upgrade puppet certificates


Ellison Marks

Dec 7, 2012, 8:28:27 PM12/7/12
to puppet...@googlegroups.com
I just recently spun up a new host using an old hostname, and when managing the certificates, I noticed that the newly generated cert was listed as sha256, while all of my earlier certs were listed as sha1. I guess this is a new default or something, and I like better security, so I'd like all of my hosts to use sha256. Is there any shortcut to regenerating all the certs, or do I have to clean them off of each host and the master, then regenerate them one by one?

jcbollinger

Dec 10, 2012, 9:29:24 AM12/10/12
to puppet...@googlegroups.com


On Friday, December 7, 2012 7:28:27 PM UTC-6, Ellison Marks wrote:
I just recently spun up a new host using an old hostname, and when managing the certificates, I noticed that the newly generated cert was listed as sha256, while all of my earlier certs were listed as sha1. I guess this is a new default or something, and I like better security, so I'd like all of my hosts to use sha256. Is there any shortcut to regenerating all the certs, or do I have to clean them off of each host and the master, then regenerate them one by one?

You would need to clean them all off and generate new ones.  Really, though, I think there is very little advantage to doing so.  It is true that SHA-256 is a stronger hash than SHA-1, but that doesn't mean cryptographic certificates using SHA-1 are unacceptably weak.

If that's an issue that you need to settle reliably, however, then you should consult a security professional who is familiar with your infrastructure and requirements.


John
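An added example, not from this thread or from Puppet itself, for the audit step that precedes the clean-and-regenerate John describes: it reports the outer signatureAlgorithm of each PEM in the CA's signed directory so only the SHA-1 certs need cleaning. It assumes the Puppet layout of one `<certname>.pem` per host under `$ssldir/ca/signed`, and the embedded sample PEM is a constructed fixture, not a real certificate.

```python
import base64
import os
import re

# PKCS #1 signature-algorithm OIDs a Puppet CA may have used.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the first two arcs
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128 arcs, high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Name the outer signatureAlgorithm of a PEM certificate (RFC 5280 Certificate SEQUENCE)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = read_tlv(der, 0)    # outer SEQUENCE
    _, _, pos = read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def sha1_signed(cert_dir):
    """Certnames under cert_dir (e.g. the CA's signed/ directory) still signed with SHA-1."""
    weak = []
    for name in sorted(n for n in os.listdir(cert_dir) if n.endswith(".pem")):
        with open(os.path.join(cert_dir, name)) as f:
            if signature_algorithm(f.read()) == "sha1WithRSAEncryption":
                weak.append(name[:-4])
    return weak

# Constructed minimal PEM (empty tbsCertificate, sha1WithRSAEncryption, empty signature); not a real cert.
SAMPLE_SHA1_PEM = "-----BEGIN CERTIFICATE-----\nMBQwADANBgkqhkiG9w0BAQUFAAMBAA==\n-----END CERTIFICATE-----\n"
```

Run `sha1_signed("/var/lib/puppet/ssl/ca/signed")` on the master (path as appropriate for your install) to get the list of hosts whose certs need cleaning and reissuing.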
