Regenerate the console certificate

The console certificate expires every 824 days. Regenerate the console certificate when it is nearing or past expiration, or if the certificate is corrupted and you're unable to access the console.

To check the expiry date of your current certificate, run this command on your primary server:
/opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/console-cert.pem -noout -startdate -enddate
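
The date check above can be scripted so that it also catches a certificate that is corrupted or about to expire. The following is an added example, not part of the original page or of Puppet's own tooling; the 30-day threshold, the function names and the sample-certificate helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the console certificate before deciding to regenerate it.
# The 30-day default threshold is an assumption of this example, not a Puppet setting.

CONSOLE_CERT=/etc/puppetlabs/puppet/ssl/certs/console-cert.pem

# Prefer the openssl bundled with Puppet (path from the page); else use the system one.
OPENSSL=/opt/puppetlabs/puppet/bin/openssl
[ -x "$OPENSSL" ] || OPENSSL=openssl

# console_cert_status CERT [DAYS]
# Prints one of: missing, unreadable, expired, renew, ok
console_cert_status() {
    cert=$1
    days=${2:-30}

    [ -f "$cert" ] || { echo missing; return 0; }

    # A corrupted or truncated PEM file fails to parse at all.
    "$OPENSSL" x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo unreadable; return 0; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    "$OPENSSL" x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo expired; return 0; }
    "$OPENSSL" x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo renew; return 0; }

    echo ok
}

# make_sample_cert DIR: constructed self-signed certificate for trying the check
# without touching the real one. 824 days matches the lifetime stated above.
make_sample_cert() {
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 824 -subj "/CN=console-cert" \
        -keyout "$1/sample-key.pem" -out "$1/sample-cert.pem" >/dev/null 2>&1
}

# On a primary server this reports on the real console certificate.
console_cert_status "$CONSOLE_CERT" 30
```

A result of renew, expired or unreadable is the cue to regenerate the certificate.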

To generate a new console certificate, remove the existing certificate. After you remove the existing certificate, a new one is generated automatically on the next Puppet run.

  1. Remove the existing console certificate.
    On your primary server, run both these commands:
    puppet ssl clean --certname console-cert
    puppetserver ca clean --certname console-cert
  2. Run Puppet to generate a new certificate.
    On the primary server, run:
    puppet agent -t
    Alternatively, you can wait for the next Puppet run.