Skip to main content

Renewing Puppet CA and puppet master certificates

My two Puppet deployments are just about to turn 5 years old, and as such, the CA and puppet master certificates are just about to expire.

The documentation online seem to suggest the only way to renew these certs is by deleting the /var/lib/puppet/ssl directory and getting Puppet to renew them. This would mean renewing all the certificates of all the nodes at the same time. Even the official Puppet docs suggest this is the way too.(

The way I will describe renews the CA certificate and puppetmaster certificate in a way which is still trusted by every existing host.

  1. First, copy the important files to a new directory
  2. # mkdir /root/puppet_renewal
    # cd /root/puppet_renewal
    # mkdir /root/puppet_renewal/ca
    # mkdir /root/puppet_renewal/puppetmaster
    # mkdir /root/puppet_renewal/puppetmaster/private_keys
    # mkdir /root/puppet_renewal/puppetmaster/certs
    # cp /var/lib/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca
    # cp /var/lib/puppet/ssl/private_keys/mypuppetmaster.mydomain.pem /root/puppet_renewal/puppetmaster/private_keys
  3. Get the important information from the existing CA and puppet master certificate
  4. # openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -subject
    subject= /CN=Puppet CA: mypuppetmaster.mydomain
    # openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -serial
    # openssl x509 -in /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem -noout -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
            X509v3 extensions:
                X509v3 Basic Constraints:
                X509v3 Subject Key Identifier:
                Netscape Comment:
                    Puppet Ruby/OpenSSL Internal Certificate
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:mypuppetmaster.mydomain, DNS:puppet, DNS:puppet.mydomain
  5. Make the openssl config file
  6. # cat << EOF > /root/puppet_renewal/renewpuppet.cnf
    [ v3_ca ]
    basicConstraints= CA:TRUE
    subjectKeyIdentifier= hash
    #authorityKeyIdentifier= keyid:always,issuer:always
    keyUsage = critical, cRLSign, keyCertSign
    nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
    [ v3 ]
    basicConstraints= CA:FALSE
    subjectKeyIdentifier= hash
    nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = critical, serverAuth, clientAuth
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = mypuppetmaster.mydomain
    DNS.2 = puppet
    DNS.3 = puppet.mydomain
  7. Make a CSR using your existing CA key, and make the new CA cert
  8. # openssl req -out /root/puppet_renewal/ca/ca_new.csr -key /root/puppet_renewal/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: mypuppetmaster.mydomain"
    # openssl x509 -req -days 3650 -in /root/puppet_renewal/ca/ca_new.csr -signkey /root/puppet_renewal/ca/ca_key.pem -out /root/puppet_renewal/ca/ca_crt.pem -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3_ca -set_serial 1
  9. Find the next serial number for the existing CA
  10. # echo $((0x`cat /var/lib/puppet/ssl/ca/serial`))
  11. Make a CSR using your existing puppet server key, and make the new puppet server certificate
  12. # openssl req -out /root/puppet_renewal/mypuppetmaster.csr -key /root/puppet_renewal/puppetmaster/private_keys/mypuppetmaster.mydomain.pem -new -batch -subj "/CN=mypuppetmaster.mydomain"
    # openssl x509 -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal/mypuppetmaster.csr -CA /root/puppet_renewal/ca/ca_crt.pem -CAkey /root/puppet_renewal/ca/ca_key.pem -CAcreateserial -out /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem -sha256 -set_serial 603
So, now you have an updated CA certificate, and the new puppetmaster cert. Copy them into place, and restart the service
# /etc/init.d/httpd stop
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/ca/ca_crt.pem
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
# cp /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem
# /etc/init.d/httpd start


Popular posts from this blog

Compiling tun.ko for Android - OpenVPN

I have a Xoom, and a Galaxy S, and need to be able to compile my own tun.ko for the kernel version I have. As you all know, if the kernel version of the module you are trying to insert isn't the same, it won't insert, and will give you errors like:

<3>[95175.874872] tun: version magic ' SMP preempt mod_unload ARMv7 ' should be ' SMP preempt mod_unload ARMv7 '

in dmesg. We need to compile the module for the right version of the kernel

Download the Kernel source - normally from The Xoom can be found at, and the Galaxy S can be found at Use

$ pwd
$ git clone to clone the Xoom kernel sourceCopy your old kernel config from your device

$ pwd
$ adb pull /proc/config.gz
$ gunzip config.gz
$ mv config.gz tegr…

Preseeding Ubuntu Natty 11.04

I decided to start this blog because of the never ending battles I have with remembering what I have conquered before, and thinking that other people have the same problems.

The specific problem I was working on when I came to this conclusion was preseeding a Natty netboot install. EVERY version of Ubuntu brings more preseeding problems - something always changes, causing you to get prompted for something new, when the previous release worked without a hitch.
This time (going from Lucid to Natty) was the keyboard layout preseed. I got the dreaded keyboard layout screen.
Turns out the preseed file is only looked at once the locale is set (makes sense), so you have to pass the keyboard config in the kernel line of your PXE boot:
LABEL stuff_natty64kernel linux.natty64append vga=normal initrd=initrd.gz.natty64 locale=en_AU preseed/locale=en_AU keyboard-configuration/layoutcode=us console-setup/ask_detect=false netcfg/wireless_wep= netcfg/choose_interface=auto netcfg/get_hostname= netcfg/ge…

2gb deb package limit

I have been creating Matlab 2011b deb packages for my Ubuntu fleet, and have encountered problems as apt currently doesn't like packages > 2gb. You get errors like:

size mismatch


something went wrong

and negative sizes during the download and install of the deb package. There is currently open bugs dealing with fixing it, but in the mean time, I have figured out a nice way to get around it. Change the default compression!

Instead of:

dpkg-deb -b <folder> <deb package name>


dpkg-deb -Zlzma -b <folder> <deb package name>

It shrunk my 2.4gb deb package to 1.95gb, and hence doesn't fall foul of the 2gb size limit!