diff --git a/NEWS b/NEWS
index 9dab052d94e9085e4e02ac2343bc803264136d6c..28330fdf4d7fc8e7dc00a3d2111e880e24bb45e5 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@ release/004.056 (2015-11-05)
     [duo] New class to load Duo code and wallet object. (adamhl)
     [ssh] Add pam_duo option to enable Duo for ssh regular logins (adamhl)
 
+    [puppetclient] Add an option to override the certname in the [agent]
+    section.
+
 release/004.055 (2015-10-08)
 
     [dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
diff --git a/manifests/puppetclient/config.pp b/manifests/puppetclient/config.pp
index 23de6b68d4143a985fbafa6a97cce5b4d01c56fe..42f8ce1a1535abd43fec1f31bbb45056def268e2 100644
--- a/manifests/puppetclient/config.pp
+++ b/manifests/puppetclient/config.pp
@@ -4,6 +4,11 @@
 # replace: set to false if you don't want Puppet to overwrite an existing
 #   /etc/puppet/puppet.conf.
 #
+#
+# certname: if you need to override the certname in the [agent] section
+# puppet.conf file, set it here. For example, on an AWS machine the
+# certname will be different than the AWS public IP hostname.
+#
 # Helper define to generate Puppet configuration files.
 define base::puppetclient::config(
   $ensure,
@@ -17,7 +22,8 @@ define base::puppetclient::config(
   $replace     = true,
   $defaultfile = '/etc/default/puppet',
   $is_master   = false,
-  $diff_args   = '-u'
+  $diff_args   = '-u',
+  $certname    = ''
 ) {
 
   $ssldir = $::osfamily ? {
@@ -63,7 +69,7 @@ define base::puppetclient::config(
           # 2. Convert the template file into /etc/puppet/puppet.conf.
           exec { 'generate-conf puppet.conf':
             command     =>
-              "generate-conf --template $template_file --config $db_config --newfile $puppet_config",
+              "generate-conf --template ${template_file} --config ${db_config} --newfile ${puppet_config}",
             refreshonly => true,
             subscribe   =>
               [
@@ -90,7 +96,7 @@ define base::puppetclient::config(
       }
     }
     absent:  { file { $name: ensure => absent } }
-    default: { crit "Invalid ensure value: $ensure" }
+    default: { crit "Invalid ensure value: ${ensure}" }
   }
 
   file { $defaultfile:
diff --git a/templates/puppetclient/puppet.conf.template.erb b/templates/puppetclient/puppet.conf.template.erb
index 693fa0f739d45487f35503bf7c60339635779244..593a3dbfb146f6b9d213be18e0a767ffc9a1ce41 100644
--- a/templates/puppetclient/puppet.conf.template.erb
+++ b/templates/puppetclient/puppet.conf.template.erb
@@ -10,14 +10,15 @@
   # Puppet 3.
   use_directory_environments = puppet3
 
+  # For the master section
   if    (hostname =~ /^jimhenson-dev$/) then
-    certname = 'jimhenson-dev.stanford.edu'
+    certname_master = 'jimhenson-dev.stanford.edu'
   elsif (hostname =~ /^jimhenson\d$/) then
-    certname = 'jimhenson.stanford.edu'
+    certname_master = 'jimhenson.stanford.edu'
   elsif (hostname =~ /^puppetservice1-dev$/) then
-    certname = 'puppetservice1-dev.stanford.edu'
+    certname_master = 'puppetservice1-dev.stanford.edu'
   elsif (hostname =~ /^puppetservice\d$/) then
-    certname = 'puppetservice.stanford.edu'
+    certname_master = 'puppetservice.stanford.edu'
   end
 
   # Figure out what Puppetmaster to use
@@ -63,6 +64,11 @@ server = <%= pserver %>
 ca_server = <%= pca_server %>
 ca_port   = 8141
 
+<% if (@certname != '') then -%>
+# We override the certname
+certname = <%= @certname %>
+
+<% end -%>
 # The Puppet environment to use.
 environment = <%= environment %>
 
@@ -126,8 +132,8 @@ show_diff = true
 environmentpath = /srv/puppet
 
 <% end -%>
-# Use <%= certname %> for the certificate name
-certname = <%= certname %>
+# Use <%= certname_master %> for the certificate name
+certname = <%= certname_master %>
 
 # We do not want to behave as a CA
 ca = false