Regenerate the SAML certificate

By default, the SAML certificate expires every 824 days. Regenerate the certificate when it is nearing or past expiration.

To check the expiry date of your current certificate, run this command on your primary server:

/opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/saml-cert.pem -noout -startdate -enddate

To generate a new SAML certificate, remove the existing certificate. After you remove the existing certificate, a new one is generated automatically on the next Puppet run.

Remove the existing SAML certificate.
On the primary server, run both these commands:
```
puppet ssl clean --certname saml-cert
puppetserver ca clean --certname saml-cert
```
Run Puppet to generate a new certificate.
On the primary server, run:
```
puppet agent -t
```
Alternatively, you can wait for the next Puppet run.

Was this page helpful?

We’re sorry to hear that!
Please tell us why so we can help. Enter your feedback and email. This form is sent to the Puppet docs team. We ask for your email as we might contact you regarding your feedback. If you need help with the product itself, visit Puppet Support or ask in Puppet Community on Slack. Feedback:

Email Address:

To learn about how Puppet uses your personal information, visit our privacy policy.

If you leave us your email, we may contact you regarding your feedback. For more information on how Puppet uses your personal information, see our privacy policy.

See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project.