Use a custom SSL certificate for the console

The console uses a certificate signed by PE's built-in certificate authority (CA). Because this CA is specific to PE, web browsers don't know it or trust it, and you have to add a security exception in order to access the console. You might find that this is not an acceptable scenario and want to use a custom CA to create the console's certificate.

Before you begin
  • You should have an X.509 cert, signed by the custom CA, in PEM format, with matching private and public keys.
  • If your custom cert is issued by an intermediate CA, the CA bundle needs to contain a complete chain, including the applicable root CA.
  • The keys and certs used in this procedure must be in PEM format.


  1. Retrieve the custom certificate and private key.
  2. Move the certificate to /etc/puppetlabs/puppet/ssl/certs/console-cert.pem, replacing any existing file named console-cert.pem.
  3. Move the private key to /etc/puppetlabs/puppet/ssl/private_keys/console-cert.pem, replacing any existing file named console-cert.pem.
  4. If you previously specified a custom SSL certificate, remove any browser_ssl_cert and browser_ssl_private_key parameters.
    1. In the console, click Node groups, and in the PE Infrastructure group, select the PE Console group.
    2. On the Configuration data tab, in the puppet_enterprise::profile::console class, remove any values for browser_ssl_cert and browser_ssl_private_key and commit changes.
  5. Run Puppet: puppet agent -t
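
A pre-flight check for steps 1 to 3, added here as an example and not part of Puppet's own documentation: it confirms the certificate is PEM, that the private key matches it, and that the CA bundle reaches a root, and only then copies the files into place. The function names, the SSL_DIR override and the separate bundle argument are assumptions for illustration; the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: validate a custom console cert before replacing console-cert.pem.
# Function names and the SSL_DIR override are assumptions, not PE tooling.
SSL_DIR="${SSL_DIR:-/etc/puppetlabs/puppet/ssl}"

# Succeeds only if the file parses as a PEM-encoded X.509 certificate.
is_pem_cert() {
  openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Succeeds only if the private key's public half equals the cert's public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the cert chains to a self-signed root inside the bundle.
# Without -partial_chain, openssl rejects a bundle that stops at an intermediate.
chain_is_complete() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, then copy both files to the console-cert.pem paths.
# cp into an existing file keeps that file's current owner and mode.
install_console_cert() {
  cert=$1 key=$2 bundle=$3
  is_pem_cert "$cert" || { echo "not a PEM X.509 cert: $cert" >&2; return 1; }
  key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  chain_is_complete "$cert" "$bundle" || { echo "incomplete CA chain" >&2; return 1; }
  cp "$cert" "$SSL_DIR/certs/console-cert.pem" &&
  cp "$key" "$SSL_DIR/private_keys/console-cert.pem"
}
```

Call install_console_cert with the certificate, private key and CA bundle paths, then continue with step 4.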
Results

You can navigate to your console and see the custom certificate in your browser.
