I've spent about 12 hours trying to get an existing CA to be used with a new puppetmaster setup; any help is appreciated:

I have an existing CA that I want to use on a new puppetmaster setup. I copied my existing private key and CA cert, used the private key to generate the public key into /var/lib/puppet/ssl/ca.

Running openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -text -noout gives something like:

    Certificate:
        Data:
            Version: 3
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Login Master CA
            Validity: ....
            Subject: CN=Login Master CA
            ....

I run "puppet master --no-daemonize" to get an initial server cert created and signed by this CA. Output of the "openssl x509 -in /var/lib/puppet/ssl/certs/myserver.com.pem -text -noout" gives something like (it is a 1024 bit cert):

    Certificate:
        Data:
            Version: 3
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Login Master CA
            Validity: ....
            Subject: CN=myserver.com
            ...

My /etc/hosts has "myserver.com" defined. My /etc/puppet/puppet.conf has "certname=myserver.com" in the [master] section.

So if I try to connect with "openssl s_client -connect myserver.com:8140 -state -showcerts -CAfile ... -cert ... -key ..." I get an SSL handshake failure. When I try to do the same thing with Apache/passenger, I can get the cert listing. However, running "puppet agent --test" fails with a "certificate verify" error in both the Apache and the direct puppetmaster cases.

Is the issue that my "Subject/CN=" in my original CA cert doesn't match my hostname? I tried setting "certname=login master ca" in my puppet.conf, but that didn't help either.

Thanks.

-- G