Adding a certificate to the Puppet Enterprise console.

2 minute read

The following discusses how to add a certificate to the Puppet Enterprise Console.

generate a csr puppet.piccola.us.csr and submit it to a CA. in this example a cert request was generated with PowerShell and submitted to a Microsoft CA.
download it puppet.piccola.us.cer in .der format. once downloaded add it to the personal store of a windows machine then export it with keys and extensions as a .pfx (e.g. puppet.piccola.us.pfx).

at this point you should have the following three files.

C:\scripts\puppet_ec_cert\pec> l
 Directory: C:\scripts\puppet_ec_cert\pec
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/12/2018   8:17 PM           1224 puppet.piccola.us.cer
-a----        6/12/2018   8:16 PM           1384 puppet.piccola.us.csr
-a----        6/12/2018   8:20 PM           6049 puppet.piccola.us.pfx

install and use openssl to convert pfx to pem.

choco install openssl.light
openssl pkcs12 -in puppet.piccola.us.pfx -clcerts -nokeys -out public-console.cert.pem
Enter Import Password: *****

use openssl to create passphrased private key.

openssl pkcs12 -in puppet.piccola.us.pfx -nocerts -out public-console.private_key_PASSPHRASED_.pem
Enter Import Password: *****
Enter PEM pass phrase: *****

use openssl to remove passphrase from private key.

openssl rsa -in public-console.private_key_PASSPHRASED_.pem -out public-console.private_key.pem
Enter pass phrase for public-console.private_key_PASSPHRASED_.pem: *****
writing RSA key

at this point you should have the following six files.

 C:\scripts\puppet_ec_cert\pec> l
 Directory: C:\scripts\puppet_ec_cert\pec
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/12/2018   9:30 PM           2034 public-console.cert.pem
-a----        6/12/2018   9:34 PM           1706 public-console.private_key.pem
-a----        6/12/2018   9:33 PM           2145 public-console.private_key_PASSPHRASED_.pem
-a----        6/12/2018   8:17 PM           1224 puppet.piccola.us.cer
-a----        6/12/2018   8:16 PM           1384 puppet.piccola.us.csr
-a----        6/12/2018   8:20 PM           6049 puppet.piccola.us.pfx

copy public-console.cert.pem and public-console.private_key.pem to /opt/puppetlabs/server/data/console-services/certs on the Puppet server.

root@puppet:/opt/puppetlabs/server/data/console-services/certs# ls -la
total 36
drwx------ 3 pe-console-services pe-console-services 4096 Jun 12 21:40 .
drwxrwx--- 3 pe-console-services pe-console-services 4096 Sep  8  2017 ..
drwxr-xr-x 2 root                root                4096 Jun 12 21:40 old
-rw-r--r-- 1 root                root                2034 Jun 12 20:33 public-console.cert.pem
-rw-r--r-- 1 root                root                1706 Jun 12 20:51 public-console.private_key.pem
-r-------- 1 pe-console-services pe-console-services 2086 Jun 12 21:40 puppet.piccola.us.cert.pem
-r-------- 1 pe-console-services pe-console-services 3243 Jun 12 21:40 puppet.piccola.us.private_key.pem
-r-------- 1 pe-console-services pe-console-services 2374 Jun 12 21:40 puppet.piccola.us.private_key.pk8
-r-------- 1 pe-console-services pe-console-services  800 Jun 12 21:40 puppet.piccola.us.public_key.pem

Use the console to edit the parameters of the puppet_enterprise::profile::console class.
1. Click Classification, and in the PE Infrastructure group, select the PE Console group.
2. On the Configuration tab, in the puppet_enterprise::profile::console class, add the following parameters:

Parameter	Value
`browser_ssl_cert`	`/opt/puppetlabs/server/data/console-services/certs/public-console.cert.pem`
`browser_ssl_private_key`	`/opt/puppetlabs/server/data/console-services/certs/public-console.private_key.pem`

run puppet agent -t on the master.
```
root@puppet:~# puppet agent -t
```

use nmap’s “ssl-cert.nse” script to verify.

c:\> nmap --script=ssl-cert.nse -p 443 puppet.piccola.us
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=puppet.piccola.us
| Subject Alternative Name: DNS:puppet.piccola.us
| Issuer: commonName=Piccola Subordinate CA I
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-06-13T02:09:48
| Not valid after:  2020-06-12T02:09:48
| MD5:   e5a6 bb29 8870 b967 49d2 ecf1 0514 c2a2
|_SHA-1: eaf5 df14 db39 d2dc e502 3276 862b 0532 1ce1 557e
MAC Address: 00:50:56:89:9F:17 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

Share on

Twitter Facebook Google+ LinkedIn

Joey Piccola

Adding a certificate to the Puppet Enterprise console.

Share on

You May Also Enjoy

Large file listing diffs with postgres

A Puppet fact for the OU location of a server in Active Directory

Executing Puppet Tasks with PowerShell via the Puppet Orchestrator API

Generating a certificate request with SAN via PowerShell