@papamoose
Forked from kbarber/gist:6456420
Created November 3, 2017 16:24
Renewing a Puppet CA cert
Renew Puppet CA cert.
Not the perfect idea, but it should alleviate the need to re-sign every cert.
What you need from the existing Puppet SSL directory:
ca/ca_crt.pem
ca/ca_key.pem
Create an openssl.cnf:
[ca]
default_ca = CA_default # The default ca section
[CA_default]
database = ./index.txt # index file.
new_certs_dir = ./newcerts # new certs dir
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha1 # md to use (sha1 as in the original; prefer sha256 on current OpenSSL)
policy = CA_policy # default policy
email_in_dn = no # Don't add the email
name_opt = ca_default # SubjectName display option
cert_opt = ca_default # Certificate display option
x509_extensions = CA_extensions
[CA_policy]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[CA_extensions]
nsComment = "Puppet Cert: manual."
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
Create an empty index.txt file and a serial file starting at 00:
mkdir newcerts
touch index.txt
echo 00 > serial
Convert the existing certificate to a CSR and re-sign it with the same key:
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf
Verify the new cert against the old cert:
openssl x509 -text -noout -in certs/ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: Apr 4 09:21:26 2011 GMT
Not After : Apr 2 09:21:26 2016 GMT
Subject: CN=Puppet CA: pe-master
openssl x509 -text -noout -in newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: May 22 19:08:44 2011 GMT
Not After : May 19 19:08:44 2021 GMT
Subject: CN=Puppet CA: pe-master
Make sure the new CA certificate validates an existing agent certificate:
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
Replace the existing CA cert with the new cert:
cd /etc/puppetlabs/puppet/ssl
cp ca/ca_crt.pem{,.bak}
cp newcert.pem ca/ca_crt.pem
Remove ca.pem on the agent; it should then fetch the new CA certificate:
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem
puppet agent -t --noop
info: Caching certificate for ca
...
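As an added example that is not part of the gist, the script below rehearses the whole procedure on a throwaway CA in a temp directory and checks the property the renewal depends on: the re-signed CA cert carries the same public key and subject as the old one, so a cert the old CA issued still verifies against it. It assumes only that openssl (1.1.1 or 3.x) is on PATH; the CA name "Puppet CA: demo-master", the agent name "agent1" and the sha256 digest are constructed choices.

```shell
# Added example, not from the gist: rehearse the renewal on a throwaway CA in a temp dir and
# check the invariant the gist relies on: the renewed CA cert carries the SAME key and subject,
# so certs the old CA issued still chain to it. Assumes only that openssl (1.1.1+) is on PATH.
renew_ca_demo() (
  cd "$(mktemp -d)" && mkdir ca newcerts && touch index.txt && echo 00 > serial || exit 1
  cat > openssl.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
[ca]
default_ca = CA_default
[CA_default]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha256
policy = CA_policy
x509_extensions = v3_ca
[CA_policy]
commonName = supplied
EOF
  # Constructed stand-in for the existing Puppet CA (same ca/ layout as the gist) and one agent cert it signed.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca/ca_key.pem -out ca/ca_crt.pem \
    -days 30 -subj "/CN=Puppet CA: demo-master" -config openssl.cnf -extensions v3_ca 2>/dev/null || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout agent_key.pem -out agent.csr \
    -subj "/CN=agent1" -config openssl.cnf 2>/dev/null || exit 1
  openssl x509 -req -in agent.csr -CA ca/ca_crt.pem -CAkey ca/ca_key.pem -CAcreateserial \
    -days 365 -extfile openssl.cnf -extensions v3_leaf -out agent.pem 2>/dev/null || exit 1
  # The gist's renewal: turn the CA cert back into a CSR and re-sign it with the same key.
  openssl x509 -x509toreq -in ca/ca_crt.pem -signkey ca/ca_key.pem -out certreq.csr 2>/dev/null || exit 1
  openssl ca -batch -config ./openssl.cnf -in certreq.csr -keyfile ca/ca_key.pem \
    -days 3650 -notext -out newcert.pem 2>/dev/null || exit 1
  # Pre-swap checks: same public key, same subject, and the old agent cert verifies against the new CA.
  [ "$(openssl x509 -in ca/ca_crt.pem -noout -pubkey)" = "$(openssl x509 -in newcert.pem -noout -pubkey)" ] || exit 1
  [ "$(openssl x509 -in ca/ca_crt.pem -noout -subject)" = "$(openssl x509 -in newcert.pem -noout -subject)" ] || exit 1
  openssl verify -CAfile newcert.pem agent.pem >/dev/null 2>&1
)
renew_ca_demo && echo "renewed CA still validates the agent cert signed by the old one"
```

The keyid-only authorityKeyIdentifier on the agent cert is why the chain survives: the renewed CA's subjectKeyIdentifier is a hash of the unchanged key, so it matches even though the serial number and validity dates changed.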