Renewing Puppet Master Certificate

Reid, Jamie

Dec 11, 2013, 5:44:46 PM
to puppet...@googlegroups.com

Hi All,

Possibly a very simple thing I’m missing, but how do you renew the Puppet Master’s SSL certificate without breaking the client/master relationships?

A copy of the email to root that prompted this email is below.

Cheers,
Jamie

################# SSL Certificate Warning ################

  Certificate for hostname '<server>', in file (or by nickname):
     /etc/pki/tls/certs/localhost.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

##########################################################
                                  Generated by certwatch(1)

 

 



Felix Frank

Dec 21, 2013, 6:46:46 PM
to puppet...@googlegroups.com
Hi,

signing a new master certificate should not be an issue, as long as it's
signed using the same CA certificate as the old one (i.e., a CA that is
trusted by all clients).

When the CA certificate expires, it should be quite possible to add a
new additional CA to the master and distribute it to all agents. I don't
know how the puppet tool chain supports this, though.

Cheers,
Felix

On 12/11/2013 11:44 PM, Reid, Jamie wrote:
> Hi All,
>
>
>
> Possibly a very simple thing I’m missing, but how do you renew the
> Puppet Master’s ssl certificate without breaking the client/master
> relationships?
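
Added example (not part of the original thread, and not Puppet's own tooling): the point in the reply above, shown with plain openssl. The CA names, the hostname puppet.example.test and all file names are constructed for the demo; an agent is modelled as a verifier that holds only demo-ca.pem.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and certificates in a temp directory.
# Names (demo-ca, other-ca, puppet.example.test) are made up for illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA NAME DAYS: fresh key pair for the master, certificate signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet.example.test" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days "$3" -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# agent_trusts CERT: decision of a client whose only trust anchor is demo-ca.
agent_trusts() {
  if openssl verify -CAfile "$work/demo-ca.pem" "$work/$1.pem" >/dev/null 2>&1
  then echo trusted
  else echo rejected
  fi
}

make_ca demo-ca
make_ca other-ca
issue demo-ca  master-old     1     # certificate about to expire
issue demo-ca  master-new     1825  # renewal: new key, same CA
issue other-ca master-foreign 1825  # same hostname, different CA

# Same subject name in all three; only the issuing CA decides the outcome.
for c in master-old master-new master-foreign; do
  printf '%s: %s, %s\n' "$c" "$(agent_trusts "$c")" \
    "$(openssl x509 -noout -enddate -in "$work/$c.pem")"
done
```

The same `openssl verify -CAfile` check can be run against a freshly issued master certificate and the CA certificate the agents actually hold before the old certificate is retired.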

devzero2000

Dec 22, 2013, 3:59:49 AM
to puppet...@googlegroups.com


On 22 Dec 2013 00:46, "Felix Frank" <Felix...@alumni.tu-berlin.de> wrote:
>
> Hi,
>
> signing a new master certificate should not be an issue, as long as it's
> signed using the same CA certificate as the old one (i.e., a CA that is
> trusted by all clients).
>
> When the CA certificate expires, it should be quite possible to add a
> new additional CA to the master and distribute it to all agents. I don't
> know how the puppet tool chain supports this, though.

In PKI terms this is called a Key Rollover. It is a standard CA practice.

Best regards


> Cheers,
> Felix
>
> On 12/11/2013 11:44 PM, Reid, Jamie wrote:
> > Hi All,
> >
> > Possibly a very simple thing I’m missing, but how do you renew the
> > Puppet Master’s ssl certificate without breaking the client/master
> > relationships?
