Regenerating certificates in a Puppet deployment
In some cases, you might need to regenerate the certificates and security credentials (private and public keys) that are generated by Puppet’s built-in PKI systems.
For example, you might have a Puppet primary server you need to move to a different network in your infrastructure, or you might have experienced a security vulnerability that makes existing credentials untrustworthy.
There are other, more automated ways of doing this. We recommend using Bolt to regenerate certs when needed. See the Bolt documentation for more information. There is also a supported ca_extend module, which you can use to extend the expiry date of a certificate authority (CA).

The information on this page describes the steps for regenerating certs in an open source Puppet deployment. If you use Puppet Enterprise, do not use the information on this page, as it leaves you with an incomplete replacement and a non-functional deployment. Instead, PE customers must refer to one of the following pages:
| If your goal is to... | Do this... |
|---|---|
| Regenerate an agent's certificate | |
| Fix a compromised or damaged certificate authority | |
| Completely regenerate all Puppet deployment certificates | |
| Add DNS alt-names or other certificate extensions to your existing Puppet primary server | Regenerate the agent certificate of your Puppet primary server and add DNS alt-names or other certificates |