Managing certificate signing requests

When you install a Puppet agent on a node, the agent must submit a certificate signing request (CSR) to the primary server, and you must accept the CSR to add the node to your Puppet Enterprise (PE) inventory. Accepting the CSR allows Puppet to run on the node and enforce your configuration, which in turn adds node information to PuppetDB and makes the node available throughout the PE console.

If you install agents from the console, the agent automatically submits a CSR to the primary server. If you use another method, such as installing agents with the install script, you might need to run Puppet to generate the CSR after installing the agent.

You can accept CSRs from the PE console or the command line.

For agent nodes that use DNS altnames, you must use the command line to accept the CSR.
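A signed certificate is valid for every DNS altname in the request, so it helps to read a CSR before accepting it. The following is an added example, not part of the Puppet documentation: it uses openssl to pull the CN and DNS altnames out of a CSR PEM file. The function names, the certnames and the locally generated sample CSRs are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a CSR before accepting it. All names are illustrative.

# Print the subject CN of a PEM-encoded CSR.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print each DNS altname requested in the CSR, one per line (empty if none).
csr_dns_altnames() {
  openssl req -in "$1" -noout -text |
    grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | sort -u
}

# review_csr <csr.pem> <expected-certname>
#   returns 0  CN matches and no extra DNS altnames are requested
#   returns 1  CN does not match the certname you expected; do not accept
#   returns 2  extra DNS altnames requested; vet each name, then accept
#              from the command line
review_csr() {
  cn=$(csr_cn "$1")
  if [ "$cn" != "$2" ]; then
    echo "REJECT: CN '$cn' is not the expected certname '$2'"
    return 1
  fi
  # The node's own certname among the altnames is not an extra name.
  extra=$(csr_dns_altnames "$1" | grep -Fvx -- "$2" || true)
  if [ -n "$extra" ]; then
    echo "REVIEW: $cn requests DNS altnames:" $extra
    return 2
  fi
  echo "OK: $cn requests no DNS altnames"
}

# make_csr <out.pem> <certname> [subjectAltName value]
# Builds a constructed sample CSR with a throwaway key (needs OpenSSL 1.1.1+).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" \
    ${3:+-addext} ${3:+"subjectAltName=$3"} -out "$1" 2>/dev/null
}

# Demo on constructed CSRs; a real CSR file would be passed the same way.
demo_dir=$(mktemp -d)
make_csr "$demo_dir/plain.pem" agent.example.com
make_csr "$demo_dir/alt.pem" agent.example.com "DNS:agent.example.com,DNS:puppet"
review_csr "$demo_dir/plain.pem" agent.example.com || echo "rc=$?"
review_csr "$demo_dir/alt.pem" agent.example.com || echo "rc=$?"
rm -rf "$demo_dir"
```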

If necessary, after installing the agent you can edit the node's certname or other CSR attribute settings in the node's puppet.conf and csr_attributes.yaml files. You can edit the puppet.conf file directly (at /etc/puppetlabs/puppet/puppet.conf) or use the puppet config set sub-command. For example, to set the certname for the agent, run /opt/puppetlabs/bin/puppet config set certname agent.example.com. For more information about puppet.conf and csr_attributes.yaml, go to Customize the install script. That page is about setting these properties with the agent install script, but you can also edit these properties after installing the agent.

For information about configuring the certificate authority to automatically sign certain CSRs, refer to Autosigning certificate requests in the Puppet documentation.