Ask Your Question

Can I have multiple CA certificates in a Puppet master?

asked 2016-09-07 11:29:18 -0600

AndresPlazaR gravatar image


In a few months, my CA certificate (created almost 5 years ago) will expire. I was looking the instructions on how to recreate the certs (

Everything works fine, except one detail: I need to be able to support Puppet clients using the old certificates (with the old self-signed CA) for some time (about two weeks).

So, is there a way to have both CA certs (new and old) in the Puppet master, to accomplish this?

Thanks in advance!


edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2016-09-24 11:30:44 -0600

camlow325 gravatar image

updated 2016-09-24 14:22:44 -0600

I haven't tried this but you might be able to do it by switching over the contents of your Puppet CA SSL directory (/etc/puppetlabs/puppet/ssl/ca/... in more recent versions) to use the new self-signed CA while bundling both the old self-signed and new self-signed CA cert together into the PEM file that the Puppet master uses to validate client certificates. This way, new agents would be issued certificates from the new CA while agents that had been issued from either the old CA or new CA should continue to be considered valid by the Puppet master and still complete their runs.

Combining the old and new CA certificates into a bundle should be as simple as:

cat ca_old_crt.pem ca_new_crt.pem > ca_bundle_with_old_and_new.pem

The setting which controls the location of the CA client certificate bundle differs depending upon the master configuration you are using. If you are using Puppet Server as your master and are configuring the webserver settings through its webserver.conf file, this setting is called ssl-ca-cert. If you are using a Puppet master running behind a Rack/Passenger configuration, the related Apache vhost configuration setting is called SSLCACertificateFile.

Another consideration is whether, during the period where you are transitioning agents, you want to have the master's webserver certificate continue to be the same, issued from the old CA. To avoid disruptions to your existing agents, you may want to do it this way. If that's the case, you'll need to ensure that any new agents, issued by the new CA, are able to successfully validate the master certificate issued from the old CA. The least disruptive way to do this may be to drop in the CA "bundle" to the new agent's "/etc/puppetlabs/puppet/ssl/certs/ca.pem" file and the "old" CA's CRL pem file -- "/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem" -- to the new agent's "/etc/puppetlabs/puppet/ssl/crl.pem" file before attempting the first run on the new agent.

When you get to the point where you do want to migrate the master's certificate over to one issued by the new CA, the CRL file on the agent will again be problematic. Unlike with the CA certificates, where it is possible to bundle old and new together into one file, it is not currently possible for an agent to use a bundled CRL PEM file - see PUP-3788. Because of this, you'll probably need to copy down the CRL file for the new CA only to each agent only after the master's certificate has been migrated to the new CA.

If it is not possible / desirable for you to do the CRL file change for all clients at the same time, the only way I can think of to avoid agent runs from failing during this period may be to briefly disable the use of the CRL file in each agent's "/etc/puppetlabs/puppet/puppet.conf" file, like this ... (more)

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2016-09-07 11:29:18 -0600

Seen: 481 times

Last updated: Sep 24 '16