Managing certificate signing requests
When you install a Puppet agent on a node, the agent must submit a certificate signing request (CSR) to the primary server, and you must accept the CSR to add the node to your Puppet Enterprise (PE) inventory. Accepting the CSR allows Puppet to run on the node and enforce your configuration, which in turn adds node information to PuppetDB and makes the node available throughout the PE console.
If you install agents from the console, the agent automatically submits a certificate signing request (CSR) to the primary server. If you use another method, such as installing agents with the install script, you might need to run puppet to generate the CSR after installing the agent.
If necessary after installing the agent, you can edit the node's certname or other CSR attribute settings in the node's csr_attributes.yaml files. You can edit the puppet.conf file directly (at /etc/puppetlabs/puppet/puppet.conf) or use the config set sub-command. For example, to set the certname for the agent, run /opt/puppetlabs/bin/puppet config set certname agent.example.com. For more information about csr_attributes.yaml, go to Customize the install script. (This page is about setting these properties with the agent install script, but you can edit these properties after installing the agent.)
Managing CSRs in the console
In the Puppet Enterprise (PE) console, you can accept or reject CSRs individually or in batches.
- In the console, go to .
- To manage an individual CSR, click Accept or Reject.
- To manage all unsigned CSRs at once, click Accept All or Reject All.
  Important: Stay on this page while the CSRs are processed. Nodes are processed in batches, and closing your browser or navigating to another page stops the process after the current batch.
- To make the node available in the console, manually start a Puppet run or wait for the next scheduled Puppet run.
Managing CSRs on the command line
You can use the command line to view and sign individual CSRs.
These instructions use *nix commands. For Windows, run the commands in an administrator command
- To view pending CSRs, run:
sudo puppetserver ca list
- To sign a CSR, run:
sudo puppetserver ca sign --certname <NAME>
You can use the Puppet Server CA CLI to sign certificates with altnames or auth extensions by default.
- To make the node available in the console, run puppet agent -t or wait for the next scheduled Puppet run.
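
Because the CA CLI signs requests with altnames or auth extensions by default, it helps to check what each pending CSR asks for before running the sign command. The shell script below is an added example, not part of the Puppet documentation. It assumes the line layout of the puppetserver ca list output described in its comments; the inventory file, the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage pending CSRs before signing any of them.
# Assumption: stdin is the text printed by `sudo puppetserver ca list`, one
# CSR per line as "<certname> (SHA256) <fingerprint>", optionally followed by
# "alt names: [...]" and "authorization extensions: [...]".

# triage_csrs EXPECTED_FILE   (CA list output on stdin)
# Prints "OK <certname> <fingerprint>" or "REVIEW <certname> <reasons>".
triage_csrs() {
  awk -v expected="$1" '
    BEGIN {
      # Load the certnames we expect to enroll (hypothetical inventory file).
      while ((getline name < expected) > 0) if (name != "") want[name] = 1
    }
    $2 == "(SHA256)" {
      reasons = ""
      if (!($1 in want))                    reasons = reasons ",unexpected-certname"
      if ($0 ~ /alt names:/)                reasons = reasons ",alt-names"
      if ($0 ~ /authorization extensions:/) reasons = reasons ",auth-extensions"
      if (reasons == "") print "OK", $1, $3
      else               print "REVIEW", $1, substr(reasons, 2)
    }
  '
}

# Constructed sample, not output captured from a real CA.
sample_list() {
  cat <<'EOF'
Requested Certificates:
    web01.example.com   (SHA256)  AA:11:22:33
    db01.example.com    (SHA256)  BB:44:55:66  alt names: ["DNS:puppet", "DNS:db01.example.com"]
    rogue.example.net   (SHA256)  CC:77:88:99
    ops01.example.com   (SHA256)  DD:00:AB:CD  authorization extensions: [pp_cli_auth: true]
EOF
}

# Runs the triage over the sample with a constructed three-node inventory.
demo() {
  inv=$(mktemp)
  printf '%s\n' web01.example.com db01.example.com ops01.example.com > "$inv"
  sample_list | triage_csrs "$inv"
  rm -f "$inv"
}

demo
```

On a primary server, pipe the real list output into triage_csrs with your own inventory file, and sign only the entries whose fingerprint you have confirmed against the node.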