key rollover: puppet
Written and acked by Micah Anderson:
There are two ways to regenerate puppet certificates: via capistrano, or manually.
The capistrano method is detailed here: http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL
The manual steps are as follows:
1. Wipe and regenerate the CA on the puppetmaster:
However, if you are running mongrel, instead of starting puppetmaster from the initscript you will need to first stop the front-end web listener (apache, nginx, etc.) and then run:
puppetmasterd --daemonize ; sleep 30 ; pkill -f 'ruby /usr/sbin/puppetmasterd'
This is necessary because, for some reason, puppetmaster will not regenerate its CA when running under mongrel.
2. Wipe all the client certs.
3. Have each client request a new cert:
puppetd --onetime --debug --ignorecache --no-daemonize
4. Once all the requests have rolled in, sign them all at once:
puppetca --sign --all
You could also enable autosign temporarily for this step, if you are comfortable with that; autosign signs every request that arrives without any check, so turn it off again as soon as the rollover is done.
5. Start up your puppet clients:
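The client-side half of the manual procedure (wipe the client's certs, then request a new one), as an added shell example that is not part of the original page; it assumes the ssl dir is /var/lib/puppet/ssl and the client binary is puppetd (both overridable via SSL_DIR and PUPPETD).

```shell
#!/bin/sh
# Added example, not from the original page. Client-side rollover: move the
# old certs (including the old CA cert the client pins) out of the way, then
# ask the new CA for a fresh cert. Run as root on each client with puppetd
# stopped. SSL_DIR and PUPPETD are assumed names, not puppet settings.
set -e

# Move the ssl dir $1 to a timestamped backup under $2 and recreate it empty.
# Keeping the old dir lets you roll back if the new CA turns out to be broken.
# Prints the backup path.
backup_ssl_dir() {
    ssl_dir="$1"
    backup_root="$2"
    backup="$backup_root/ssl.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_root"
    if [ -d "$ssl_dir" ]; then
        mv "$ssl_dir" "$backup"
    else
        mkdir -p "$backup"   # nothing to save, still record the attempt
    fi
    mkdir -p "$ssl_dir"
    chmod 0771 "$ssl_dir"
    printf '%s\n' "$backup"
}

# Refuse to continue if a CA cert is still in place: puppetd would keep
# trusting the old CA and reject the new master instead of requesting a cert.
assert_no_old_ca() {
    if [ -e "$1/certs/ca.pem" ]; then
        echo "old CA cert still present in $1, refusing to continue" >&2
        return 1
    fi
    return 0
}

# One-shot run that generates a new key and submits a CSR to the new CA
# (the same command the page gives in step 3).
request_new_cert() {
    "${PUPPETD:-puppetd}" --onetime --debug --ignorecache --no-daemonize
}

# Only act when invoked as "script run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    ssl_dir="${SSL_DIR:-/var/lib/puppet/ssl}"
    backup=$(backup_ssl_dir "$ssl_dir" "$(dirname "$ssl_dir")/ssl-backups")
    echo "old certs saved in $backup"
    assert_no_old_ca "$ssl_dir"
    request_new_cert
fi
```

After the master has signed the request, check that the client's new certs/ca.pem matches the CA the master regenerated before letting the client run unattended again.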