Managing certificate signing requests

When you install a Puppet agent on a node, the agent must submit a certificate signing request (CSR) to the primary server, and you must accept the CSR to add the node to your Puppet Enterprise (PE) inventory. Accepting the CSR allows Puppet to run on the node and enforce your configuration, which in turn adds node information to PuppetDB and makes the node available throughout the PE console.

If you install agents from the console (see Install agents from the console), the agent automatically submits a CSR to the primary server. If you use another method, such as Install agents with the install script, you might need to run Puppet on the node after installing the agent so that it generates and submits the CSR.

You can accept CSRs from the PE console or the command line.
Restriction: For agent nodes that use DNS altnames, you must use the command line to accept the CSR.

If necessary after installing the agent, you can edit the node's certname or other CSR attribute settings in the node's puppet.conf and csr_attributes.yaml files. You can edit the puppet.conf file directly (at /etc/puppetlabs/puppet/puppet.conf) or use the puppet config set sub-command. For example, to set the certname for the agent, run /opt/puppetlabs/bin/puppet config set certname agent.example.com. For more information about puppet.conf and csr_attributes.yaml, go to Customize the install script (that page describes setting these properties through the agent install script, but the same properties can be edited after the agent is installed).
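The following shell script is an added example (not part of the PE documentation) of preparing an agent's CSR settings before its first run. It wraps the puppet config set command from the text in a check that rejects certnames Puppet would refuse (Puppet requires lowercase certnames) and writes a csr_attributes.yaml in Puppet's documented custom_attributes / extension_requests layout. The confdir path, the PUPPET_BIN location, the pp_role value and the challenge password are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: agent-side CSR preparation. Assumes the puppet binary at
# PUPPET_BIN and Puppet's documented csr_attributes.yaml layout.
PUPPET_BIN="${PUPPET_BIN:-/opt/puppetlabs/bin/puppet}"

# Puppet only accepts certnames made of lowercase letters, digits, '.', '_',
# '-' and ':'; an uppercase certname makes the agent refuse to run.
valid_certname() {
  case "$1" in
    ''|*[!a-z0-9._:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write csr_attributes.yaml into the confdir given as $1.
#   $2 = value for the pp_role extension request (assumed role name)
#   $3 = optional pre-shared challenge password (OID 1.2.840.113549.1.9.7)
# Puppet reads this file only while generating a new CSR, so it must be in
# place before the agent's first run submits the request.
write_csr_attributes() {
  confdir="$1"; role="$2"; psk="$3"
  out="$confdir/csr_attributes.yaml"
  {
    echo "---"
    if [ -n "$psk" ]; then
      echo "custom_attributes:"
      echo "  1.2.840.113549.1.9.7: \"$psk\""
    fi
    echo "extension_requests:"
    echo "  pp_role: \"$role\""
  } > "$out"
  # The challenge password is a secret: do not leave the file world-readable.
  chmod 0640 "$out"
}

# Set the certname with the 'puppet config set' sub-command from the text,
# refusing names that Puppet would reject so puppet.conf is never left broken.
set_certname() {
  name="$1"
  valid_certname "$name" || { echo "invalid certname: $name" >&2; return 1; }
  "$PUPPET_BIN" config set certname "$name"
}

# Usage (only runs when invoked as: prepare <certname> <role> [psk]):
if [ "${1:-}" = "prepare" ] && [ "$#" -ge 3 ]; then
  set_certname "$2" || exit 1
  write_csr_attributes "${PUPPET_CONFDIR:-/etc/puppetlabs/puppet}" "$3" "${4:-}"
fi
```

After this runs, puppet agent -t on the node generates the CSR with the role extension and submits it to the primary server; the challenge password only matters if the CA is configured to check it during autosigning.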

For information about configuring the certificate authority to automatically sign certain CSRs, refer to Autosigning certificate requests in the Puppet documentation.

Managing CSRs in the console

In the Puppet Enterprise (PE) console, you can accept or reject CSRs individually or in batches.

Before you begin: You must have the Console: View and Certificate requests: Accept and reject permissions.
  1. In the console, go to Certificates > Unsigned certificates.
  2. To manage an individual CSR, click Accept or Reject.
  3. To manage all unsigned CSRs at once, click Accept All or Reject All.
    Important: Stay on this page while the CSRs are processed. Nodes are processed in batches, and closing your browser or navigating to another page stops the process after the current batch.
  4. To make the node available in the console, manually start a Puppet run or wait for the next scheduled Puppet run.

Managing CSRs on the command line

You can use the command line to view and sign individual CSRs.

Before you begin: You must have the Certificate requests: Accept and reject permission.

These instructions use *nix commands. For Windows, run the commands in an administrator command prompt without sudo.

  1. To view pending CSRs, run: sudo puppetserver ca list
  2. To sign a CSR, run: sudo puppetserver ca sign --certname <NAME>

    By default, the Puppet Server CA CLI can sign certificates whose requests include altnames or auth extensions.

  3. To make the node available in the console, run puppet agent -t or wait for the next scheduled Puppet run.
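The following shell functions are an added example (not part of the PE documentation) of the command-line procedure above, with one extra check: before a CSR is signed, its fingerprint from puppetserver ca list is compared with the fingerprint reported out of band by the node (puppet agent --fingerprint on the agent), so that a request submitted under a spoofed certname is not approved. The listing text is constructed for the example and modelled on the puppetserver ca list output format; the CA_CLI path and the sample certnames and fingerprints are assumptions.

```shell
#!/bin/sh
# Added example: sign a pending CSR only if its fingerprint matches the value
# obtained from the node itself. Assumes puppetserver at CA_CLI.
CA_CLI="${CA_CLI:-puppetserver}"

# Constructed sample of 'puppetserver ca list' output (shape modelled on the
# real listing; names and fingerprints are made up).
SAMPLE_LISTING='Requested Certificates:
    web01.example.com   (SHA256)  AA:BB:CC:DD
    db01.example.com    (SHA256)  11:22:33:44   alt names: ["DNS:db01"]
Signed Certificates:
    pe-server.example.com  (SHA256)  99:88:77:66'

# Read a listing on stdin; print "<certname> <fingerprint>" for each entry in
# the "Requested Certificates" section only.
pending_from_listing() {
  awk '
    /^Requested Certificates:/      { sec = 1; next }
    /^[A-Z][A-Za-z ]*Certificates:/ { sec = 0 }
    sec && NF >= 3 && $2 == "(SHA256)" { print $1, $3 }
  '
}

# Print the pending fingerprint for certname $1 (listing on stdin), or nothing.
csr_fingerprint() {
  pending_from_listing | awk -v n="$1" '$1 == n { print $2; exit }'
}

# Return 0 if the pending CSR for $1 has fingerprint $2 (listing on stdin).
# Returns 2 if no pending request exists for that certname, 1 on mismatch.
# Case and colon separators are normalised before comparing.
fingerprint_matches() {
  got=$(csr_fingerprint "$1")
  [ -n "$got" ] || return 2
  a=$(printf '%s' "$got" | tr 'a-f' 'A-F' | tr -d ':')
  b=$(printf '%s' "$2"  | tr 'a-f' 'A-F' | tr -d ':')
  [ "$a" = "$b" ]
}

# Approve the CSR for $1 only if its fingerprint equals $2, the value the
# node's administrator read from 'puppet agent --fingerprint' on the node.
approve_csr() {
  if ! "$CA_CLI" ca list | fingerprint_matches "$1" "$2"; then
    echo "refusing to sign $1: no pending CSR or fingerprint mismatch" >&2
    return 1
  fi
  "$CA_CLI" ca sign --certname "$1"
}

# Usage: show what the sample listing yields (no CA calls are made).
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | pending_from_listing
fi
```

approve_csr replaces the bare sudo puppetserver ca sign --certname <NAME> step when the node's fingerprint is known; a mismatch is worth investigating rather than retrying, since two requests for the same certname can only be compared this way while the first is still unsigned.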