Generate Comply certificates in PE

You need to generate certificates for Comply in Puppet Enterprise (PE) to enable automatic upgrades of the CIS-CAT assessor and for tasks to upload reports.

Before you begin
Make sure you have configured Comply in Puppet Application Manager (PAM).
This process involves generating certificates in Puppet Enterprise (PE) and setting up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply.
  1. SSH into your PE primary server and generate the certificates:
    puppetserver ca generate --certname <COMPLY-HOSTNAME>
    This command does the following:
    • Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem
    • Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem
  2. Log in to Puppet Application Manager, click on the Version history tab, and click Check for update.
  3. Click on the Config tab, and scroll down to Transport layer security (TLS) certificates to interact with PE.
  4. Upload the signed certificate public key, the private key files, and the CA certificate, with the following locations:
    • Paste the contents of /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem to the TLS certificate field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem to the TLS private key field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem to the CA certificate field.
      Note: To host the assessor on your own supported cluster via NGINX ingress, click the Bring your own NGINX ingress check box and enter the FQDN in the PE TLS FQDN field — using the same FQDN that you used to generate the TLS certificates.
  5. Click Save Config.
What to do next
Install the comply module.