Regenerate agent certificates

Regenerate *nix or Windows agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.

On your primary server, log in as root (or the administrator), and run the following command. Specify any additional parameters required for your environment and use case.

puppet infrastructure run regenerate_agent_certificate agent=<AGENT_HOSTNAME_1>,<AGENT_HOSTNAME_2>
  • If you use DNS alternative names: Specify dns_alt_names as a comma-separated list of names to add to agent certificates.
    To keep names consistent, if your puppet.conf file includes a dns_alt_names entry, you must pass the dns_alt_names parameter with every alternative name listed in that entry when you regenerate your agent certificates.
  • If you recreated your certificate authority or can't connect to nodes with the orchestrator: Specify clean_crl=true and --use-ssh, as well as any additional parameters needed to connect over SSH.
  • If you want to use a PuppetDB query to generate certificates for multiple agents: Specify the agent_pdb_query parameter with a query that returns the agents whose certificates you want to regenerate. Make sure the query returns only certnames, such as:
    facts[certname] { name='domain' and value ~ 'agent.node.com' }

    If you specify both agent and agent_pdb_query, the query results are combined with the specified agents.

  • If you want to include custom attributes or extension requests in regenerated certificates: Ensure that agents have the csr_attributes.yaml file containing the necessary custom attributes and extension requests, or specify the optional custom_attributes and extension_requests parameters in the plan. For example:
    puppet infrastructure run regenerate_agent_certificate agent=<agent_certname> extension_requests='{"pp_environment": "development"}'

    For more information, see CSR attributes and certificate extensions.
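The following POSIX shell script is an added example; it is not part of this documentation and not Puppet's own tooling. It wraps the plan invocation above so that the dns_alt_names consistency rule is honoured automatically (the value is read from puppet.conf and passed through), prints the resulting command for review unless DRY_RUN=0, and provides a post-regeneration check that every expected alternative name is present in the new certificate. The puppet.conf path, the DRY_RUN variable, the function names, the certificate location under /etc/puppetlabs/puppet/ssl/certs and the sample puppet.conf are assumptions; the SAN parser works on the text that `openssl x509 -noout -text` prints.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling. Wraps the regenerate_agent_certificate
# plan so that dns_alt_names from puppet.conf is always passed through, and checks
# the regenerated certificate afterwards. Paths and function names are assumptions.

PUPPET_CONF="${PUPPET_CONF:-/etc/puppetlabs/puppet/puppet.conf}"  # default Puppet config path
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the plan invocation for review instead of running it

# Print the first dns_alt_names value found in a puppet.conf, whitespace stripped,
# or nothing when the file has no such entry (commented-out lines are ignored).
puppetconf_dns_alt_names() {
    conf="$1"
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*dns_alt_names[[:space:]]*=[[:space:]]*//p' "$conf" \
        | head -n 1 | tr -d '[:space:]'
}

# Build the plan invocation for a comma-separated agent list. dns_alt_names is added
# automatically when the given puppet.conf defines it; any further arguments
# (clean_crl=true, --use-ssh, extension_requests=...) are appended as given.
regenerate_agent_certs() {
    agents="$1"; conf="$2"; shift 2
    alts=$(puppetconf_dns_alt_names "$conf")
    set -- "agent=$agents" ${alts:+"dns_alt_names=$alts"} "$@"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "puppet infrastructure run regenerate_agent_certificate"
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        puppet infrastructure run regenerate_agent_certificate "$@"
    fi
}

# Extract the DNS entries of the Subject Alternative Name extension from
# `openssl x509 -noout -text` output read on stdin, one name per line.
sans_from_x509_text() {
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if every name in the comma-separated list is present as a DNS SAN in
# the x509 text read on stdin. The certname itself may also appear in the SAN list,
# so this is a subset check rather than an exact comparison.
sans_include_expected() {
    expected_csv="$1"
    actual=$(sans_from_x509_text)
    for name in $(printf '%s\n' "$expected_csv" | tr ',' ' '); do
        printf '%s\n' "$actual" | grep -qxF -- "$name" || return 1
    done
    return 0
}

# Check a regenerated certificate on disk, e.g. on a *nix agent
# /etc/puppetlabs/puppet/ssl/certs/<certname>.pem (assumed default layout).
check_agent_cert() {
    cert="$1"; expected_csv="$2"
    openssl x509 -in "$cert" -noout -text | sans_include_expected "$expected_csv"
}

# Demo on constructed input: a throwaway puppet.conf with a dns_alt_names entry,
# and a dry run that prints the command an operator would review and then execute.
tmp=$(mktemp -d)
printf '[main]\nserver = puppet.example.com\ndns_alt_names = puppet, puppet.example.com\n' \
    > "$tmp/puppet.conf"
regenerate_agent_certs "agent1.example.com,agent2.example.com" "$tmp/puppet.conf" \
    clean_crl=true --use-ssh
rm -rf "$tmp"
```

Run it as-is to see the command it would issue; set DRY_RUN=0 on the primary server to execute the plan. After the Puppet run completes, `check_agent_cert /etc/puppetlabs/puppet/ssl/certs/<certname>.pem puppet,puppet.example.com` on the agent confirms the alternative names made it into the signed certificate. The ssl_bak directory named under Results still holds the previous key material, so on an agent whose certificate was regenerated because of a compromise, remove that backup once the new certificate verifies.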

Results
Agent SSL directories are backed up to /etc/puppetlabs/puppet/ssl_bak (*nix) or C:/ProgramData/PuppetLabs/puppet/etc/ssl_bak (Windows), their certificates are regenerated and signed, a Puppet run completes, and the agents resume their role in your deployment.