Regenerate the SAML certificate

By default, the SAML certificate expires every 824 days. Regenerate the certificate when it is nearing or past expiration.

To check the expiry date of your current certificate, run this command on your primary server:
/opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/saml-cert.pem -noout -startdate -enddate

To generate a new SAML certificate, remove the existing certificate. After you remove the existing certificate, a new one is generated automatically on the next Puppet run.

  1. Remove the existing SAML certificate.
    On the primary server, run both of these commands:
    puppet ssl clean --certname saml-cert
    puppetserver ca clean --certname saml-cert
  2. Run Puppet to generate a new certificate.
    On the primary server, run:
    puppet agent -t
    Alternatively, you can wait for the next Puppet run.
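
The following script is an added example, not part of the Puppet documentation. It wraps the expiry check shown above so that it can run on a schedule and flag the certificate for regeneration before it expires. The function names and the 30-day default threshold are assumptions, and the script assumes GNU date, which parses the notAfter format that openssl prints.

```shell
#!/bin/sh
# Added example: flag the SAML certificate for regeneration before it expires.
# Paths are the ones used on this page; function names are hypothetical.
OPENSSL=/opt/puppetlabs/puppet/bin/openssl
SAML_CERT=/etc/puppetlabs/puppet/ssl/certs/saml-cert.pem

# secs_left "<notAfter=... line>" [now_epoch]
# Prints seconds until expiry (negative once expired). Assumes GNU date.
secs_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( end - ${2:-$(date -u +%s)} ))
}

# cert_status "<notAfter=... line>" <threshold_days> [now_epoch]
# Prints EXPIRED, RENEW (inside the threshold window) or OK.
cert_status() {
    left=$(secs_left "$1" "$3") || return 2
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( $2 * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# check_saml_cert [threshold_days]
# Reads the end date with the openssl command from this page and
# returns non-zero when the certificate should be regenerated.
check_saml_cert() {
    threshold=${1:-30}
    line=$("$OPENSSL" x509 -in "$SAML_CERT" -noout -enddate) || return 2
    status=$(cert_status "$line" "$threshold") || return 2
    echo "$status: $line"
    [ "$status" = OK ]
}
```

Source the file and call `check_saml_cert 30` from a scheduled job on the primary server; a non-zero exit status means the regeneration steps above are due.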