
How to migrate CA certificates to new master?

asked 2013-07-17 15:30:04 -0600

stormmaster

We want to move our certificates to a new master so we can end-of-life the old masters. Does anyone have documentation on best practices? We were thinking we could just spin up new masters and tell the agents to talk to the new ones, but we're not sure of the best way to tackle it.


5 Answers


answered 2013-07-18 03:45:23 -0600

gh

On the new system, ensure you have the following in puppet.conf in the [main] section.

ca = true

Given the host names are the same, you can just copy the ssl dir.

SSLDIR=$(puppet config print ssldir)
rsync -avp ${SSLDIR}/ new_puppet_ca:${SSLDIR}/

I recommend using a CNAME for puppetca that points to your CA system. In your puppet.conf you would have the following in the [agent] section.

ca_server = 

You could also get around this by setting autosign = true on the master. Then remove the ssldir on all your agents and when they connect to the new system ... (more)

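As an added illustration of the copy-the-ssldir approach in this answer (example script written for this page, not from the original answer or from Puppet), the functions below copy an ssldir with the same rsync -a semantics, then check that the CA certificate and CA private key arrived unchanged and that the key is not world-readable. Moving the ssldir moves the CA's signing key, so the copy is worth verifying rather than trusting. It assumes Puppet's standard ssldir layout (ca/ca_crt.pem, ca/ca_key.pem) and a local destination path; for a remote new_puppet_ca, run ca_fingerprints on both hosts and compare the output.

```shell
#!/bin/sh
# Added example (not from the original answer): copy a Puppet ssldir to a new
# master and check that the CA material arrived intact with safe permissions.
# Assumes Puppet's standard ssldir layout (ca/ca_crt.pem, ca/ca_key.pem).
set -eu

# SHA-256 hex digest of one file.
fingerprint() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Print "digest  relative-path" for the CA cert and key under an ssldir,
# so the two sides of a remote copy can be compared by eye or with diff.
ca_fingerprints() {
    for f in ca/ca_crt.pem ca/ca_key.pem; do
        printf '%s  %s\n' "$(fingerprint "$1/$f")" "$f"
    done
}

# Copy the whole ssldir, preserving modes (what the answer's rsync -avp does);
# falls back to cp -Rp where rsync is not installed.
copy_ssldir() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src"/ "$dst"/
    else
        cp -Rp "$src"/. "$dst"/
    fi
}

# 0 if the file is readable only by its owner (and optionally its group),
# else 1. The CA private key must never be world-readable after the copy.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|440|600|640) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare CA cert and key digests between two ssldirs; 1 on any mismatch.
verify_ca_copy() {
    src="$1"; dst="$2"; rc=0
    for f in ca/ca_crt.pem ca/ca_key.pem; do
        if [ "$(fingerprint "$src/$f")" != "$(fingerprint "$dst/$f")" ]; then
            echo "MISMATCH: $f differs between $src and $dst" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the old master (new_ssldir is a staging path or a mount of the new host):
#   copy_ssldir "$(puppet config print ssldir)" /mnt/new_master/ssl
#   verify_ca_copy "$(puppet config print ssldir)" /mnt/new_master/ssl
#   key_perms_ok /mnt/new_master/ssl/ca/ca_key.pem
```

verify_ca_copy only covers the CA pair; ca_fingerprints is there so that after an rsync straight to new_puppet_ca you can print the digests on both hosts and compare them, which is the same check without needing a shared path.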


If the hostnames are different can we still copy the SSLDIR? (i.e. OldCAName to NewCAName)

stormmaster (2013-07-18 09:41:56 -0600)

No. If you change your CA's hostname, then you need to generate a new CA cert. If you generate a new CA cert, you need to generate new client ...(more)

Ancillas (2013-07-18 12:01:32 -0600)

I'm planning to build a new puppetmaster soon, so what do you mean by "subject alternative names"? Is there a guide anywhere that explains how to set this subject alternative name up?

schowdhury (2016-04-23 04:12:16 -0600)

answered 2013-07-18 12:21:32 -0600

Ancillas

Here's the flow I'd use.

  1. Have the new master ready to go from a configuration perspective. This doesn't include any of the old client certs, just new CA and master certs.
  2. Temporarily enable auto-signing for servers in your domain.
  3. Use a script, or some other orchestration process to upgrade the Puppet version one client at a time. That script will also change the puppet.conf configuration to point at the new master, and remove the existing puppet ssl directory. The new version of puppet will connect to the master ...
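As an added example of steps 2 and 3 of this flow (a script written for this page, not Ancillas's own orchestration), the functions below write a domain-scoped autosign.conf on the new master instead of a blanket autosign = true, then repoint one agent's puppet.conf at the new master and remove its ssldir so the next run requests a fresh certificate. It assumes an ini-style puppet.conf with an [agent] section and Puppet's autosign.conf format of one hostname glob per line; the hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): scope autosigning to one
# domain and repoint an agent at the new master. Assumes an ini-style
# puppet.conf and Puppet's one-glob-per-line autosign.conf format.
set -eu

# Write autosign.conf so only CSRs for hosts under the given domain are
# signed automatically; "*.example.com" is far narrower than autosign = true.
write_autosign_conf() {
    conf="$1"; domain="$2"
    printf '*.%s\n' "$domain" > "$conf"
}

# Read key from the [agent] section of puppet.conf (empty if absent).
get_agent_setting() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[agent]"); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Set key = value in the [agent] section: replace an existing line, otherwise
# append to the section, creating the section if puppet.conf has none.
set_agent_setting() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp"
    awk -v key="$key" -v value="$value" '
        /^\[/ {
            # leaving [agent] without having written the key: write it first
            if (insec && !done) { print key " = " value; done = 1 }
            insec = ($0 == "[agent]")
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[agent]"
                print key " = " value
            }
        }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Point the agent at the new master (server and ca_server) and drop its
# ssldir: the old certs were signed by the old CA and are useless now.
migrate_agent() {
    conf="$1"; ssldir="$2"; new_master="$3"
    set_agent_setting "$conf" server "$new_master"
    set_agent_setting "$conf" ca_server "$new_master"
    case "$ssldir" in
        ""|/) echo "refusing to remove '$ssldir'" >&2; return 1 ;;
    esac
    rm -rf "$ssldir"
}

# Usage (placeholders): on the new master
#   write_autosign_conf /etc/puppet/autosign.conf example.com
# and on each agent, before the first run against the new master
#   migrate_agent /etc/puppet/puppet.conf "$(puppet config print ssldir)" new-master.example.com
```

Because get_agent_setting and set_agent_setting operate on the file rather than on a regex over the whole config, an agent that already carries other [agent] settings keeps them, and running migrate_agent twice is harmless.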

answered 2014-02-27 09:55:05 -0600

louis

This is what I had to do in order to move the SSL certificates (100 of them) to a new puppet master server with a different hostname.

  1. stop agent, master and puppetdb (/sbin/service pe-httpd pe-puppet pe-puppetdb stop)
  2. clean the new puppet master generated certificate (puppet cert clean <new_puppet_master_hostname>)
  3. create your bash script using Garrett Honeycutt's solution above... (rsync ...)
  4. execute puppet master --no-daemonize --debug
  5. rebuild the puppetdb certificate (sudo /opt/puppet/sbin/puppetdb-ssl-setup -f)
  6. start your puppetdb, master and agent services.

Check this link for more troubleshooting.


answered 2015-04-29 09:54:57 -0600

Avi

In case I do keep the naming convention and everything, besides copying the modules directory and the entire SSL directory, is there something else? Any restart of any services on the puppet master?



Asked: 2013-07-17 15:30:04 -0600

Seen: 5,819 times

Last updated: Feb 27 '14