Use a custom SSL certificate for the console
The console uses a certificate signed by PE's built-in certificate authority (CA). Because this CA is specific to PE, web browsers don't know it or trust it, and you have to add a security exception in order to access the console. You might find that this is not an acceptable scenario and want to use a custom CA to create the console's certificate.
Before you begin
- You should have an X.509 cert, signed by the custom CA, in PEM format, with matching private and public keys.
- If your custom cert is issued by an intermediate CA, the CA bundle needs to contain a complete chain, including the applicable root CA.
- The keys and certs used in this procedure must be in PEM format.

- Retrieve the custom certificate and private key.
- Move the certificate to `/etc/puppetlabs/puppet/ssl/certs/console-cert.pem`, replacing any existing file named `console-cert.pem`.
- Move the private key to `/etc/puppetlabs/puppet/ssl/private_keys/console-cert.pem`, replacing any existing file named `console-cert.pem`.
- If you previously specified a custom SSL certificate, remove any `browser_ssl_cert` and `browser_ssl_private_key` parameters.
  - In the console, click Node groups, and in the PE Infrastructure group, select the PE Console group.
  - On the Configuration data tab, in the `puppet_enterprise::profile::console` class, remove any values for `browser_ssl_cert` and `browser_ssl_private_key` and commit changes.
- Run Puppet: `puppet agent -t`
Results
You can navigate to your console and see the custom certificate in your browser.
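A pre-flight check for the prerequisites listed under "Before you begin", as an added example that is not part of the original documentation: it confirms that the certificate and key are PEM, that the private key matches the certificate, and that the CA bundle holds a complete chain. The function name `check_console_cert`, its arguments and its exit codes are assumptions made for this example; it relies only on the `openssl` command line tool.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a custom console certificate.
# check_console_cert, its arguments and exit codes are hypothetical names.
# Usage: check_console_cert CERT KEY [CA_BUNDLE]
check_console_cert() {
  cert=$1; key=$2; bundle=${3:-}

  # 1. Both files must be PEM. Look for the armor line, because
  #    OpenSSL 3.x auto-detects the input format and would accept DER.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
    { echo "FAIL: $cert is not a PEM certificate" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "FAIL: $key is not a PEM private key" >&2; return 2; }

  # 2. The private key must match the certificate: derive the public key
  #    from each and compare. "-passin pass:" makes an encrypted key fail
  #    instead of prompting.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot parse $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
    { echo "FAIL: cannot read $key" >&2; return 2; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match certificate" >&2; return 3; }

  # 3. The bundle must hold the complete chain up to the root CA. Without
  #    -partial_chain, verification fails if the root is missing.
  if [ -n "$bundle" ]; then
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 ||
      { echo "FAIL: $cert does not chain to a root in $bundle" >&2; return 4; }
  fi
  echo "OK: $cert"
}

# Run the checks when the script is called with arguments.
if [ "$#" -ge 2 ]; then check_console_cert "$@"; fi
```

Run it against the certificate and key before moving them into place, passing the CA bundle as the third argument when the certificate was issued by an intermediate CA.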