Step 3: Clear and regenerate certs for Puppet agents

To replace the certs on agents, you’ll need to log into each agent node and do the following steps.

- Stop the agent service. On *nix:

    sudo puppet resource service puppet ensure=stopped

  On Windows, with Administrator privileges:

    puppet resource service puppet ensure=stopped

- Locate Puppet’s SSL directory and delete its contents. The SSL directory can be determined by running:

    puppet config print ssldir --section agent

- Restart the agent service. On *nix:

    sudo puppet resource service puppet ensure=running

  On Windows, with Administrator privileges:

    puppet resource service puppet ensure=running

  When the agent starts, it generates keys and requests a new certificate from the CA primary server.

- If you are not using autosigning, log in to the CA primary server and sign each agent node’s certificate request. To view pending requests, run:

    sudo puppetserver ca list

  To sign requests, run:

    sudo puppetserver ca sign --certname <NAME>

  After an agent node’s new certificate is signed, the agent retrieves it within a few minutes and a Puppet run starts.

After you have regenerated all agents’ certificates, everything will be fully functional under the new CA.
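The agent-side steps above (stop, clear the ssldir, restart) as a single *nix script, added here as an example and not part of the Puppet documentation. It assumes `puppet` is on PATH and that it runs as root; the sanity check on the ssldir path and the move-to-backup instead of a bare delete are this example's additions, there to stop an empty or wrong `ssldir` value from wiping an unintended tree.

```shell
#!/bin/sh
# Added example (not from the Puppet docs): the agent-side steps for a *nix node,
# with a guard so a wrong or empty ssldir value never leads to deleting the wrong tree.
# Assumes `puppet` is on PATH and the script runs as root (e.g. via sudo).
set -eu

# A real Puppet ssldir is an absolute path other than "/" and contains a
# private_keys subdirectory; refuse to act on anything that does not match.
ssldir_is_sane() {
    dir=$1
    case "$dir" in
        /) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    [ -d "$dir/private_keys" ] || return 1
    return 0
}

# Empty the ssldir by moving its contents into a timestamped sibling directory
# (so the old key and cert stay available for inspection), then print that path.
clear_ssldir() {
    dir=$1
    ssldir_is_sane "$dir" || { echo "refusing to clear '$dir'" >&2; return 1; }
    backup="${dir}.bak.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup"
    for entry in "$dir"/*; do
        if [ -e "$entry" ]; then
            mv "$entry" "$backup"/
        fi
    done
    echo "$backup"
}

# Stop the agent, clear the ssldir reported by Puppet itself, restart the agent.
# On restart the agent generates a new key and submits a CSR to the CA primary server.
regenerate_agent_cert() {
    puppet resource service puppet ensure=stopped
    ssldir=$(puppet config print ssldir --section agent)
    clear_ssldir "$ssldir"
    puppet resource service puppet ensure=running
}

# Run the procedure only when explicitly requested, so the file can be sourced for testing.
if [ "${REGEN_AGENT_CERT:-}" = "1" ]; then
    regenerate_agent_cert
fi
```

Run it on an agent with `REGEN_AGENT_CERT=1 sudo sh regen_agent_cert.sh`; the CSR still has to be signed on the CA primary server as described in the last step unless autosigning is enabled.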