Deploying SSL Certificates In Windows With Puppet

Chances are if you are managing servers in an organization, you have also had a lot of experience managing SSL certificates. Practically any web server should be communicating over HTTPS to clients if you want to make it secure, which means you have to deploy an SSL certificate to the server itself.

While installing an SSL certificate on Windows is somewhat trivial, having to do this manually on many web servers is time-consuming. This is the perfect task for a configuration management solution such as Puppet. With Puppet, we can write a configuration that will allow us to install an SSL certificate on many servers very quickly. What happens when that certificate expires and you need to deploy a new one? Just update the configuration code in Puppet (thumbprint, PFX file, etc.) and we are on our way.

Puppet SSLCertificate Module

The Puppet SSLCertificate module handles pfx, cer, der and p7b on Windows. In this article, I will be showing how to use it with PFX, which is a common way of installing a certificate on Windows.

The SSLCertificate class has several parameters: name, password, location, thumbprint, store_dir, root_store, scripts_dir and exportable. If you are familiar with SSL certificates, these should be self-explanatory.

Here is a simple example of using it in a Puppet manifest:

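sslcertificate { "Install-PFX-Certificate" :
  name       => 'mycert.pfx',
  # Stored in plain text here: anyone who can read the manifest can read it.
  password   => 'MyCertPassword1',
  # A backslash before the closing single quote must be doubled in Puppet.
  location   => 'C:\\',
  thumbprint => '17R341AF7F5223CB975CC29B5455642F5570798B',
}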

The name parameter is the name of the actual PFX file, the password is the password specified when you created the PFX file, the location is where the PFX is located on the machine it will be installed on, and the thumbprint is the thumbprint of the certificate.
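
As an added example (not from the original article or the SSLCertificate module), the PowerShell below checks that the thumbprint written in the manifest is well formed and matches the PFX, then confirms the certificate is installed with its private key. The function names and the default store Cert:\LocalMachine\My are assumptions.

```powershell
# Added example, not from the sslcertificate module. The store path
# Cert:\LocalMachine\My is an assumption; adjust it to your store settings.

function Test-ThumbprintFormat {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # A Windows thumbprint is the SHA-1 hash of the certificate: 40 hex digits.
    # Anything else (typos, spaces, hidden characters from copy/paste) fails.
    return $Thumbprint -match '^[0-9A-Fa-f]{40}$'
}

function Get-PfxThumbprint {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Open the PFX without importing it into a certificate store.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    try { return $cert.Thumbprint } finally { $cert.Reset() }
}

function Test-PfxDeployment {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ManifestThumbprint,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    if (-not (Test-ThumbprintFormat -Thumbprint $ManifestThumbprint)) {
        throw "Manifest thumbprint '$ManifestThumbprint' is not 40 hex digits."
    }
    # Prompt for the password so it never lands in a script or shell history.
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    $actual = Get-PfxThumbprint -Path $PfxPath -Password $password
    if ($actual -ne $ManifestThumbprint) {
        throw "PFX thumbprint $actual does not match the manifest."
    }
    # After the Puppet run the certificate should be in the store with its key.
    $installed = Get-Item -Path "$Store\$actual" -ErrorAction Stop
    [pscustomobject]@{
        Thumbprint    = $installed.Thumbprint
        HasPrivateKey = $installed.HasPrivateKey
        NotAfter      = $installed.NotAfter
        DaysLeft      = [int]($installed.NotAfter - (Get-Date)).TotalDays
    }
}

# Usage (path from the article's example):
# Test-PfxDeployment -PfxPath 'C:\mycert.pfx' -ManifestThumbprint '<thumbprint from the manifest>'
```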

Deploying an SSL Certificate Example

The above code in our manifest is fine for importing the PFX certificate, but how do we actually get the PFX file onto the remote machine? For this, we turn to the Puppet “file” resource. Using this resource in a manifest, we can copy a PFX file from our Puppet master to a node.

In our example manifest, we will start by defining the file we want to copy over:

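file { 'C:\mycert.pfx':
  ensure => present,
  source => 'puppet:///modules/ssl_certificate/mycert.pfx',
  owner  => 'DOMAIN\Dan',
  # group takes a single value, not an array.
  group  => 'Administrators',
  # The last digit (7) grants Everyone read, write and execute on the PFX,
  # which contains the private key; tighten it for production.
  mode   => '1777',
} ->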


