Updated: Wednesday, February 9, 2022

puppet-cert (8)


puppet-cert - Manage certificates and requests (Deprecated)


Standalone  certificate  authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.


PUPPET-CERT(8)                   Puppet manual                  PUPPET-CERT(8)

SYNOPSIS
       puppet cert action [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
       [--digest digest] [host]

DESCRIPTION
       Because the puppet master service defaults to not signing client
       certificate requests, this script is available for signing outstanding
       requests. It can be used to list outstanding requests and then either
       sign them individually or sign all of them.

       Every action except 'list' and 'generate' requires a  hostname  to  act
       on, unless the '--all' option is set.

       The most important actions for day-to-day use are 'list' and 'sign'.

ACTIONS
       clean  Revoke a host's certificate (if applicable) and remove all files
              related to that host from puppet cert's storage. This is useful
              when rebuilding hosts, since new certificate signing requests
              will only be honored if puppet cert does not have a copy of a
              signed certificate for that host. If '--all' is specified then
              all host certificates, both signed and unsigned, will be

       fingerprint
              Print the DIGEST (defaults to the signing algorithm) fingerprint
              of a host's certificate.

       generate
              Generate a certificate for a named client. A certificate/keypair
              will be generated for each client named on the command line.

       list   List outstanding certificate requests. If '--all' is specified,
              signed certificates are also listed, prefixed by '+', and
              revoked or invalid certificates are prefixed by '-' (the
              verification outcome is printed in parenthesis). If
              '--human-readable' or '-H' is specified, certificates are
              formatted in a way to improve human scan-ability. If
              '--machine-readable' or '-m' is specified, output is formatted
              concisely for consumption by a

       print  Print the full-text version of a host's certificate.

       revoke Revoke the certificate of a client. The certificate can be
              specified either by its serial number (given as a hexadecimal
              number prefixed by '0x') or by its hostname. The certificate is
              revoked by adding it to the Certificate Revocation List given by
              the 'cacrl' configuration option. Note that the puppet master
              needs to be restarted after revoking certificates.

       sign   Sign  an  outstanding certificate request. If '--interactive' or
              '-i' is supplied the user will be prompted to confirm that  they
              are   signing   the   correct   certificate   (recommended).  If
              '--assume-yes' or '-y' is supplied the interactive  prompt  will
              assume the answer of 'yes'.

       verify Verify the named certificate against the local CA certificate.

       reinventory
              Build an inventory of the issued certificates. This will destroy
              the current inventory file specified by 'cert_inventory' and
              recreate it from the certificates found in the 'certdir'. Ensure
              the puppet master is stopped before running this action.

OPTIONS
       Note that any setting that's valid in the configuration file is also a
       valid long argument. For example, 'ssldir' is a valid setting, so you
       can specify '--ssldir directory' as an argument.

       See the configuration file documentation at
       https://puppet.com/docs/puppet/latest/configuration.html for the full
       list of acceptable parameters. A commented list of all configuration
       options can also be generated by running puppet cert with '--genconfig'.

       --all  Operate  on  all  items.  Currently  only  makes  sense with the
              'sign', 'list', and 'fingerprint' actions.

       --allow-dns-alt-names
              Sign a certificate request even if it contains one or more
              alternate DNS names. If this option isn't specified, 'puppet
              cert sign' will ignore any requests that contain alternate

              In  general,  ONLY  certs  intended  for  a Puppet master server
              should include alternate DNS names, since Puppet agent relies on
              those names for identifying its rightful server.

              You  can  make Puppet agent request a certificate with alternate
              names by setting 'dns_alt_names' in  puppet.conf  or  specifying
              '--dns_alt_names'  on  the  command  line. The output of 'puppet
              cert list' shows any requested alt names for pending certificate

       --allow-authorization-extensions
              Enable the signing of a request with authorization extensions.
              Such requests are sensitive because they can be used to write
              access rules in Puppet Server. Currently, this is the only means
              by which such requests can be signed.
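The 'list' output and the alt-names rule above lend themselves to a small triage step before anyone runs 'sign --all'. The POSIX shell script below is an added example, not part of this man page or of Puppet; it parses a constructed sample of 'puppet cert list --all' output (the '+' / '-' / no-prefix conventions are from the page, the exact layout of the rest of each line is an assumption) and separates plain pending requests from pending requests that carry alt names, which per the page should only ever belong to a Puppet master and therefore deserve a human decision rather than a bulk signature.

```shell
#!/bin/sh
# Constructed sample of 'puppet cert list --all' output (not captured from a
# real CA). Prefixes follow the man page: none = pending request, '+' = signed,
# '-' = revoked/invalid. The rest of the line layout is an assumption.
SAMPLE_LIST='  "web01.example.com" (SHA256) 11:22:33:44
+ "puppet.example.com" (SHA256) AA:BB:CC:DD (alt names: "DNS:puppet", "DNS:puppet.example.com")
  "db01.example.com" (SHA256) EE:FF:00:11 (alt names: "DNS:db01", "DNS:puppet")
- "old01.example.com" (SHA256) 22:33:44:55 (certificate revoked)'

# Classify one list line: signed, revoked, pending-altnames or pending.
classify_cert_line() {
  case $1 in
    "+ "*) echo signed ;;
    "- "*) echo revoked ;;
    *"(alt names:"*) echo pending-altnames ;;
    *) echo pending ;;
  esac
}

# Pull the quoted hostname out of a list line.
cert_line_host() {
  printf '%s\n' "$1" | sed -n 's/^[-+ ] *"\([^"]*\)".*/\1/p'
}

# Pending requests without alt names: candidates for routine signing.
pending_plain_hosts() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ "$(classify_cert_line "$line")" = pending ]; then
      cert_line_host "$line"
    fi
  done
}

# Pending requests that carry alt names: only a Puppet master's cert should
# have them, so these need a human decision, e.g. an interactive
# 'puppet cert sign --allow-dns-alt-names HOST' or a 'puppet cert clean HOST'.
pending_altname_hosts() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ "$(classify_cert_line "$line")" = pending-altnames ]; then
      cert_line_host "$line"
    fi
  done
}

# Stand-alone run: print the triage for the constructed sample.
echo "routine sign:"; pending_plain_hosts "$SAMPLE_LIST"
echo "needs review (alt names):"; pending_altname_hosts "$SAMPLE_LIST"
```

On a real CA, feed it the output of 'puppet cert list --all' instead of SAMPLE_LIST and sign only the first group non-interactively.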

       --digest DIGEST
              Set the digest for fingerprinting (defaults to the digest used
              when signing the cert). Valid values depend on your openssl and
              openssl ruby extension version.

       --debug
              Enable full debugging.

       --help Print this help message

       --verbose
              Enable verbosity.

       --version
              Print the puppet version number and exit.

EXAMPLE
       $ puppet cert list
       $ puppet cert sign culain.madstop.com

AUTHOR
       Luke Kanies

COPYRIGHT
       Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:

       |Availability   | system/management/puppet |
       |Stability      | Volatile                 |

NOTES
       Source code for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from https://github.com/puppetlabs/puppet.

       Further information about this software can be found on the open source
       community website at http://puppetlabs.com/.

Puppet, Inc.                       July 2020                    PUPPET-CERT(8)