There are situations where we would like to regenerate the SSL certificate for a certain machine. Usually this is because we want to change the hostnames in the certificate. This page describes this process.
Stop the puppet agent (and other puppet services) on the client machine.
The first step is to stop the puppet agent on the machine which should get new certificates:
Stop the puppet agent
root@client.fqdn:~# systemctl stop puppet
If the machine is running other puppet services (like puppetserver or puppetdb) these should also be stopped:
Stop the puppet services
root@client.fqdn:~# systemctl stop puppetdb
root@client.fqdn:~# systemctl stop puppetserver
Revoke the old certificate
Before a machine can retrieve new SSL certificates it needs to have the old ones revoked. This is done at the puppetca:
Clean the old certificate at the puppetca
root@puppetca.fqdn:~# puppet cert clean client.fqdn
The CRL is distributed to the rest of the infrastructure each time those machines run the puppet agent.
Delete old certificates on the client, and create a new CSR.
Sign the new certificate
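Since the usual reason for regenerating a certificate is to change the hostnames it carries, it is worth checking the freshly signed certificate on the client before starting the puppet agent again. The following is an added example, not part of the original page or of Puppet itself: two POSIX shell functions that list the CN and DNS subjectAltNames of a PEM certificate and verify that every expected hostname is present. It assumes only the openssl command-line tool; the certificate path is a placeholder and should point at the client's signed certificate under the puppet ssldir.

```shell
#!/bin/sh
# Added example (not from the original page): check which hostnames a
# certificate carries, so a regenerated certificate can be verified against
# the intended names before the node is put back into service.
# Assumes the openssl CLI is available. Paths below are placeholders.

# Print the subject CN and every DNS subjectAltName of a PEM certificate,
# one name per line.
cert_hostnames() {
    cert="$1"
    # Subject CN (RFC2253 formatting gives "subject=CN=client.fqdn").
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    # DNS SANs: in "-text" output they follow the SAN header on one line,
    # e.g. "DNS:client.fqdn, DNS:client-alias.fqdn".
    openssl x509 -in "$cert" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if every hostname given as an argument appears in the certificate
# (as CN or DNS SAN), 1 otherwise.
cert_has_hostnames() {
    cert="$1"; shift
    names="$(cert_hostnames "$cert")"
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# Usage on a client after the new certificate has been signed and fetched
# (placeholder path and names):
#   cert_has_hostnames /etc/puppetlabs/puppet/ssl/certs/client.fqdn.pem \
#       client.fqdn && echo "certificate carries the expected hostname"
```

Run `cert_hostnames` on the client's certificate to see exactly which names the puppetca signed; if an old hostname is still listed, the CSR was generated before the hostname change and the clean/regenerate cycle has to be repeated.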