Regenerate the agent certificate of your Puppet primary server and add DNS alt-names or other certificate extensions
This option preserves the primary server/agent relationship and lets you add DNS alt-names or certificate extensions to your existing primary server.
- Revoke the Puppet primary server's certificate and clean the CA files pertaining to it. Note that the agents won't be able to connect to the primary server until all of the following steps are finished.
puppetserver ca clean --certname <CERTNAME_OF_YOUR_SERVER>
- Remove the agent-specific copy of the public key, private key, and certificate-signing request pertaining to the certificate:
puppet ssl clean
- Stop the Puppet primary server service:
puppet resource service puppetserver ensure=stopped
The CA and server run in the same primary server, so this also stops the CA.
- After you've stopped the primary server and CA service, create a certificate signed by the CA and add DNS alt names (comma separated):
puppetserver ca generate --certname <CERTNAME> --subject-alt-names <DNS ALT NAMES> --ca-client
  - If you don't want to add DNS alt names to your primary server, omit the --subject-alt-names <DNS ALT NAMES> option from the command above.
  - Although this particular use of the generate command requires you to stop the puppetserver service, all other uses of this command require the service to be running.
  - If the tool cannot determine the status of the server, but you know the server is offline, you can use the --force option to run the command without checking server status.
- Restart the Puppet
primary server service:
puppet resource service puppetserver ensure=running
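Before restarting puppetserver it is worth confirming that the regenerated certificate actually carries every DNS alt name you passed to --subject-alt-names; a name that is missing only shows up later as a TLS hostname mismatch on the agents. The script below is an added example, not part of the Puppet documentation or the puppetserver tooling. It assumes openssl is in PATH and that the certificate path you pass is your server's signed certificate (the sample certificate it builds itself is constructed, self-signed, and used only to exercise the check).

```shell
#!/bin/sh
# Added example (not from the Puppet docs): verify that a certificate lists
# each expected DNS alt name in its subjectAltName extension.
# Assumes: openssl (1.1.1 or newer, for -ext/-addext) is in PATH.

# Print the DNS entries of a certificate's subjectAltName, one per line.
san_dns_names() {
  cert="$1"
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every comma separated name in $2 appears as a DNS SAN of the
# certificate $1; otherwise report the missing names on stderr and return 1.
check_alt_names() {
  cert="$1"
  expected="$2"
  actual="$(san_dns_names "$cert")"
  missing=""
  for name in $(printf '%s' "$expected" | tr ',' ' '); do
    if ! printf '%s\n' "$actual" | grep -qx "$name"; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing DNS alt names:$missing" >&2
    return 1
  fi
  return 0
}

# Build a constructed self-signed certificate with two DNS alt names so the
# check can be tried without a Puppet CA. Prints the certificate path.
make_sample_cert() {
  dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=puppet.example.com" \
    -addext "subjectAltName=DNS:puppet.example.com,DNS:puppet" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage against a real server certificate (path and names are placeholders):
#   check_alt_names <PATH_TO_SERVER_CERT> "<DNS ALT NAMES>" && echo "alt names OK"
```

Run check_alt_names with the same comma separated list you gave to puppetserver ca generate; a zero exit status means every name is present, and any missing names are printed so you can repeat the generate step before bringing the service back up.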