How to replace pem certificate to servers


Paolo Brocchi

Jan 9, 2014, 7:23:44 AM
to puppet...@googlegroups.com
Hi all,
I would like to replace the PEM certificate on the agent servers.
Before replacing it I would like to do some checks, such as: certificate expiry date, correct CN, correct private key.
Can anyone help me?
Regards
Paolo

Stephan

Jan 9, 2014, 10:08:52 AM
to puppet...@googlegroups.com
Do you want to replace some random certificates somewhere on the disk, or do you want to replace those used for Puppet communication? If the latter, have a look here:

https://ask.puppetlabs.com/question/2097/how-to-migrate-ca-certificates-to-new-master/

This is for a Puppet master migration, but it is pretty similar to what you plan to do.

Paolo Brocchi

Jan 9, 2014, 10:22:31 AM
to puppet...@googlegroups.com
Hi Stephan,
thanks for the quick answer.
I'll try to explain better.

For example:
I have a PEM certificate on the Puppet master at /puppet/files/xxx.pem. I would like to copy this certificate to many Puppet agents under /etc/. Before copying it I would like to check that the certificate is not expired.

How can I do this?

Thanks again
Paolo

Stephan

Jan 9, 2014, 10:57:14 AM
to puppet...@googlegroups.com
If this is only on the Puppet master then I would do that outside Puppet, maybe with a weekly cronjob which moves or deletes expired certificates.

On Linux with GNU date, put this into a for loop going through all certs:

# current time and the cert's notAfter, both as Unix epoch seconds
now=$(date +%s)
cert=$(date --date="$(openssl x509 -enddate -noout -in your.crt | sed -e 's/notAfter=//')" +%s)
if [ "$now" -ge "$cert" ]; then
    echo "do your cleanup tasks here"
fi


Once the directory is acceptable you can put it on your clients with a file resource and recurse => true.
If you use version control with svn or git etc. for your Puppet code, you might want to keep this outside it, via /etc/puppet/fileserver.conf.
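As an added example (not code from any poster in this thread), here is a POSIX sh function that performs the three pre-flight checks Paolo asked for (expiry, CN, private key match) before a PEM file is dropped into the directory that the file resource above serves to agents. It assumes openssl(1) is in PATH; the function name, file names and the `min_left` threshold are my own. It uses `openssl x509 -checkend` instead of GNU date, so the expiry test also works on systems without GNU coreutils.

```shell
#!/bin/sh
# Pre-flight checks for a PEM certificate before pushing it to agents.
# Usage: check_cert <cert.pem> <key.pem> <expected CN> [min_seconds_remaining]
# Exit status: 0 = all checks pass, 1 = expiry, 2 = wrong CN, 3 = key mismatch.

check_cert() {
    cert=$1; key=$2; want_cn=$3; min_left=${4:-0}

    # 1. Expiry: -checkend N exits non-zero if the cert is already expired
    #    or expires within the next N seconds (N=0 means "expired now").
    #    Passing e.g. 2592000 (30 days) rejects certs about to lapse.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within ${min_left}s" >&2
        return 1
    fi

    # 2. Common Name: RFC2253 output has no spaces around '=' regardless of
    #    the OpenSSL version, so the sed pattern is stable.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: $cert has CN '$cn', expected '$want_cn'" >&2
        return 2
    fi

    # 3. Key match: hash the DER public key taken from the certificate and
    #    the one derived from the private key; they must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key $key does not match $cert" >&2
        return 3
    fi

    echo "OK: $cert valid for >= ${min_left}s, CN=$cn, key matches"
    return 0
}

# Constructed usage: only copy into the served directory when every check passes.
# check_cert /puppet/files/xxx.pem /puppet/private/xxx.key agent01.example.com 2592000 \
#     && cp /puppet/files/xxx.pem /etc/puppet/files/
```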

Johan De Wit

Jan 10, 2014, 2:15:06 AM
to puppet...@googlegroups.com
Hi,
On the master,

puppet cert print <certname>

Look for the lines:
Validity
            Not Before: May 10 10:23:49 2013 GMT
            Not After : May 10 10:23:49 2018 GMT
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/905474da-28c1-4d1c-bb11-c8be50ffb385%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


-- 
Johan De Wit

Open Source Consultant

Red Hat Certified Engineer         (805008667232363)
Puppet Certified Professional 2013 (PCP0000006)
_________________________________________________________
 
Open-Future                 Phone     +32 (0)2/255 70 70
Zavelstraat 72              Fax       +32 (0)2/255 70 71
3071 KORTENBERG             Mobile    +32 (0)474/42 40 73
BELGIUM                     http://www.open-future.be
_________________________________________________________
 


