Cool thanks. That is actually the process I had setup in our lab but the
difference is the puppet masters certs weren't expiring. I'm using
puppetlabs-certregen to extend the CA cert instead of the manual steps you
provided. A relief that I'm pretty much going to follow the same route you
I ran into this issue a few weeks ago, but only my CA cert was expired as
my master certs were a few years newer than CA. There are a couple blog
articles I found (lost URLs) that pieced together these steps to renew CA
cert. For clients you just have to remove then re-download the CA cert
