homeblogextend expiration date puppets certificate authority using bolt

Extend the expiration date of Puppet’s Certificate Authority using Bolt

Working as a support engineer at Puppet can present a unique perspective on the issues encountered by users and an opportunity to solve or prevent them from occurring. In this instance, I noticed that there were a number of Puppet Enterprise customers who were surprised to find themselves with an expired Certificate Authority and a nonfunctional Puppet infrastructure, as well as a less than stellar experience in resolving the issue. This led me to develop a module for use with Bolt to detect and more easily solve this.

If you have been operating a Puppet Enterprise installation for several years, install and use the check_ca_expiry task today!


The Certificate Authority (CA) is the part of Puppet Server that handles signing and revoking agent certificates. It includes a signed certificate that is issued to every node to prove that it has been authenticated by the CA. When this certificate expires, the CA will no longer trust agents, which effectively renders Puppet inoperable. Fortunately, there is a way to generate a new certificate using the existing private key, which essentially renews the existing certificate.

The old way

Our previous recommendation was to use the certregen module, but this is now deprecated with the introduction of the puppetserver ca command in Puppet 6. Because this heavily relied on an SSH wrapper, it wasn't ideal for Windows nodes and could only be run on the master, meaning you needed ssh access from your master to all agents.

Enter Bolt

The use case for Bolt in this situation was a no-brainer. Extending the CA is a one-time action that needs to be agentless, as the services required to communicate with agents will be nonfunctional if the CA has expired. It also supports both ssh and WinRM transport protocols and can be performed from any workstation with the appropriate level of access. Thus was born the ca_extend module.


First, let’s check the expiration date of our CA cert.

Let’s pretend that date has already passed or is right around the corner. We can use the Plan to extend the CA cert and configure the master, compilers, and infrastructure nodes such as separate PuppetDB nodes to use it. Include any separate infrastructure nodes in the compile_masters parameter.

The new cert is dumped to /tmp/ on our machine, which we can ship off to agents with another plan. This plan will detect whether the agent is *nix or Windows and upload the cert to the appropriate directory.

It’s that simple. Try it yourself! Go check the expiration date of your CA cert today.

Adrian Parreiras Horta is a support engineer at Puppet.

Learn more