| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Extending Expired CA Certificate |
| 4 | +date: 2025-08-06 |
| 5 | +summary: How to extend the expiration date of the Puppet CA certificate |
| 6 | +--- |
| 7 | + |
| 8 | +## Using an OpenBolt Module |
| 9 | + |
| 10 | +If you're using OpenBolt in your environment, there's a [ca_extend](https://github.com/puppetlabs/ca_extend) module designed for this task. Follow the module’s documentation to perform the extension in a supported and automated way. |
| 11 | + |
| 12 | +## Manual Process |
| 13 | + |
| 14 | +The [ca_extend repository](https://github.com/puppetlabs/ca_extend) also includes a standalone [extend.sh](https://github.com/puppetlabs/ca_extend/blob/main/files/extend.sh) script that can be run manually to generate a new CA certificate with an extended expiration date. |
| 15 | + |
| 16 | +The script performs the following steps: |
| 17 | + |
| 18 | +1. Sets up a temporary SSL environment. |
| 19 | +2. Generates a new CA certificate with the expiration set 15 years into the future. |
| 20 | +3. Writes the new certificate to the directory returned by: |
| 21 | + ``` |
| 22 | + puppet config print --section master cacert |
| 23 | + ``` |
| 24 | + |
| 25 | +The new file will be named using the format: `ca_crt-expires-<NEW_END_DATE>.pem`. This allows you to distinguish it from the currently active certificate without overwriting anything by default. |
| 26 | + |
| 27 | +## Steps After Running the Script |
| 28 | + |
| 29 | +1. Examine the end date of the new certificate by executing: |
| 30 | + |
| 31 | +``` |
| 32 | +openssl x509 -in <PATH_TO_NEW_KEY> -noout -noout -subject -issuer -enddate |
| 33 | +``` |
| 34 | + |
| 35 | +Confirm the issuer matches your existing CA and that the expiration date is 15 years in the future. |
| 36 | + |
| 37 | +2. Back up the current certificate and install the new one: |
| 38 | + |
| 39 | +``` |
| 40 | +# Assuming the directory where the CA is stored is /etc/puppetlabs/puppet/ssl/ca |
| 41 | +mv /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem.bak.$(date +%F) |
| 42 | +mv <PATH_TO_NEW_KEY> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem |
| 43 | +``` |
| 44 | +3. Restart the OpenVox server. |
| 45 | +``` |
| 46 | +systemctl restart puppetserver |
| 47 | +``` |
| 48 | + |
| 49 | +# OpenVox agents |
| 50 | + |
| 51 | +The following assumes the CA certificate is stored in the default location: |
| 52 | +`/etc/puppetlabs/puppet/ssl/certs/ca.pem`. |
| 53 | + |
| 54 | +## If the CA cert has expired |
| 55 | + |
| 56 | +The new certificate can be downloaded via the HTTP API using the following |
| 57 | +command: |
| 58 | + |
| 59 | +``` |
| 60 | +curl https://<PUPPET-CA-HOST>:8140/puppet-ca/v1/certificate/ca --insecure > /etc/puppetlabs/puppet/ssl/certs/ca.pem |
| 61 | +``` |
| 62 | + |
| 63 | +A command similar to the above would need to be orchestrated across all of your agents. |
| 64 | + |
| 65 | +## OpenVox agents on version 8 and newer |
| 66 | +Agents running Puppet 8+ will automatically fetch the updated CA certificate according to the [ca_refresh_interval](https://github.com/OpenVoxProject/openvox/blob/main/references/configuration.md#ca_refresh_interval) setting. |
| 67 | + |
| 68 | +## Older Agents |
| 69 | + |
| 70 | +For older agents: |
| 71 | + |
| 72 | +* Distribute the new CA certificate using your configuration management/orchestration tool (e.g., SaltStack, Ansible). |
| 73 | +* Alternatively, use an OpenVox file resource to deploy the new certificate — this only works if the current CA certificate has not yet expired and agents can still check in. |
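Review bot: the `curl https://<PUPPET-CA-HOST>:8140/puppet-ca/v1/certificate/ca --insecure > /etc/puppetlabs/puppet/ssl/certs/ca.pem` command under "If the CA cert has expired" replaces the agent's trust anchor with whatever the unverified endpoint returns and overwrites the existing file with no backup; suggest downloading to a temporary file, comparing its fingerprint (`openssl x509 -noout -fingerprint -sha256 -in <file>`) with the fingerprint of the certificate installed on the CA host in step 2, and only then moving it into place, keeping a dated `.bak` copy as the server steps already do. Two smaller corrections in "Steps After Running the Script": the `openssl x509` command repeats `-noout`, and the placeholder `<PATH_TO_NEW_KEY>` (used again in the `mv` line) names a certificate, not a key, so something like `<PATH_TO_NEW_CERT>` would match the `ca_crt-expires-<NEW_END_DATE>.pem` naming explained earlier; the "Confirm the issuer matches" sentence could also ask the reader to confirm the new certificate carries the same public key as the old one (`openssl x509 -noout -pubkey` on both files should give identical output), since existing agent certificates only continue to validate if the CA key is unchanged. Style: `# OpenVox agents` is an H1 while every other heading in the post is H2, the "OpenVox agents on version 8 and newer" section says "Puppet 8+" in its body, and the fence after "3. Restart the OpenVox server." lacks the blank line that items 1 and 2 have before theirs.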