Use a custom SSL certificate for the console
The Puppet Enterprise (PE) console uses a certificate signed by PE's built-in certificate authority (CA). Because this CA is specific to PE, web browsers don't know it or trust it, and you have to add a security exception in order to access the console. If you find that this is not an acceptable scenario, you can use a custom CA to create the console's certificate.
Before you begin
- You need a X.509 cert, signed by the custom party CA, in PEM format, with matching private and public keys.
- If your custom cert is issued by an intermediate CA, the CA bundle must contain a complete chain, including the applicable root CA.
- These keys and certs must be in PEM format.
- Retrieve the custom certificate and private key.
Move the certificate to
/etc/puppetlabs/puppet/ssl/certs/console-cert.pem, replacing any existing file named
Move the private key to
/etc/puppetlabs/puppet/ssl/private_keys/console-cert.pem, replacing any existing file named
If you previously specified a custom SSL certificate, remove the
browser_ssl_private_keyparameters specified in the console or Hiera data.In the PE console, go to the Node groups page, expand the PE Infrastructure group, and select the PE Console node group. Then, on the Classes tab, locate the
puppet_enterprise::profile::consoleclass, remove any
browser_ssl_private_keyparameters, and commit changes.If you declared these parameters on the Configuration data tab, remove them from that tab and commit changes.If you declared these parameters with Hiera, remove them from your Hiera data. For more information, refer to Configure settings with Hiera.
puppet agent -t
You can navigate to your console and see the custom certificate in your browser.