Managing certificate signing requests
When you install a Puppet agent on a node, the agent must submit a certificate signing request (CSR) to the primary server, and you must accept the CSR to add the node to your Puppet Enterprise (PE) inventory. Accepting the CSR allows Puppet to run on the node and enforce your configuration, which in turn adds node information to PuppetDB and makes the node available throughout the PE console.
If you Install agents from the console, the agent automatically submits a
certificate signing request (CSR) to the primary server. If you use another method, such
as Install agents with the install script, you
might need to run puppet
to generate the CSR after
installing the agent.
If necessary after installing the agent, you can edit the node's certname
or other CSR attribute settings in the node's puppet.conf
and csr_attributes.yaml
files. You can edit the puppet.conf
file directly (at
/etc/puppetlabs/puppet/puppet.conf
) or use the puppet
config set
sub-command. For example, to set the certname
for the agent, run /opt/puppetlabs/bin/puppet config set
certname agent.example.com
. For more information about puppet.conf
and csr_attributes.yaml
, go to Customize the install script
(This page is about setting these properties with the agent install script, but you can
edit these properties after installing the agent).
For information about configuring the certificate authority to automatically sign certain CSRs, refer to Autosigning certificate requests in the Puppet documentation.
Managing CSRs in the console
In the Puppet Enterprise (PE) console, you can accept or reject CSRs individually or in batches.
- In the console, go to .
- To manage an individual CSR, click Accept or Reject.
- To manage all unsigned CSRs at once, click Accept All or
Reject All. Important: Stay on this page while the CSRs are processed. Nodes are processed in batches, and closing your browser or navigating to another page stops the process after the current batch.
- To make the node available in the console, manually start a Puppet run or wait for the next scheduled Puppet run.
Managing CSRs on the command line
You can use the command line to view and sign individual CSRs.
These instructions use *nix commands. For Windows, run the commands in an administrator command
prompt without sudo
.
- To view pending CSRs, run:
sudo puppetserver ca list
-
To sign a CSR, run:
sudo puppetserver ca sign --certname <NAME>
You can use the Puppet Server CA CLI to sign certificates with altnames or auth extensions by default.
- To make the node available in the console, run
puppet agent -t
or wait for the next scheduled Puppet run.