Managing agent certificates

Starting in 2023.4, PE is preconfigured to allow the certificate authority service to generate new agent certificates ahead of certificate expiration dates. This default functionality helps prevent disruption associated with certificate expirations. Optionally, you can customize the behavior of the certificate authority service.

certificate_authority service parameters

These parameters customize the behavior of the PE certificate authority service in relation to agent certificates.

You can modify the following profile class parameters either in Hiera or in the Configuration data tab for the PE Certificate Authority infrastructure node group in the PE console.

puppet_enterprise::profile::certificate_authority::allow_auto_renewal
A Boolean specifying whether to allow automatic renewal of agent certificates.
Default: true
CAUTION: Certificate auto-renewal prevents disruption associated with agent certificate expirations. If you disable the certificate auto-renewal feature, you must manually regenerate agent certificates to avoid system failures when certificates expire.
puppet_enterprise::profile::certificate_authority::allow_puppetlabs_certificate_authentication
A Boolean specifying whether to allow authorization of agent certificate requests using the "pp_cli_auth": "true" certificate extension when RBAC tokens are not available. Token-based authentication is always used where RBAC tokens are available.
When the value is set to false, authorization of agent certificate requests is only permitted with RBAC token-based authentication.
Default: true
puppet_enterprise::profile::certificate_authority::auto_renewal_cert_ttl
A string representing the validity period of automatically generated agent certificates, when an agent is capable of renewing certificates and the auto-renewal feature is turned on.
The value is a duration formatted as a string consisting of a number and a suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Default: 90d
puppet_enterprise::profile::certificate_authority::ca_ttl
A string representing the default validity period of agent certificates when the auto-renewal feature is turned off.
The value is formatted as a string consisting of a number and a suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Default: 5y
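The following Python helper is an added example, not code from the Puppet Enterprise documentation or product. It parses the TTL string format described above and reports which of the two TTL parameters governs new agent certificates for a given set of Hiera values, falling back to the page's defaults. It assumes a year is counted as 365 days, which the page does not state.

```python
import re

# Hiera key prefix shared by the parameters on this page.
PREFIX = "puppet_enterprise::profile::certificate_authority::"

# Seconds per unit suffix accepted by the TTL parameters (s, m, h, d, y).
# Assumption (not stated on the page): a year is treated as 365 days.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
TTL_RE = re.compile(r"^(\d+)([smhdy])$")

# Defaults from the page, used when a key is absent from the Hiera data.
DEFAULTS = {
    PREFIX + "allow_auto_renewal": True,
    PREFIX + "auto_renewal_cert_ttl": "90d",
    PREFIX + "ca_ttl": "5y",
}


def parse_ttl(value: str) -> int:
    """Convert a TTL string such as '90d' or '5y' into seconds."""
    m = TTL_RE.match(value.strip())
    if not m:
        raise ValueError(f"invalid TTL {value!r}: expected <number><s|m|h|d|y>")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def effective_agent_ttl(hiera: dict) -> tuple:
    """Return (governing key, lifetime in seconds) for new agent certificates.

    With auto-renewal on, auto_renewal_cert_ttl applies; with it off, ca_ttl does.
    """
    cfg = {**DEFAULTS, **hiera}
    name = "auto_renewal_cert_ttl" if cfg[PREFIX + "allow_auto_renewal"] else "ca_ttl"
    return PREFIX + name, parse_ttl(cfg[PREFIX + name])


def review(hiera: dict) -> list:
    """Lint a CA parameter set and return human-readable findings."""
    cfg = {**DEFAULTS, **hiera}
    findings = []
    for key in (PREFIX + "auto_renewal_cert_ttl", PREFIX + "ca_ttl"):
        try:
            parse_ttl(cfg[key])
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    if not cfg[PREFIX + "allow_auto_renewal"]:
        findings.append(PREFIX + "allow_auto_renewal is false: agent certificates "
                        "are not renewed automatically and must be regenerated "
                        "manually before they expire")
    return findings
```

Calling `review({PREFIX + "allow_auto_renewal": False, PREFIX + "ca_ttl": "1y"})` on constructed Hiera data returns one finding about manual regeneration, and `effective_agent_ttl` on the same data reports ca_ttl as the governing parameter.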
puppet_enterprise::profile::certificate_authority::client_allowlist
An array of additional agent cert names that can access the certificate_status API endpoint. These names are in addition to the base PE certificate list.