Puppet SSL Explained http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/
replace puppet ca cert http://blkperl.github.io/replace-puppet-ca.html
- clean a client's certificate and regenerate it
. on the puppet master
# puppet cert --clean {node certname}
. on the client
# rm -r /etc/puppet/ssl; rm -r /var/lib/puppet/ssl
. regenerate on the client by restarting the puppet agent after the clean
. on the master, check that there is a new cert waiting to be signed:
# puppetca --list
. on the master, sign the requested cert:
# puppetca --sign <node-name>
- Re-generate the puppet master’s certificate
. clean the old cert
# puppetca --clean "$(puppet master --configprint certname)"
or
# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
. start a non-daemonized WEBrick puppet master instance, and wait for it to generate and sign a new certificate:
# puppet master --no-daemonize --verbose
or
# puppet master --verbose --no-daemonize --certname "Puppet CA: `hostname -f`"
stop the temporary puppet master with ctrl-C after seeing the “notice: Starting Puppet master version 2.6.9” message.
. restart the puppet master
( the simplest way is just to remove the /var/lib/puppet/ssl directory and restart the puppetmaster )
- manually verifying the certificate with openssl
- look at the certificate content
- to see the hostnames the puppet master’s certificate is issued for, plus its certname, ssldir, manifest and modulepath
# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/puppet.pem
# puppet master --configprint certname
# puppet master --configprint ssldir
# puppet master --configprint manifest
# puppet master --configprint modulepath
. on the node
# puppet agent --test --fingerprint
. on the master
# puppetca --list node.domain.com --fingerprint
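A small parser for the `openssl x509 -text -noout` output above, added here as an example (it is not part of the original notes), that checks what an agent actually cares about after the master cert is regenerated: that the hostname it connects to is the subject CN or a DNS SAN, that the issuer is the “Puppet CA: <fqdn>” name, and that the cert has not expired. The sample output, the hostnames and the `check_master_cert` helper are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of `openssl x509 -text -noout` output for a puppet master
# certificate (placeholder names, not from a real system); only checked lines kept.
SAMPLE = """\
Certificate:
        Issuer: CN=Puppet CA: puppet.example.com
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2028 GMT
        Subject: CN=puppet.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.example.com
"""

def _cn(dn):
    """First CN of a DN string such as 'CN=puppet.example.com'."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn or "")
    return m.group(1).strip() if m else None

def parse_x509_text(text):
    """Pull subject, issuer, expiry and DNS SANs out of openssl's text dump."""
    def field(label):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(label), text, re.M)
        return m.group(1) if m else None
    sans = []
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if m:
        sans = [s.split(":", 1)[1].strip() for s in m.group(1).split(",")
                if s.strip().startswith("DNS:")]
    return {"subject_cn": _cn(field("Subject")), "issuer_cn": _cn(field("Issuer")),
            "not_after": datetime.strptime(field("Not After"), "%b %d %H:%M:%S %Y GMT"),
            "sans": sans}

def check_master_cert(text, expected_host, ca_host, today):
    """Problems an agent would hit connecting to expected_host; [] means OK.
    today is an ISO date (YYYY-MM-DD) so the expiry check is reproducible."""
    info = parse_x509_text(text)
    names = {n for n in [info["subject_cn"], *info["sans"]] if n}
    problems = []
    if expected_host not in names:
        problems.append("cert does not cover %s (has %s)" % (expected_host, sorted(names)))
    if info["issuer_cn"] != "Puppet CA: " + ca_host:
        problems.append("issuer is %r, expected 'Puppet CA: %s'" % (info["issuer_cn"], ca_host))
    if info["not_after"] <= datetime.strptime(today, "%Y-%m-%d"):
        problems.append("certificate expired on %s" % info["not_after"].date())
    return problems
```

Feed it the real output of the openssl command above, with the fqdn agents use as `expected_host`, and any non-empty list is the reason agents will refuse the new master cert.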