One client key on multiple nodes

Hello all,

In Policy ->Clients->create

I created a key to use for several nodes?

Can I use the same pem file to bootstrap multiple nodes

Yes but make sure you delete it after the bootstrap by adding “recipe[chef-client::delete_validation]”, in the node run_list.

thanks for the quic reponse , how do you use it actually while bootstrap or after installing the client.


You can added it during the bootstrap or after but make sure it gets deleted for security reason.
Note: the chef-client cookbook has to be uploaded on the chef server.

still not working

knife bootstrap x.x.x.x root -P --identity-file /data/chef-keys/mru-esx.pem --node-name dumburtle

Missing the -x before the root
knife bootstrap x.x.x.x -x root -P --identity-file /data/chef-keys/mru-esx.pem --node-name dumburtle

yes but the .pem file doesnt seems to go on the server?

Mmm i am not sure if you can do it this way… i usually do it on our azure machines using the “Unattended Installs”
This link might help

try to follow these steps:

  1. Install chef-client

Either use the script or download and install the correct chef-client package for your OS.

  1. Create /etc/chef/client.rb

Perhaps you can use one of your bootstrapped nodes as a reference. The important bit is that you have chef_server_url pointing at your Chef server.



chef_server_url ""
validation_client_name "myorg-validator"
validation_key "/etc/chef/myorg-validator.pem"
log_level :info
3. Copy validation key

The key you got after running chef-server-ctl org-create. If lost you can generate a new one from Chef Manage.

Copy the key to /etc/chef/myorg-validator.pem (to what is configured as validation_key in client.rb)

  1. Fetch SSL cert

Optionally, if the SSL certificate on your Chef server isn’t signed (it probably isn’t), you must manually fetch it so that knife/chef-client will trust the certificate.

mkdir /etc/chef/trusted_certs
knife ssl fetch -c /etc/chef/client.rb
See also

thanks will try soon

seems to work but its not like automatic from the server , i have to connect into thenode and type chef-client

have a look at this:

very interestting let me test and let you know

is there a way to make the client.rb file grab the cookbook on registration to the chef server

On Azure you can do it via the Chef extension, or you can use the bash/powershell script provided by chef in here:

#!/bin/bash -xev

Do some chef pre-work

/bin/mkdir -p /etc/chef
/bin/mkdir -p /var/lib/chef
/bin/mkdir -p /var/log/chef

Setup hosts file correctly

cat > “/etc/hosts” << EOF compliance-server chef-server automate-server

cd /etc/chef/

Install chef

curl -L | bash || error_exit ‘could not install chef’

Create first-boot.json

cat > “/etc/chef/first-boot.json” << EOF
“run_list” :[

NODE_NAME=node-$(cat /dev/urandom | tr -dc ‘a-zA-Z0-9’ | fold -w 4 | head -n 1)

Create client.rb

/bin/echo ‘log_location STDOUT’ >> /etc/chef/client.rb
/bin/echo -e “chef_server_url “https://aut-chef-server/organizations/my-org”” >> /etc/chef/client.rb
/bin/echo -e “validation_client_name “my-org-validator”” >> /etc/chef/client.rb
/bin/echo -e “validation_key “/etc/chef/my_org_validator.pem”” >> /etc/chef/client.rb
/bin/echo -e “node_name “${NODE_NAME}”” >> /etc/chef/client.rb

sudo chef-client -j /etc/chef/first-boot.json