
FreeBSD Manual Pages


PUPPET-CERT(8)                   Puppet manual                   PUPPET-CERT(8)

       puppet-cert - Manage certificates and requests (Deprecated)

       Standalone certificate authority. Capable of generating certificates,
       but mostly used for signing certificate requests from puppet clients.

       puppet cert action [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
       [--digest digest] [host]

       Because the puppet master service defaults to not signing client
       certificate requests, this script is available for signing outstanding
       requests. It can be used to list outstanding requests and then either
       sign them individually or sign all of them.

       Every action except 'list' and 'generate' requires a hostname to act
       on, unless the '--all' option is set.

       The most important actions for day-to-day use are 'list' and 'sign'.

       clean  Revoke a host's certificate (if applicable) and remove all files
              related to that host from puppet cert's storage. This is useful
              when rebuilding hosts, since new certificate signing requests
              will only be honored if puppet cert does not have a copy of a
              signed certificate for that host. If '--all' is specified then
              all host certificates, both signed and unsigned, will be re-

       fingerprint
              Print the DIGEST (defaults to the signing algorithm) fingerprint
              of a host's certificate.

       generate
              Generate a certificate for a named client. A certificate/keypair
              will be generated for each client named on the command line.

       list   List outstanding certificate requests. If '--all' is specified,
              signed certificates are also listed, prefixed by '+', and
              revoked or invalid certificates are prefixed by '-' (the
              verification outcome is printed in parenthesis). If
              '--human-readable' or '-H' is specified, certificates are
              formatted in a way to improve human scan-ability. If
              '--machine-readable' or '-m' is specified, output is formatted
              concisely for consumption by a

       print  Print the full-text version of a host's certificate.

       revoke Revoke the certificate of a client. The certificate can be
              specified either by its serial number (given as a hexadecimal
              number prefixed by '0x') or by its hostname. The certificate is
              revoked by adding it to the Certificate Revocation List given by
              the 'cacrl' configuration option. Note that the puppet master
              needs to be restarted after revoking certificates.

       sign   Sign an outstanding certificate request. If '--interactive' or
              '-i' is supplied the user will be prompted to confirm that they
              are signing the correct certificate (recommended). If
              '--assume-yes' or '-y' is supplied the interactive prompt will
              assume the answer of 'yes'.

       verify Verify the named certificate against the local CA certificate.

       reinventory
              Build an inventory of the issued certificates. This will destroy
              the current inventory file specified by 'cert_inventory' and
              recreate it from the certificates found in the 'certdir'. Ensure
              the puppet master is stopped before running this action.

       Note that any setting that's valid in the configuration file is also a
       valid long argument. For example, 'ssldir' is a valid setting, so you
       can specify '--ssldir directory' as an argument.

       See the configuration file documentation at https://pup- for the full
       list of acceptable parameters. A commented list of all configuration
       options can also be generated by running puppet cert with
       '--genconfig'.

       --all  Operate on all items. Currently only makes sense with the
              'sign', 'list', and 'fingerprint' actions.

       --allow-dns-alt-names
              Sign a certificate request even if it contains one or more
              alternate DNS names. If this option isn't specified, 'puppet
              cert sign' will ignore any requests that contain alternate
              names.

              In general, ONLY certs intended for a Puppet master server
              should include alternate DNS names, since Puppet agent relies on
              those names for identifying its rightful server.

              You can make Puppet agent request a certificate with alternate
              names by setting 'dns_alt_names' in puppet.conf or specifying
              '--dns_alt_names' on the command line. The output of 'puppet
              cert list' shows any requested alt names for pending certificate

       --allow-authorization-extensions
              Enable the signing of a request with authorization extensions.
              Such requests are sensitive because they can be used to write
              access rules in Puppet Server. Currently, this is the only means
              by which such requests can be signed.

       --digest
              Set the digest for fingerprinting (defaults to the digest used
              when signing the cert). Valid values depend on your openssl and
              openssl ruby extension version.

       --debug
              Enable full debugging.

       --help Print this help message

       --verbose
              Enable verbosity.

       --version
              Print the puppet version number and exit.

       $ puppet cert list
       $ puppet cert sign
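
       Building on the two commands above, the following is an added example
       (not part of this man page) that triages 'puppet cert list --all'
       output before signing: pending requests that carry alternate DNS names
       are set aside for a human look instead of being swept up by a blanket
       'sign --all'. The sample listing and hostnames are constructed, and the
       line layout (prefix, quoted hostname, digest, optional alt-names
       suffix) is an assumption.

```sh
#!/bin/sh
# Added example: triage 'puppet cert list --all' output before signing.
# SAMPLE is constructed. Per the man page, '+' marks signed certs, '-'
# marks revoked/invalid ones, and unprefixed lines are pending requests;
# the "(alt names: ...)" suffix layout is assumed.
SAMPLE='  "web01.example.com" (SHA256) AA:BB:CC:DD
+ "puppet.example.com" (SHA256) 11:22:33:44 (alt names: "DNS:puppet", "DNS:puppet.example.com")
  "rogue.example.com" (SHA256) EE:FF:00:11 (alt names: "DNS:puppet")
- "old01.example.com" (SHA256) 99:88:77:66 (certificate revoked)'

# Hostnames of all pending requests (no '+'/'-' prefix), quotes stripped.
pending() {
  printf '%s\n' "$1" | awk '$1 !~ /^[+-]$/ { gsub(/"/, "", $1); print $1 }'
}

# Pending requests that carry alternate DNS names. The man page says only
# Puppet master certs should have these, so they need review first.
pending_with_alt_names() {
  printf '%s\n' "$1" |
    awk '$1 !~ /^[+-]$/ && /\(alt names:/ { gsub(/"/, "", $1); print $1 }'
}

# Pending requests without alternate names: routine agent certificates.
pending_plain() {
  printf '%s\n' "$1" |
    awk '$1 !~ /^[+-]$/ && !/\(alt names:/ { gsub(/"/, "", $1); print $1 }'
}

# Emit one explicit 'puppet cert sign' per routine host, and a review
# reminder for alt-name requests, instead of a blanket 'sign --all'.
plan_signing() {
  for h in $(pending_plain "$1"); do
    printf 'puppet cert sign %s\n' "$h"
  done
  for h in $(pending_with_alt_names "$1"); do
    printf '# review alt names, then: puppet cert sign -i --allow-dns-alt-names %s\n' "$h"
  done
}

plan_signing "$SAMPLE"
```

       Feed it real output with `plan_signing "$(puppet cert list --all)"`
       on the CA host; nothing is signed until you run the emitted commands.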

       Luke Kanies

       Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 Li-

Puppet, Inc.                       July 2020                     PUPPET-CERT(8)

