Skip to content

Instantly share code, notes, and snippets.

@kbarber
Created September 5, 2013 21:26
Show Gist options
  • Save kbarber/6456420 to your computer and use it in GitHub Desktop.
Save kbarber/6456420 to your computer and use it in GitHub Desktop.
Renewing a Puppet CA cert
Renew Puppet CA cert.
Not the perfect idea, but should alleviate the need to resign every cert.
What you need from existing puppet ssl directory:
ca/ca_crt.pem
ca/ca_key.pem
Create an openssl.cnf:
[ca]
default_ca = CA_default # The default ca section
[CA_default]
database = ./index.txt # index file.
new_certs_dir = ./newcerts # new certs dir
certificate = ./ca/ca_crt.pem
serial = ./serial
default_md = sha1 # md to use
policy = CA_policy # default policy
email_in_dn = no # Don't add the email
name_opt = ca_default # SubjectName display option
cert_opt = ca_default # Certificate display option
x509_extensions = CA_extensions
[CA_policy]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[CA_extensions]
nsComment = "Puppet Cert: manual."
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
Create an empty index.txt file, and a new serial number 00
mkdir newcerts
touch index.txt
echo 00 > serial
Converting existing certificate to a CSR and resign certificate:
openssl x509 -x509toreq -in certs/ca.pem -signkey ca/ca_key.pem -out certreq.csr
openssl ca -in certreq.csr -keyfile ca/ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf
Verify new cert vs. old cert:
openssl x509 -text -noout -in certs/ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: Apr 4 09:21:26 2011 GMT
Not After : Apr 2 09:21:26 2016 GMT
Subject: CN=Puppet CA: pe-master
openssl x509 -text -noout -in newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-master
Validity
Not Before: May 22 19:08:44 2011 GMT
Not After : May 19 19:08:44 2021 GMT
Subject: CN=Puppet CA: pe-master
Make sure the new CA certificate validates existing certificate:
# openssl verify -CAfile ./certs/ca.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
# openssl verify -CAfile ./newcert.pem ca/signed/pe-agent.pem
certs/foo.pem: OK
Replace existing ca cert with new cert.
cd /etc/puppetlabs/puppet/ssl
cp ca/ca_crt.pem{,.bak}
cp newcert.pem ca/ca_crt.pem
Remove CA.pem cert on agent, and it should fetch new ca certificate:
rm /etc/puppetlabs/puppet/ssl/certs/ca.pem
puppet agent -t --noop
info: Caching certificate for ca
...
@bill-mcgonigle
Copy link

Thanks, this was really helpful. I have a 3.2.4 puppetmaster (el6) and had to do these additional steps:

on puppetmaster:

cp ca/ca_crt.pem ca/ca_pub.pem
mv signed/puppetmaster-fqdn.pem{,.bak}
service puppetmaster restart

on puppet client:

sudo rm var/lib/puppet/ssl/crl.pem
sudo puppet agent -t

and in a few cases I got 400 & pson errors, in which case I had to re-run puppet agent -t one to three times before it would clear up.

@kirkins
Copy link

kirkins commented Jan 25, 2018

For the openssl.cnf step where did you create the file?

I already have files with that name at:

/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf

@sinaowolabi
Copy link

You create it in the "/var/lib/puppet/ssl" dir. Thats what I did.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment