Created
September 5, 2013 21:26
-
-
Save kbarber/6456420 to your computer and use it in GitHub Desktop.
Renewing a Puppet CA cert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Renew Puppet CA cert. | |
Not the perfect idea, but should alleviate the need to resign every cert. | |
What you need from existing puppet ssl directory: | |
ca/ca_crt.pem | |
ca/ca_key.pem | |
Create an openssl.cnf: | |
[ca] | |
default_ca = CA_default # The default ca section | |
[CA_default] | |
database = ./index.txt # index file. | |
new_certs_dir = ./newcerts # new certs dir | |
certificate = ./ca/ca_crt.pem | |
serial = ./serial | |
default_md = sha1 # md to use | |
policy = CA_policy # default policy | |
email_in_dn = no # Don't add the email | |
name_opt = ca_default # SubjectName display option | |
cert_opt = ca_default # Certificate display option | |
x509_extensions = CA_extensions | |
[CA_policy] | |
countryName = optional | |
stateOrProvinceName = optional | |
organizationName = optional | |
organizationalUnitName = optional | |
commonName = supplied | |
emailAddress = optional | |
[CA_extensions] | |
nsComment = "Puppet Cert: manual." | |
basicConstraints = CA:TRUE | |
subjectKeyIdentifier = hash | |
keyUsage = keyCertSign, cRLSign | |
Create an empty index.txt file, and a new serial number 00 | |
mkdir newcerts | |
touch index.txt | |
echo 00 > serial | |
Converting existing certificate to a CSR and resign certificate: | |
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr | |
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf | |
Verify new cert vs. old cert: | |
openssl x509 -text -noout -in certs/ca.pem | |
Certificate: | |
Data: | |
Version: 3 (0x2) | |
Serial Number: 1 (0x1) | |
Signature Algorithm: sha1WithRSAEncryption | |
Issuer: CN=Puppet CA: pe-master | |
Validity | |
Not Before: Apr 4 09:21:26 2011 GMT | |
Not After : Apr 2 09:21:26 2016 GMT | |
Subject: CN=Puppet CA: pe-master | |
openssl x509 -text -noout -in newcert.pem | |
Certificate: | |
Data: | |
Version: 3 (0x2) | |
Serial Number: 1 (0x1) | |
Signature Algorithm: sha1WithRSAEncryption | |
Issuer: CN=Puppet CA: pe-master | |
Validity | |
Not Before: May 22 19:08:44 2011 GMT | |
Not After : May 19 19:08:44 2021 GMT | |
Subject: CN=Puppet CA: pe-master | |
Make sure the new CA certificate validates existing certificate: | |
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem | |
certs/foo.pem: OK | |
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem | |
certs/foo.pem: OK | |
Replace existing ca cert with new cert. | |
cd /etc/puppetlabs/puppet/ssl | |
cp ca/ca_crt.pem{,.bak} | |
cp newcert.pem ca/ca_crt.pem | |
Remove CA.pem cert on agent, and it should fetch new ca certificate: | |
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem | |
puppet agent -t --noop | |
info: Caching certificate for ca | |
... | |
For the openssl.cnf
step where did you create the file?
I already have files with that name at:
/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
You create it in the "/var/lib/puppet/ssl" dir. Thats what I did.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks, this was really helpful. I have a 3.2.4 puppetmaster (el6) and had to do these additional steps:
on puppetmaster:
on puppet client:
and in a few cases I got
400
&pson
errors, in which case I had to re-runpuppet agent -t
one to three times before it would clear up.