Setting up Puppet certificates

To generate and sign a certificate, follow these steps:

  1. On the Puppet agent, run this command to generate an empty certificate:

    # puppet agent -t
    
  2. On the Puppet server side, list the current certificates that need approval:

    # puppetserver ca list
    

    The output should list your agent node's hostname.

  3. Approve the certificate, replacing pending-agent-node with your agent’s node name:

    # puppetserver ca sign --certname pending-agent-node
    

    To approve all pending certificates at once, use the following command. It signs every pending request, so review the list from step 2 first:

    # puppetserver ca sign --all
    
  4. Back on the Puppet agent node, run the Puppet agent again:

    # puppet agent -t
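
A check to run on the Puppet server between steps 2 and 3, as an added example that is not part of the original guide: it confirms that a pending request carries the fingerprint the agent reports with `puppet agent --fingerprint` before you sign it. The listing format parsed here, the function names, and the sample hostnames and fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a pending request's fingerprint with the agent's value.
# Assumed line format of `puppetserver ca list` (adjust if your version differs):
#     <certname>   (SHA256)  <colon-separated fingerprint>

# Print the SHA256 fingerprint listed for certname $1.
# The listing is read from stdin.
pending_fingerprint() {
    awk -v name="$1" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# Succeed only if certname $1 is pending AND its fingerprint equals $2.
# The comparison ignores hex letter case. The listing is read from stdin.
csr_matches() {
    listed=$(pending_fingerprint "$1")
    [ -n "$listed" ] || return 1          # not pending: nothing to sign
    a=$(printf '%s' "$listed" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$a" = "$b" ]
}

# Constructed sample listing (shortened, not real fingerprints).
SAMPLE_LIST='Requested Certificates:
    agent01.example.internal   (SHA256)  AA:BB:CC:DD:EE:FF:00:11
    agent02.example.internal   (SHA256)  11:22:33:44:55:66:77:88'

# Demo on the sample. On a real server, pipe the live listing instead:
#   puppetserver ca list | csr_matches "$NODE" "$FP_FROM_AGENT" \
#       && puppetserver ca sign --certname "$NODE"
if printf '%s\n' "$SAMPLE_LIST" |
        csr_matches agent01.example.internal 'aa:bb:cc:dd:ee:ff:00:11'; then
    echo "agent01.example.internal: fingerprint matches, safe to sign"
else
    echo "agent01.example.internal: mismatch or not pending, do not sign"
fi
```

Obtain the fingerprint on the agent itself and carry it to the server over a channel you already trust, so that a request submitted under the same hostname by another machine is not signed.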
    

Note

Remember that private network DNS is a prerequisite for a successful certificate signing.