Renewing a Puppet CA cert

gistfile1.txt

Renew Puppet CA cert.

Not the perfect idea, but should alleviate the need to resign every cert.

What you need from existing puppet ssl directory:
ca/ca_crt.pem
ca/ca_key.pem

Create an openssl.cnf:
[ca]
  default_ca     = CA_default            # The default ca section
 
[CA_default]
  database       = ./index.txt           # index file.
  new_certs_dir  = ./newcerts            # new certs dir 

  certificate    = ./ca/ca_crt.pem
  serial         = ./serial
  default_md     = sha1                  # md to use 
  policy         = CA_policy             # default policy
  email_in_dn    = no                    # Don't add the email
  name_opt       = ca_default            # SubjectName display option
  cert_opt       = ca_default            # Certificate display option
  x509_extensions = CA_extensions

[CA_policy]
  countryName            = optional
  stateOrProvinceName    = optional
  organizationName       = optional
  organizationalUnitName = optional
  commonName             = supplied
  emailAddress           = optional 

[CA_extensions]
  nsComment            = "Puppet Cert: manual."
  basicConstraints     = CA:TRUE
  subjectKeyIdentifier = hash
  keyUsage             = keyCertSign, cRLSign

Create an empty index.txt file, and a new serial number 00
mkdir newcerts
touch index.txt
echo 00 > serial



Converting existing certificate to a CSR and resign certificate: 
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf 

Verify new cert vs. old cert:
openssl x509 -text -noout -in certs/ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: pe-master
        Validity
            Not Before: Apr  4 09:21:26 2011 GMT
            Not After : Apr  2 09:21:26 2016 GMT
        Subject: CN=Puppet CA: pe-master

openssl x509 -text -noout -in newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: pe-master
        Validity
            Not Before: May 22 19:08:44 2011 GMT
            Not After : May 19 19:08:44 2021 GMT
        Subject: CN=Puppet CA: pe-master

Make sure the new CA certificate validates existing certificate:
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem  
certs/foo.pem: OK
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem
certs/foo.pem: OK

Replace existing ca cert with new cert.
cd /etc/puppetlabs/puppet/ssl
cp ca/ca_crt.pem{,.bak}
cp newcert.pem ca/ca_crt.pem

Remove CA.pem cert on agent, and it should fetch new ca certificate:
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem
puppet agent -t --noop
info: Caching certificate for ca
...

As you create the new index.txt and reset the serial numbers – is that necessary because its a new CA? Is that new CA a drop-in replacement for the old one? Will agent certificates continue to work?

@mpdude, I would believe Yes and Yes. Just did it here and all clients are connecting fine from what I can tell.

Thanks, this was really helpful. I have a 3.2.4 puppetmaster (el6) and had to do these additional steps:

on puppetmaster:

cp ca/ca_crt.pem ca/ca_pub.pem
mv signed/puppetmaster-fqdn.pem{,.bak}
service puppetmaster restart

on puppet client:

sudo rm var/lib/puppet/ssl/crl.pem
sudo puppet agent -t

and in a few cases I got 400 & pson errors, in which case I had to re-run puppet agent -t one to three times before it would clear up.

For the openssl.cnf step where did you create the file?

I already have files with that name at:

/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf

You create it in the "/var/lib/puppet/ssl" dir. Thats what I did.