Renew CA cert for puppet / foreman

OK, just to close the loop, here is the full set of instructions that I did to get this working.

1.) First, copy the important files to a new directory

mkdir /root/puppet_renewal
cd /root/puppet_renewal
mkdir /root/puppet_renewal/ca
mkdir /root/puppet_renewal/puppetmaster
mkdir /root/puppet_renewal/puppetmaster/private_keys
mkdir /root/puppet_renewal/puppetmaster/certs
cp /etc/puppetlabs/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca
cp /etc/puppetlabs/puppet/ssl/private_keys/foreman.DOMAIN.pem /root/puppet_renewal/puppetmaster/private_keys

2.) Get the important information from the existing CA and puppet master certificate. Run the following commands and paste the info below. (These might be different when you run it, so take note.)

openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -noout -subject

subject=CN = Puppet CA: foreman.DOMAIN

openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -noout -serial

serial=01

(The below returns nothing for me, idk…)

openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/foreman.DOMAIN.pem -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Key Identifier:
            9B:17:02:F9:36:44:C7:42:F9:67:45:70:55:C2:AD:FB:6F:83:2B:0A
        Netscape Comment:
            Puppet Ruby/OpenSSL Internal Certificate
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            DNS:foreman.DOMAIN, DNS:puppet, DNS:puppet.mydomain

3.) Make the openssl config file:

cat << EOF > /root/puppet_renewal/renewpuppet.cnf
[ v3_ca ]
basicConstraints= CA:TRUE
subjectKeyIdentifier= hash
#authorityKeyIdentifier= keyid:always,issuer:always
keyUsage = critical, cRLSign, keyCertSign
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"

[ v3 ]
basicConstraints= CA:FALSE
subjectKeyIdentifier= hash
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = foreman.DOMAIN
DNS.2 = puppet
DNS.3 = puppet.DOMAIN
EOF

4.) Make a CSR using your existing CA key, and make the new CA cert. Take note of the serial number and subject name from step 2.

openssl req -out /root/puppet_renewal/ca/ca_new.csr -key /root/puppet_renewal/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: foreman.DOMAIN"

openssl x509 -req -days 3650 -in /root/puppet_renewal/ca/ca_new.csr -signkey /root/puppet_renewal/ca/ca_key.pem -out /root/puppet_renewal/ca/ca_crt.pem -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3_ca -set_serial 1

5.) Find the next serial number for the existing CA

echo $((0x$(cat /etc/puppetlabs/puppet/ssl/ca/serial)))

4354

6.) Make a CSR using your existing puppet server key, and make the new puppet server certificate. Use the serial number from step 5 below.

openssl req -out /root/puppet_renewal/mypuppetmaster.csr -key /root/puppet_renewal/puppetmaster/private_keys/foreman.DOMAIN.pem -new -batch -subj "/CN=foreman.DOMAIN"

openssl x509 -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal/mypuppetmaster.csr -CA /root/puppet_renewal/ca/ca_crt.pem -CAkey /root/puppet_renewal/ca/ca_key.pem -CAcreateserial -out /root/puppet_renewal/puppetmaster/certs/foreman.DOMAIN.pem -sha256 -set_serial 4354

7.) So, now you have an updated CA certificate and the new puppetmaster cert. Copy them into place, and restart the service.

systemctl stop apache2

cp /root/puppet_renewal/ca/ca_crt.pem /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
cp /root/puppet_renewal/ca/ca_crt.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
cp /root/puppet_renewal/puppetmaster/certs/foreman.DOMAIN.pem /etc/puppetlabs/puppet/ssl/certs/foreman.DOMAIN.pem

systemctl start apache2

8.) Make a GPO that replaces the ca.pem file in the Windows directory C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs . This will allow the client to now connect. A file replace (run once) GPO is all it took there.

9.) Reboot the entire server just to be sure everything is good. Your puppet CA smart proxy should show all green now, and as the clients run the GPO, the clients will start popping back into Foreman just like nothing has happened.

ref: Renewing Puppet CA and puppet master certificates

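The steps above work because the CA private key and the CA subject name are reused, so every agent certificate the old CA cert signed still chains to the renewed CA cert; only ca.pem has to be swapped on the agents. The script below is an added example, not code from the post or from Puppet, that rehearses steps 3 to 6 in a scratch directory and checks exactly that before anything is copied into /etc/puppetlabs. It assumes openssl is in PATH; the hostname foreman.example, the agent name agent01.example, the serial 1102 and all paths are constructed for the demo. It also carries the working form of the serial conversion from step 5 (the post's one-liner is missing the `$(...)` around `cat`).

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the CA-cert renewal in a scratch
# directory and verify that certs issued under the OLD CA cert still verify against the
# NEW one, because key and subject are unchanged. Assumes openssl in PATH; every path,
# hostname and serial below is constructed for the demo.

# Puppet stores the next serial as hex (e.g. "1102"); x509 -set_serial wants decimal.
next_serial() {
    printf '%d\n' "$((0x$(cat "$1")))"
}

# Extension config from step 3, with straight quotes (curly quotes are not valid here),
# plus a minimal [ req ] section so 'openssl req -config' works without the system config.
write_ext_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, cRLSign, keyCertSign
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"

[ v3 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $2
DNS.2 = puppet
EOF
}

# Rehearse in scratch directory $1 for puppet server $2. Returns 0 only if every check passes.
rehearse_renewal() {
    dir=$1; host=$2
    mkdir -p "$dir" && cd "$dir" || return 1
    write_ext_config ext.cnf "$host" || return 1
    q() { "$@" >/dev/null 2>&1; }   # quiet wrapper: OpenSSL chatter is not the point here

    # Old CA cert (same key the renewal will reuse) and one agent cert signed under it.
    q openssl genrsa -out ca_key.pem 2048 || return 1
    q openssl req -config ext.cnf -new -key ca_key.pem -batch -subj "/CN=Puppet CA: $host" -out ca_old.csr || return 1
    q openssl x509 -req -days 1 -in ca_old.csr -signkey ca_key.pem -set_serial 1 \
        -extfile ext.cnf -extensions v3_ca -out ca_old.pem || return 1
    q openssl genrsa -out agent_key.pem 2048 || return 1
    q openssl req -config ext.cnf -new -key agent_key.pem -batch -subj "/CN=agent01.example" -out agent.csr || return 1
    q openssl x509 -req -days 1 -in agent.csr -CA ca_old.pem -CAkey ca_key.pem -set_serial 2 \
        -extfile ext.cnf -extensions v3 -out agent.pem || return 1

    # Steps 4 to 6 of the post: new CA cert from the SAME key, then a new server cert.
    q openssl req -config ext.cnf -new -key ca_key.pem -batch -subj "/CN=Puppet CA: $host" -out ca_new.csr || return 1
    q openssl x509 -req -days 3650 -in ca_new.csr -signkey ca_key.pem -set_serial 1 \
        -extfile ext.cnf -extensions v3_ca -out ca_new.pem || return 1
    printf '1102\n' > serial                      # constructed stand-in for ssl/ca/serial
    q openssl genrsa -out server_key.pem 2048 || return 1
    q openssl req -config ext.cnf -new -key server_key.pem -batch -subj "/CN=$host" -out server.csr || return 1
    q openssl x509 -req -days 1825 -sha256 -in server.csr -CA ca_new.pem -CAkey ca_key.pem \
        -set_serial "$(next_serial serial)" -extfile ext.cnf -extensions v3 -out server.pem || return 1

    # Checks worth running before copying anything into /etc/puppetlabs:
    # 1. old and new CA certs carry the same public key (the key really was reused);
    [ "$(openssl x509 -in ca_old.pem -noout -pubkey)" = "$(openssl x509 -in ca_new.pem -noout -pubkey)" ] || return 1
    # 2. a cert issued under the OLD CA cert still chains to the NEW one (existing agents keep working);
    q openssl verify -CAfile ca_new.pem agent.pem || return 1
    # 3. the new server cert chains too and carries the SAN agents connect to;
    q openssl verify -CAfile ca_new.pem server.pem || return 1
    openssl x509 -in server.pem -noout -text | grep -q "DNS:$host" || return 1
    # 4. the serial landed as intended (decimal 4354 is hex 1102).
    [ "$(openssl x509 -in server.pem -noout -serial)" = "serial=1102" ] || return 1
}

# Usage: sh rehearse_renewal.sh /tmp/puppet_rehearsal foreman.example
if [ "$#" -eq 2 ]; then
    rehearse_renewal "$1" "$2" && echo "renewal rehearsal: all checks passed"
fi
```

Check 2 is the one that matters operationally: if it fails in the rehearsal (for example because the subject in the new CSR does not match the old CA subject exactly), agents would stop authenticating as soon as ca.pem is replaced, which is the failure the GPO step in the post is there to repair.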