Renewing CA certificates procedure


Our CA cert is starting to age and is expiring in some months. So are there known procedures to replace the CA certificate ? Same to expiring client (puppet) certificates.


Hi Gerwin,

Good question! I am wondering the same. Did you find a solution yet?


Eelko B.

I partly got it done by the help from Fabinan at

So it seems the Puppetserver is using the new (CA) certificates and the theforeman frontend too. They all getting the certs from /etc/puppetlabs/puppet/ssl.

Issue left:
The days left in “CA Certificate Expiry Date” smartproxy still shows the old amount of days before expiring. Is it possible Foreman is getting the CA cert from /etc/pki by any chance?

When you’re using Puppetserver 5 it should be based on what puppet cert list outputs. Puppetserver 6 uses the REST API. That probably still lists the old CA.

I think the UI logic for CA is very simple in that it assumes the oldest signed certificate is the CA.

It shouldn’t be using /etc/pki.

He Ewoud,

Thanks for pointing me to the correct direction. The procedure creates a new host certificate outside the ssl/ca/signed directorie. So I did the following:

  1. cp /etc/puppetlabs/puppet/ssl/ca/signed/.pem cp /etc/puppetlabs/puppet/ssl/ca/signed/.old
  2. cp /etc/puppetlabs/puppet/ssl/certs/.pem /etc/puppetlabs/puppet/ssl/ca/signed

Now puppet cert list lists the new certificate. But indeed the Foreman frontend keeps posting the old expire date. I found out the expiry date is being found by:

 def expiry
      ca_cert = find_by_state('valid').select {|c| c.valid_from.present?}.min_by(&:valid_from)
      if ca_cert.present?
        _("Could not locate CA certificate.")

And after this point i’m lost as my ruby knowledge is very low :slight_smile:

But I think the conclusion is that Foreman is not using puppet cert -all . So any clue?

This is where it should build the list of certificates from:

Note that it’s all in smart-proxy (Foreman Proxy) and Foreman only queries its proxy.

Ahh yes I found out it, and I logged it: I can confirm that /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all is being executed.

The sha256 from that list matched my new certificate so thats good. But does it mean that “I think the UI logic for CA is very simple in that it assumes the oldest signed certificate is the CA.” is the cause? And so yes, should I add an bug report?

Bedankt ewoud :slight_smile:

Although when I goto the Certificate tab under PuppetCA and I look for the hostname, it shows me the expiry date of the old certificate. Is this cashed or saved somewhere else?

Maybe the easiest solution is to revoke the old CA (and any certificates signed by it) if all new clients have migrated. Then it should no longer match find_by_state('valid') and find the newer CA.

same problem… i updated all my certs yesterday but the dashboard has a complete weird date of july 04th 2023 on it… doesnt correspond to the old certs (which already expired) and doesnt correspond to the new certs which dont expire for 5 and 10 years respectively. (shown below)

2023-03-29 12_36_42-Certificate Decoder - Decode certificates to view their contents
2023-03-29 12_37_01-Certificate Decoder - Decode certificates to view their contents