Note: last update 8 Feb 2026 -> next renewal before Feb 2031
Puppet 2/3 PKI Management
Context
Puppet 2/3 has no automatic CA renewal.
The Puppet CA certificate has a limited lifespan (5 years by default, controlled by the ca_ttl setting), and every master and agent certificate is signed by it, so when the CA expires the whole PKI expires with it.
Before or after expiration the procedure is the same: regenerate the full PKI (CA, master certificate and every agent certificate).
Operational difference: before expiration it is a planned maintenance with minimal disruption; after expiration every agent has already stopped talking to the master, so it becomes an urgent manual intervention on every host.
CA / PKI Rotation Procedure
1. On the Puppet Master
# Stop the Puppet service:
service puppetmaster stop
# Backup the existing PKI:
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)
# Generate a new CA and master certificate:
puppet cert generate $(hostname -f) --ca
# Restart the Puppet service:
service puppetmaster start
2. On each Puppet Agent
Move the old SSL directory aside (its certificate, private key and CA copy are all tied to the old CA) and let the agent request a new certificate:
# Stop the agent daemon first if it runs as a service, then rename the old ssl directory:
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)
# Run the agent once in the foreground: it generates a new key and CSR, sends the CSR to the master and retries every 60 seconds until the certificate is signed:
puppet agent --server puppet.mageia.org --no-daemonize --verbose --waitforcert 60
3. Back on the Puppet Master
# List pending (unsigned) certificate requests:
puppet cert list
# Sign each agent's request:
puppet cert sign <agent_hostname>
4. Verification
On the master:
openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -dates
On each agent:
puppet agent -t --verbose
Expected outcome: Puppet applies the catalog without SSL errors.
Best Practices
Monitor CA expiration with:
openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -enddate
Schedule rotation before expiration (e.g., 90 days prior).
Backup the entire /var/lib/puppet/ssl directory before any changes.
Ensure the master's FQDN and the system clock on every host are correct: certificate names are derived from the hostname and validity periods from the local clock, and a skewed clock makes a freshly issued certificate appear not yet valid or already expired.
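The openssl one-liners above check one date by eye. The script below is an added example, not part of this wiki page or of Puppet itself; it turns the verification step and the expiry monitoring into a repeatable check that can run on the master and on every agent. It reports the days left and a status (OK, RENEW, EXPIRED) for the local CA copy and the host certificate, and it verifies that the host certificate is actually signed by that CA, which is what catches a host still carrying a certificate from the old PKI after a rotation. It assumes the Puppet 2/3 ssldir layout (certs/ca.pem is the local copy of the CA certificate, certs/<fqdn>.pem the host certificate) and a working openssl; PUPPET_SSL, WARN_DAYS, check_puppet_pki.sh and the function names are names chosen for this example, not Puppet settings.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Puppet): check the Puppet 2/3 PKI
# on a master or agent. Assumes the Puppet 2/3 ssldir layout (certs/ca.pem = local
# copy of the CA cert, certs/<fqdn>.pem = host cert) and that openssl is installed.
# PUPPET_SSL and WARN_DAYS are names chosen here, not Puppet settings.

PUPPET_SSL=${PUPPET_SSL:-/var/lib/puppet/ssl}
WARN_DAYS=${WARN_DAYS:-90}

# days_left CERT: whole days until notAfter, or -1 if already expired.
# Binary search over openssl's own -checkend, so no date parsing is needed.
# Capped at 3660 days, well beyond Puppet's 5-year default CA lifetime.
days_left() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        printf '%s\n' -1; return 0
    fi
    lo=0; hi=3660
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        # -checkend N exits 0 only if the cert is still valid N seconds from now
        if openssl x509 -in "$1" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    printf '%s\n' "$lo"
}

# status_of DAYS THRESHOLD: EXPIRED, RENEW (within THRESHOLD days) or OK.
status_of() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$2" ]; then echo RENEW
    else echo OK
    fi
}

# cert_status CERT THRESHOLD: status_of applied to a certificate file.
cert_status() { status_of "$(days_left "$1")" "$2"; }

# chains_to_ca CERT CAFILE: succeeds only if CERT was signed by CAFILE. After a
# rotation this catches a host that still carries a certificate from the old CA.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# report SSL_DIR CERTNAME: one line per check; returns 1 if anything is expired,
# missing, or not signed by the CA copy found in SSL_DIR.
report() {
    dir=$1; name=$2; rc=0
    ca="$dir/certs/ca.pem"
    host="$dir/certs/$name.pem"
    for f in "$ca" "$host"; do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        d=$(days_left "$f")
        s=$(status_of "$d" "$WARN_DAYS")
        printf '%-8s %5s days left  %s\n' "$s" "$d" "$f"
        if [ "$s" = EXPIRED ]; then rc=1; fi
    done
    if [ -r "$host" ] && [ -r "$ca" ]; then
        if chains_to_ca "$host" "$ca"; then
            echo "OK       $host is signed by $ca"
        else
            echo "FAIL     $host is not signed by $ca (leftover from the old PKI?)"; rc=1
        fi
    fi
    return $rc
}

# Runs the report only when invoked as: sh check_puppet_pki.sh report [fqdn]
case "${1:-}" in
    report) report "$PUPPET_SSL" "${2:-$(hostname -f)}" ;;
esac
```

Run it as `sh check_puppet_pki.sh report` on each host after step 4; a non-zero exit means the host still needs attention. Lowering WARN_DAYS to 0 turns it into a pure expiry alarm suitable for cron, while the default of 90 days matches the rotation lead time recommended above.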