Install Windows agents using a manually-transferred certificate

If you need to perform a secure installation on Windows nodes, you can manually transfer the primary server CA certificate to any Windows machines you want to install agents on, and then run a variation of the agent install script against that cert.

1. Transfer the CA certificate:
   1. On the machine where you want to install the agent, create this directory: C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\
   2. On the primary server, navigate to: /etc/puppetlabs/puppet/ssl/certs/
   3. Copy ca.pem to the certs directory you created on the agent node.
2. Transfer the agent install script:
   1. On the primary server, navigate to: /opt/puppetlabs/server/data/packages/public/
   2. Copy install.ps1 to any accessible local directory on the agent node.
3. In an administrative PowerShell window, run the install script with the -UsePuppetCA flag: .\install.ps1 -UsePuppetCA
4. Run puppet agent -t to add the node to the node inventory and generate the CSR.
5. Accept the CSR as explained in Managing certificate signing requests.