Renewing Puppet CA and puppet master certificates

My two Puppet deployments are just about to turn 5 years old, and as such, the CA and puppet master certificates are just about to expire.

The documentation online seem to suggest the only way to renew these certs is by deleting the /var/lib/puppet/ssl directory and getting Puppet to renew them. This would mean renewing all the certificates of all the nodes at the same time. Even the official Puppet docs suggest this is the way too.(https://docs.puppet.com/puppet/3.7/ssl_regenerate_certificates.html)

The way I will describe renews the CA certificate and puppetmaster certificate in a way which is still trusted by every existing host.


  1. First, copy the important files to a new directory
  2. # mkdir /root/puppet_renewal
    # cd /root/puppet_renewal
    # mkdir /root/puppet_renewal/ca
    # mkdir /root/puppet_renewal/puppetmaster
    # mkdir /root/puppet_renewal/puppetmaster/private_keys
    # mkdir /root/puppet_renewal/puppetmaster/certs
    # cp /var/lib/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca
    # cp /var/lib/puppet/ssl/private_keys/mypuppetmaster.mydomain.pem /root/puppet_renewal/puppetmaster/private_keys
    
  3. Get the important information from the existing CA and puppet master certificate
  4. # openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -subject
    subject= /CN=Puppet CA: mypuppetmaster.mydomain
    # openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -serial
    serial=01
    # openssl x509 -in /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem -noout -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    9B:17:02:F9:36:44:C7:42:F9:67:45:70:55:C2:AD:FB:6F:83:2B:0A
                Netscape Comment:
                    Puppet Ruby/OpenSSL Internal Certificate
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:mypuppetmaster.mydomain, DNS:puppet, DNS:puppet.mydomain
    
  5. Make the openssl config file
  6. # cat << EOF > /root/puppet_renewal/renewpuppet.cnf
    [ v3_ca ]
    basicConstraints= CA:TRUE
    subjectKeyIdentifier= hash
    #authorityKeyIdentifier= keyid:always,issuer:always
    keyUsage = critical, cRLSign, keyCertSign
    nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
    
    [ v3 ]
    basicConstraints= CA:FALSE
    subjectKeyIdentifier= hash
    nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = critical, serverAuth, clientAuth
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = mypuppetmaster.mydomain
    DNS.2 = puppet
    DNS.3 = puppet.mydomain
    EOF
    
  7. Make a CSR using your existing CA key, and make the new CA cert
  8. # openssl req -out /root/puppet_renewal/ca/ca_new.csr -key /root/puppet_renewal/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: mypuppetmaster.mydomain"
    # openssl x509 -req -days 3650 -in /root/puppet_renewal/ca/ca_new.csr -signkey /root/puppet_renewal/ca/ca_key.pem -out /root/puppet_renewal/ca/ca_crt.pem -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3_ca -set_serial 1
    
  9. Find the next serial number for the existing CA
  10. # echo $((0x`cat /var/lib/puppet/ssl/ca/serial`))
    603
    
  11. Make a CSR using your existing puppet server key, and make the new puppet server certificate
  12. # openssl req -out /root/puppet_renewal/mypuppetmaster.csr -key /root/puppet_renewal/puppetmaster/private_keys/mypuppetmaster.mydomain.pem -new -batch -subj "/CN=mypuppetmaster.mydomain"
    # openssl x509 -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal/mypuppetmaster.csr -CA /root/puppet_renewal/ca/ca_crt.pem -CAkey /root/puppet_renewal/ca/ca_key.pem -CAcreateserial -out /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem -sha256 -set_serial 603
    
So, now you have an updated CA certificate, and the new puppetmaster cert. Copy them into place, and restart the service
# /etc/init.d/httpd stop
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/ca/ca_crt.pem
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
# cp /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem
# /etc/init.d/httpd start

Comments

Popular posts from this blog

Compiling tun.ko for Android - OpenVPN

Preseeding Ubuntu Natty 11.04