(identity.key, identity.cert) pair the agent uses for every subsequent broker call.
What enrollment does
certplane-agent -c <config> enroll:
- Acquires a file lock at
<state_dir>/agent.lock. - Refuses to run if
identity.certalready exists. - Generates an ECDSA P-256 key at
identity.key(mode0600) if missing, otherwise reuses it. - Reads the bootstrap token at
identity.bootstrap_token. - Builds a CSR with
CN = identity.nameand submits it tostep-caatidentity.step_ca.url, verifying the server usingidentity.step_ca.fingerprintoridentity.step_ca.root_ca_bundle. - Writes the returned identity certificate to
identity.certand removes the bootstrap token file.
enroll safe to run from Ansible — re-runs against an already-enrolled host fail fast.
Generate a bootstrap token
On yourstep-ca host:
identity.name in the agent config. Tokens are single-use and short-lived.
Place the token on the host
no_log: true and only when the identity certificate is missing.
Agent identity config
The minimum fields needed for enrollment:step_ca.fingerprint or step_ca.root_ca_bundle. The full schema is in Agent configuration.
Run enrollment
identity.crt and deletes the bootstrap token. The host is now ready to run the renewal loop.
Validate the config without enrolling
check validates the YAML, applies defaults, runs the same Validate() logic the agent uses at startup, and confirms expected files are reachable. It does not contact step-ca or the broker.
Troubleshooting
identity cert already exists at ...
identity cert already exists at ...
Enrollment is one-shot. To re-enroll, delete
identity.cert and identity.key, generate a fresh bootstrap token, and run enroll again.reading bootstrap token: no such file or directory
reading bootstrap token: no such file or directory
The token file at
identity.bootstrap_token is missing. With Ansible, this means the certplane_agent_bootstrap_token variable was not set on this host.bootstrap token is empty
bootstrap token is empty
The token file exists but is whitespace-only. Regenerate it with
step ca token ....enrollment succeeded but the next run fails authenticating to the broker
enrollment succeeded but the next run fails authenticating to the broker
The broker’s
server.mtls.agent_ca_bundle must trust the CA that signed identity.cert. If you rotated the step-ca intermediate after deploying the broker, redeploy the bundle.Next: run the agent
Running the agent covers therun subcommand, the systemd timer, and the renewal model.