man pages section 8: System Administration Commands

Updated: Thursday, June 13, 2019

puppet-cert (8)

PUPPET-CERT(8)                   Puppet manual                  PUPPET-CERT(8)



NAME
       puppet-cert - Manage certificates and requests

SYNOPSIS
       Standalone  certificate  authority. Capable of generating certificates,
       but mostly used for signing certificate requests from puppet clients.

USAGE
       puppet cert action [-h|--help] [-V|--version] [-d|--debug]
       [-v|--verbose] [--digest digest] [host]

DESCRIPTION
       Because the puppet master service defaults to not signing client
       certificate requests, this script is available for signing outstanding
       requests. It can be used to list outstanding requests and then either
       sign them individually or sign all of them.

ACTIONS
       Every action except 'list' and 'generate' requires a  hostname  to  act
       on, unless the '--all' option is set.

       The most important actions for day-to-day use are 'list' and 'sign'.

       clean  Revoke a host's certificate (if applicable) and remove all files
              related to that host from puppet cert's storage. This is  useful
              when  rebuilding  hosts,  since new certificate signing requests
              will only be honored if puppet cert does not have a  copy  of  a
              signed  certificate  for that host. If '--all' is specified then
              all  host  certificates,  both  signed  and  unsigned,  will  be
              removed.

       fingerprint
              Print the DIGEST (defaults to the signing algorithm) fingerprint
              of a host's certificate.

       generate
              Generate a certificate for a named client. A certificate/keypair
              will be generated for each client named on the command line.

       list   List outstanding certificate requests. If '--all' is specified,
              signed certificates are also listed, prefixed by '+', and revoked
              or invalid certificates are prefixed by '-' (the verification
              outcome is printed in parentheses). If '--human-readable' or '-H'
              is specified, certificates are formatted in a way to improve
              human scan-ability. If '--machine-readable' or '-m' is specified,
              output is formatted concisely for consumption by a script.

       print  Print the full-text version of a host's certificate.

       revoke Revoke the certificate of a client. The certificate can be
              specified either by its serial number (given as a hexadecimal
              number prefixed by '0x') or by its hostname. The certificate is
              revoked by adding it to the Certificate Revocation List given by
              the 'cacrl' configuration option. Note that the puppet master
              needs to be restarted after revoking certificates.

       sign   Sign  an  outstanding certificate request. If '--interactive' or
              '-i' is supplied the user will be prompted to confirm that  they
              are   signing   the   correct   certificate   (recommended).  If
              '--assume-yes' or '-y' is supplied the interactive  prompt  will
              assume the answer of 'yes'.

       verify Verify the named certificate against the local CA certificate.

       reinventory
              Build an inventory of the issued certificates. This will destroy
              the current inventory file  specified  by  'cert_inventory'  and
              recreate it from the certificates found in the 'certdir'. Ensure
              the puppet master is stopped before running this action.

OPTIONS
       Note that any setting that's valid in the configuration file is also  a
       valid  long  argument. For example, 'ssldir' is a valid setting, so you
       can specify '--ssldir directory' as an argument.

       See the configuration file documentation at
       https://docs.puppetlabs.com/puppet/latest/reference/configuration.html
       for the full list of acceptable parameters. A commented list of all
       configuration options can also be generated by running puppet cert with
       '--genconfig'.

       --all  Operate  on  all  items.  Currently  only  makes  sense with the
              'sign', 'list', and 'fingerprint' actions.

       --allow-dns-alt-names
              Sign a certificate request even  if  it  contains  one  or  more
              alternate  DNS  names.  If  this option isn't specified, 'puppet
              cert sign' will  ignore  any  requests  that  contain  alternate
              names.

              In  general,  ONLY  certs  intended  for  a Puppet master server
              should include alternate DNS names, since Puppet agent relies on
              those names for identifying its rightful server.

              You  can  make Puppet agent request a certificate with alternate
              names by setting 'dns_alt_names' in  puppet.conf  or  specifying
              '--dns_alt_names'  on  the  command  line. The output of 'puppet
              cert list' shows any requested alt names for pending certificate
              requests.

       --allow-authorization-extensions
              Enable  the  signing of a request with authorization extensions.
              Such requests are sensitive because they can be  used  to  write
              access rules in Puppet Server. Currently, this is the only means
              by which such requests can be signed.

       --digest
              Set the digest for fingerprinting (defaults to the digest used
              when signing the cert). Valid values depend on your openssl and
              openssl ruby extension version.

       --debug
              Enable full debugging.

       --help Print this help message.

       --verbose
              Enable verbosity.

       --version
              Print the puppet version number and exit.

EXAMPLE
       $ puppet cert list
       culain.madstop.com
       $ puppet cert sign culain.madstop.com
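
The list-then-sign workflow from ACTIONS, with the fingerprint check the
'sign' action recommends and the '--allow-dns-alt-names' caveat from OPTIONS,
as an added shell example. It is not code from this man page or from Puppet.
Assumptions: the line shapes it parses mirror what 'puppet cert list --all'
and 'puppet cert fingerprint' print in Puppet 5.x; the PUPPET variable and
every function name are the example's own; SAMPLE_LIST is constructed; the
expected fingerprint passed to verify_and_sign is one the host's operator
reported out of band. The helper refuses to sign when the CA-side fingerprint
differs from the reported one, and flags pending requests that carry alt
names so they get a deliberate decision rather than a bulk '--all' signing.

```shell
#!/bin/sh
# Added example for the puppet-cert(8) page; not code from the page or from
# Puppet. Assumptions (labelled here and in the lead-in): the line shapes
# parsed below mirror what 'puppet cert list --all' and 'puppet cert
# fingerprint' print in Puppet 5.x; PUPPET may point at a wrapper or a stub;
# the expected fingerprint is obtained out of band from the host's operator.
set -u

PUPPET="${PUPPET:-puppet}"

# Constructed sample of 'puppet cert list --all' output: two pending requests
# (one with alt names), one signed cert ('+'), one revoked cert ('-').
SAMPLE_LIST='  "agent1.example.com" (SHA256) 3C:2A:91:0B:4E:77:D1:A5:6F:88:13:C0:9E:52:AB:40:7D:E3:19:F6:2B:8C:65:D4:0A:91:E7:33:B8:5C:1F:A2
  "puppetmaster.example.com" (SHA256) 12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0 (alt names: "DNS:puppet", "DNS:puppetmaster.example.com")
+ "web01.example.com" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
- "retired.example.com" (SHA256) 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (certificate revoked)'

# State of one list line, from the leading marker described under the 'list'
# action: '+' signed, '-' revoked or invalid, anything else pending.
cert_state() {
    case "$1" in
        '+ '*) echo signed ;;
        '- '*) echo revoked ;;
        *)     echo pending ;;
    esac
}

# Host name: the first double-quoted token on the line.
cert_host() {
    h=${1#*\"}
    printf '%s\n' "${h%%\"*}"
}

# Requested alt names as printed by 'list'; empty when the line has none.
cert_alt_names() {
    case "$1" in
        *'(alt names: '*) a=${1#*"(alt names: "}; printf '%s\n' "${a%%")"*}" ;;
        *) printf '\n' ;;
    esac
}

# A pending request with alt names needs '--allow-dns-alt-names' and should
# normally only be the Puppet master's own certificate.
pending_with_alt_names() {
    [ "$(cert_state "$1")" = pending ] && [ -n "$(cert_alt_names "$1")" ]
}

# One report line per certificate: STATE HOST [ALT:<names>]
summarize_list() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        alt=$(cert_alt_names "$line")
        printf '%s %s%s\n' "$(cert_state "$line")" "$(cert_host "$line")" \
            "${alt:+ ALT:$alt}"
    done
}

# Number of pending requests that would be skipped (or need review) because
# they carry alt names.
count_pending_alt_names() {
    summarize_list "$1" | grep -c '^pending .* ALT:' || true
}

# Strip separators and upper-case, so an operator-pasted value compares equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Sign HOST only when the CA-side SHA256 fingerprint equals EXPECTED (the
# value the host's operator reported out of band). 0 = signed, 2 = mismatch.
verify_and_sign() {
    host=$1; expected=$2
    # Assumed 'puppet cert fingerprint' shape: "<host> (SHA256) AA:BB:..."
    actual=$("$PUPPET" cert fingerprint --digest sha256 "$host" | awk '{print $NF}')
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        printf 'refusing to sign %s: CA sees %s, operator reported %s\n' \
            "$host" "$actual" "$expected" >&2
        return 2
    fi
    "$PUPPET" cert sign "$host"
}

# Usage on a real CA (the sample below runs offline):
#   summarize_list "$(puppet cert list --all)"
#   verify_and_sign agent1.example.com "$FINGERPRINT_FROM_OPERATOR"
summarize_list "$SAMPLE_LIST"
```

Running the block as-is prints the four sample entries classified as
pending, pending with alt names, signed and revoked; on a live CA, replace
SAMPLE_LIST with the real 'puppet cert list --all' output as shown in the
usage comment.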

AUTHOR
       Luke Kanies

COPYRIGHT
       Copyright (c) 2011 Puppet Inc.,  LLC  Licensed  under  the  Apache  2.0
       License



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+--------------------------+
       |ATTRIBUTE TYPE |     ATTRIBUTE VALUE      |
       +---------------+--------------------------+
       |Availability   | system/management/puppet |
       +---------------+--------------------------+
       |Stability      | Volatile                 |
       +---------------+--------------------------+

NOTES
       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       https://github.com/puppetlabs/puppet/archive/5.5.0.tar.gz

       Further information about this software can be found on the open source
       community website at http://puppetlabs.com/.



Puppet, Inc.                      March 2018                    PUPPET-CERT(8)