented Jan 25, 2018

For the openssl.cnf step where did you create the file?

I already have files with that name at:

/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf

@sinaowolabi

commented Aug 22, 2018

You create it in the "/var/lib/puppet/ssl" dir. That's what I did.
