Regenerating certificates in a Puppet deployment
In some cases, you might need to regenerate the certificates and security credentials (private and public keys) that are generated by Puppet’s built-in PKI systems.
For example, you might have a Puppet primary server you need to move to a different network in your infrastructure, or you might have experienced a security vulnerability that makes existing credentials untrustworthy.
puppetlabs-certregen
module but is not supported with Puppet Server 6. If your goal is to... | Do this... |
---|---|
Regenerate an agent’s certificate | |
Fix a compromised or damaged certificate authority | |
Completely regenerate all Puppet deployment certificates | |
Add DNS alt-names or other certificate extensions to your existing Puppet primary server | Regenerate the agent certificate of your Puppet primary server and add DNS alt-names or other certificates |
Regenerate the agent certificate of your Puppet primary server and add DNS alt-names or other certificate extensions
This option preserves the primary server/agent relationship and lets you add DNS alt-names or certificate extensions to your existing primary server.
Regenerate the CA and all certificates
Step 1: Clear and regenerate certs on your primary Puppet server
On the primary server hosting the CA:
You have a new CA certificate and key.
Your primary server has a certificate from the new CA, and it can field new certificate requests.
The primary server rejects any requests for configuration catalogs from nodes that haven’t replaced their certificates. At this point, it is all of them except itself.
When using any extensions that rely on Puppet certificates, like PuppetDB, the primary server won’t be able to communicate with them. Consequently, it might not be able to serve catalogs, even to agents that do have new certificates.
Step 2: Clear and regenerate certs for any extension
You might be using an extension, like PuppetDB or MCollective, to enhance Puppet. These extensions probably use certificates from Puppet’s CA in order to communicate securely with the primary Puppet server. For each extension like this, you’ll need to regenerate the certificates it uses.
Many tools have scripts or documentation to help you set up SSL, and you can often just re-run the setup instructions.
PuppetDB
We recommend PuppetDB users first follow the instructions in Step 3: Clear and regenerate certs for agents, below, because PuppetDB re-uses Puppet agents’ certificates. After that, restart the PuppetDB service. See Redo SSL setup after changing certificates for more information.
Step 3: Clear and regenerate certs for Puppet agents
To replace the certs on agents, you’ll need to log into each agent node and do the following steps.
After you have regenerated all agents’ certificates, everything will be fully functional under the new CA.