Table of contents
1. Introduction
2. How to use a custom SSL certificate for the console?
3. Generate a custom Diffie-Hellman parameter file
4. Enable TLSv1
5. Frequently Asked Questions
5.1. What is the Diffie-Hellman parameter?
5.2. What is the command used for running a Puppet application?
5.3. What is TLSv1?
6. Conclusion
Last Updated: Aug 13, 2025

Advanced Concepts of SSL and Certificates in Puppet

Author Nagendra

Introduction

Puppet is a DevOps tool that centralises and automates configuration management, and it is also used for software deployment. It is offered in both open-source and paid editions. It helps with managing server configuration, deploying servers, and orchestrating the deployment of multiple applications across a large amount of infrastructure in a business.

This blog explains the Advanced Concepts of SSL and Certificates in Puppet: using a custom SSL certificate for the console, generating a custom Diffie-Hellman parameter file, and enabling TLSv1.

Without further ado, let's get started.


How to use a custom SSL certificate for the console?

The certificate used by the Puppet Enterprise (PE) console is signed by the certificate authority (CA) built into PE. Because this CA is specific to PE, web browsers do not recognise or trust it, so you must add a security exception to access the console. If this is unacceptable, you can instead have the console's certificate issued by a custom CA.

Follow these steps to use a custom SSL certificate for the console:

  • Obtain the custom certificate and its private key.

  • Move the certificate to /etc/puppetlabs/puppet/ssl/certs/console-cert.pem, replacing any existing console-cert.pem file.

  • Move the private key to /etc/puppetlabs/puppet/ssl/private_keys/console-cert.pem, replacing any existing console-cert.pem file.

  • If you had previously specified a custom SSL certificate, remove the browser_ssl_cert and browser_ssl_private_key parameters from the console or from your Hiera data, whichever you used:

  • In the PE console, on the Node groups tab, expand the PE Infrastructure group and select the PE Console node group. On the Classes tab, find the puppet_enterprise::profile::console class, remove any browser_ssl_cert and browser_ssl_private_key parameters, and commit the changes.

  • If you previously set the parameters on the Configuration data tab, remove them there and save your changes.

  • If you defined the parameters in Hiera, remove them from your Hiera data. Consult Configure settings with Hiera for further details.

  • Run Puppet: puppet agent -t

You can access your console from your browser and view the custom certificate there.

Let's look into the details of generating a custom Diffie-Hellman parameter file.

Generate a custom Diffie-Hellman parameter file

The "Logjam Attack" (CVE-2015-4000) exposed a number of weaknesses in the Diffie-Hellman (DH) key exchange. To help mitigate it, PE ships with a pre-generated 2048-bit Diffie-Hellman parameter file. If you do not want to use the default file, you can create your own DH parameter file.

Follow these steps to generate a custom Diffie-Hellman parameter file:

  • Run the following command on your main server:

Command:

/opt/puppetlabs/puppet/bin/openssl dhparam -out /etc/puppetlabs/nginx/<PROXY-CUSTOM-dhparam>.pem 2048

  • Add the following parameter and value to your pe.conf file (found at /etc/puppetlabs/enterprise/conf.d/pe.conf):

Command:

"puppet_enterprise::profile::console::proxy::dhparam_file": "/etc/puppetlabs/nginx/<PROXY-CUSTOM-dhparam>.pem"

  • Run Puppet: puppet agent -t
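Before moving a custom console certificate and a custom DH parameter file into the paths from the two procedures above, a practitioner would want to confirm that the certificate and private key belong together, that the certificate has not expired, and that the DH group is at least as large as the 2048-bit file PE ships. The script below is an added example, not from this page or from Puppet; it assumes only the openssl CLI, and the function names and the file paths passed to it are the example's own choices.

```shell
#!/bin/sh
# Pre-flight checks for a custom PE console certificate and a custom DH
# parameter file. Added example, not from the page or from Puppet; it assumes
# only the openssl CLI. Function names are the author's own choices.

# Succeeds when certificate and private key carry the same public key, i.e.
# they belong together; a mismatched pair breaks the console's TLS listener.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate has not yet expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Prints the size in bits of the DH modulus in a parameter file
# (prints nothing if the file does not parse as DH parameters).
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only for a group of at least 2048 bits, the size PE ships as its
# Logjam mitigation; a smaller custom group would weaken the default.
dhparam_is_strong() {
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Runs all checks on CERT KEY DHPARAM and reports; returns 0 only if all pass.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" && echo "ok: certificate matches private key" ||
        { echo "FAIL: certificate and private key do not match"; rc=1; }
    cert_is_current "$1" && echo "ok: certificate has not expired" ||
        { echo "FAIL: certificate has expired"; rc=1; }
    dhparam_is_strong "$3" && echo "ok: DH group is $(dhparam_bits "$3") bits" ||
        { echo "FAIL: DH parameters missing, unreadable or under 2048 bits"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh console-cert.pem console-cert.key dhparam.pem
[ $# -eq 3 ] && preflight "$@"
```

Run it against the new files before replacing the existing console-cert.pem and before pointing dhparam_file at the new parameter file; a non-zero exit means one of the checks failed.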
     

Let's look into the details of enabling TLSv1.

Enable TLSv1

In order to comply with security rules, TLSv1 and TLSv1.1 are disabled by default from 2021 in Puppet Enterprise (PE) 7.z versions.

TLSv1 must be enabled in order to deploy agents on these platforms:

  • AIX
  • Solaris 11

The following steps enable TLSv1:

  • In the PE console, navigate to Node groups > PE Infrastructure.

  • On the Configuration data tab, locate or add the puppet_enterprise::master::puppetserver class.

  • Set the value of its ssl_protocols parameter to an array of strings naming the permitted TLS versions.

Example:

["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

  • Click Add Data, then Commit Changes.

  • Run Puppet on the main server and on all compilers.

Frequently Asked Questions

What is the Diffie-Hellman parameter?

The Diffie-Hellman parameter specifies how OpenSSL carries out the Diffie-Hellman (DH) key exchange.

What is the command used for running a Puppet application?

The puppet agent -t command is used to run the Puppet application (it triggers a Puppet agent run).

What is TLSv1?

TLSv1 is the most recent SSL protocol version that OpenSSH supports on z/VSE.

Conclusion

In this article, we have discussed the Advanced Concepts of SSL and Certificates in Puppet: using a custom SSL certificate for the console, generating a custom Diffie-Hellman parameter file, and enabling TLSv1.

We hope that this blog has helped you enhance your knowledge regarding Advanced Concepts of SSL and Certificates in Puppet. If you would like to learn more, you can refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSA, DBMS, Competitive Programming, Python, Java, JavaScript, etc. To practice and improve yourself for interviews, you can also check out Top 100 SQL problems, Interview experience, Coding interview questions, and the Ultimate guide path for interviews. Do upvote our blog to help other ninjas grow. Happy Coding!!
