
man pages section 8: System Administration Commands


Updated: Thursday, June 13, 2019

puppet-certificate (8)




PUPPET-CERTIFICATE(8)            Puppet manual           PUPPET-CERTIFICATE(8)

NAME
       puppet-certificate - Provide access to the CA for certificate management.

SYNOPSIS
       puppet certificate action [--terminus _TERMINUS] [--extra HASH]
       --ca-location LOCATION

DESCRIPTION
       This  subcommand  interacts  with  a local or remote Puppet certificate
       authority. Currently, its behavior is not a  full  superset  of  puppet
       cert; specifically, it is unable to mimic puppet cert's "clean" option,
       and its "generate" action submits a CSR rather than creating  a  signed

       Note  that any setting that's valid in the configuration file is also a
       valid long argument, although it may or may  not  be  relevant  to  the
       present action. For example, server and run_mode are valid settings, so
       you can specify --server <servername>, or --run_mode  <runmode>  as  an

       See the configuration file documentation at
       https://docs.puppetlabs.com/puppet/latest/reference/configuration.html
       for the full list of acceptable parameters. A commented list of all
       configuration options can also be generated by running puppet with
       --genconfig.

OPTIONS
       --render-as FORMAT
              The format in which to render output. The  most  common  formats
              are  json, s (string), yaml, and console, but other options such
              as dot are sometimes available.

       --verbose
              Whether to log verbosely.

       --debug
              Whether to log debug information.

       --ca-location LOCATION
              Whether to act on the local certificate authority  or  one  pro-
              vided  by a remote puppet master. Allowed values are 'local' and

              This option is required.

       --extra HASH
              A terminus can take additional arguments to  refine  the  opera-
              tion,  which  are  passed  as an arbitrary hash to the back-end.
              Anything passed as the extra value is just sent  direct  to  the

       --terminus _TERMINUS
              Indirector  faces  expose indirected subsystems of Puppet. These
              subsystems are each able to retrieve and alter a  specific  type
              of  data  (with  the familiar actions of find, search, save, and
              destroy) from an arbitrary number of pluggable backends. In Pup-
              pet parlance, these backends are called terminuses.

              Almost  all  indirected  subsystems  have  a  rest terminus that
              interacts with the puppet master's data. Most of them have addi-
              tional  terminuses  for  various local data models, which are in
              turn used by the indirected subsystem on the puppet master when-
              ever it receives a remote request.

              The  terminus  for an action is often determined by context, but
              occasionally needs to be set explicitly. See the "Notes" section
              of this face's manpage for more details.

ACTIONS
       destroy - Delete a certificate.
           SYNOPSIS

           puppet certificate destroy [--terminus _TERMINUS] [--extra HASH]
           --ca-location LOCATION host

           DESCRIPTION

           Deletes a certificate. This action currently only works on the
           local CA.

       find - Retrieve a certificate.
           SYNOPSIS

           puppet certificate find [--terminus _TERMINUS] [--extra HASH]
           --ca-location LOCATION host

           DESCRIPTION

           Retrieve a certificate.

           RETURNS

           An x509 SSL certificate.

           Note that this action has a side effect of caching a  copy  of  the
           certificate in Puppet's ssldir.

       generate - Generate a new certificate signing request.
           SYNOPSIS

           puppet certificate generate [--terminus _TERMINUS] [--extra HASH]
           --ca-location LOCATION [--dns-alt-names NAMES] host

           DESCRIPTION

           Generates and submits a certificate signing request (CSR)  for  the
           specified host. This CSR will then have to be signed by a user with
           the proper authorization on the certificate authority.

           Puppet agent usually handles  CSR  submission  automatically.  This
           action is primarily useful for requesting certificates for individ-
           ual users and external applications.

           OPTIONS

           --dns-alt-names NAMES - A comma-separated list of alternate DNS
           names for Puppet Server. These are extra hostnames (in addition
           to its certname) that the server is allowed  to  use  when  serving
           agents.  Puppet checks this setting when automatically requesting a
           certificate for Puppet agent or Puppet Server,  and  when  manually
           generating a certificate with puppet cert generate.

           In  order  to handle agent requests at a given hostname (like "pup-
           pet.example.com"), Puppet Server needs a  certificate  that  proves
           it's allowed to use that name; if a server shows a certificate that
           doesn't include its hostname, Puppet agents will  refuse  to  trust
           it.  If  you use a single hostname for Puppet traffic but load-bal-
           ance it to multiple Puppet Servers, each of those servers needs  to
           include the official hostname in its list of extra names.

           Note:  The  list  of alternate names is locked in when the server's
           certificate is signed. If you need to change the  list  later,  you
           can't just change this setting; you also need to:

       o   On the server: Stop Puppet Server.

       o   On  the  CA  server: Revoke and clean the server's old certificate.
           (puppet cert clean <NAME>)

       o   On the server: Delete the old certificate (and any old  certificate
           signing  requests) from the ssldir https://docs.puppetlabs.com/pup-

       o   On the server: Run puppet agent -t  --ca_server  <CA  HOSTNAME>  to
           request a new certificate

       o   On the CA server: Sign the certificate request, explicitly allowing
           alternate names (puppet cert sign --allow-dns-alt-names <NAME>).

       o   On the server: Run puppet agent -t  --ca_server  <CA  HOSTNAME>  to
           retrieve the cert.

       o   On the server: Start Puppet Server again.

       To see all the alternate names your servers are using, log into your CA
       server and run puppet cert list -a, then  check  the  output  for  (alt
       names: ...). Most agent nodes should NOT have alternate names; the only
       certs that should have them are Puppet Server nodes that you want other
       agents to trust.
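       The audit just described (run puppet cert list -a on the CA and look for
       alt names on nodes that should not carry them) can be scripted. The
       following POSIX shell script is an added example, not part of this man
       page or of the Puppet project: it parses the "(alt names: ...)"
       annotations from puppet cert list -a output and reports every signed
       certificate that carries alt names but whose certname is not on an
       allow-list of known Puppet Server nodes. The listing embedded in it is
       constructed to match the output format the page describes; the
       certnames and fingerprints in it are made up.

```shell
#!/bin/sh
# Added example, not Puppet's own code: audit `puppet cert list -a` output
# for certificates that carry DNS alt names, and flag any whose certname is
# not on an allow-list of Puppet Server nodes (agents should not have them).

# CONSTRUCTED sample of `puppet cert list -a` output; the certnames and
# fingerprints are made up and were not captured from a real CA.
SAMPLE_CERT_LIST='+ "agent01.example.com" (SHA256) AA:BB:CC:01
+ "puppet.example.com" (SHA256) AA:BB:CC:02 (alt names: "DNS:puppet", "DNS:puppet.example.com")
+ "agent02.example.com" (SHA256) AA:BB:CC:03 (alt names: "DNS:puppet.example.com")
  "pending.example.com" (SHA256) AA:BB:CC:04'

# Print "certname<TAB>alt names" for every line of the listing that has an
# "(alt names: ...)" annotation. Argument 1: the listing as one string.
certs_with_alt_names() {
    printf '%s\n' "$1" | awk '
        /\(alt names:/ {
            # The certname is the first double-quoted token on the line.
            match($0, /"[^"]+"/)
            name = substr($0, RSTART + 1, RLENGTH - 2)
            # Everything after "(alt names:" up to the closing parenthesis.
            n = index($0, "(alt names:")
            alt = substr($0, n + 11)
            sub(/\)[ \t]*$/, "", alt)
            sub(/^[ \t]+/, "", alt)
            print name "\t" alt
        }'
}

# Print "certname<TAB>alt names" only for certs that have alt names and are
# NOT in the allow-list. Argument 1: the listing; argument 2: space-separated
# certnames of the Puppet Server nodes that are expected to carry alt names.
unexpected_alt_names() {
    allowed=" $2 "
    certs_with_alt_names "$1" | while IFS="$(printf '\t')" read -r name alt; do
        case "$allowed" in
            *" $name "*) ;;                         # a known Puppet Server node
            *) printf '%s\t%s\n' "$name" "$alt" ;;  # unexpected: report it
        esac
    done
}

# Demo against the constructed sample: only agent02.example.com is reported,
# because puppet.example.com is on the allow-list.
unexpected_alt_names "$SAMPLE_CERT_LIST" "puppet.example.com"
```

       Against a live CA, pass the real listing instead of the sample, for
       example unexpected_alt_names "$(puppet cert list -a)" "puppet.example.com",
       with every load-balanced Puppet Server certname in the allow-list; any
       line the function prints is a node whose certificate would let it pose
       as a Puppet Server to agents and deserves a look.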



       info - Print the default terminus class for this face.
           SYNOPSIS

           puppet  certificate  info  [--terminus  _TERMINUS]  [--extra  HASH]
           --ca-location LOCATION


           Prints the default terminus class for this  subcommand.  Note  that
           different  run  modes  may  have different default termini; when in
           doubt, specify the run mode with the '--run_mode' option.

       list - List all certificate signing requests.
           SYNOPSIS

           puppet certificate list [--terminus _TERMINUS] [--extra HASH]
           --ca-location LOCATION

           DESCRIPTION

           List all certificate signing requests.

           RETURNS

           An  array  of #inspect output from CSR objects. This output is cur-
           rently messy, but does contain the names of nodes  requesting  cer-
           tificates. This action returns #inspect strings even when used from
           the Ruby API.

       sign - Sign a certificate signing request for HOST.
           SYNOPSIS

           puppet certificate sign [--terminus _TERMINUS] [--extra HASH]
           --ca-location LOCATION [--[no-]allow-dns-alt-names] host

           DESCRIPTION

           Sign a certificate signing request for HOST.

           OPTIONS

           --[no-]allow-dns-alt-names - Whether or not to accept DNS alt
           names in the certificate request

           RETURNS

           A string that appears to be (but isn't) an x509 certificate.


EXAMPLES
       Request a certificate for "somenode" from the site's CA:

       $ puppet  certificate  generate  somenode.puppetlabs.lan  --ca-location


       Sign somenode.puppetlabs.lan's certificate:

       $ puppet certificate sign somenode.puppetlabs.lan --ca-location remote

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:

       |ATTRIBUTE TYPE | ATTRIBUTE VALUE          |
       |Availability   | system/management/puppet |
       |Stability      | Volatile                 |

NOTES
       This  subcommand  is  an  indirector  face, which exposes find, search,
       save, and destroy actions for an indirected subsystem of Puppet.  Valid
       termini for this face include:

       o   ca

       o   disabled_ca

       o   file

       o   rest

COPYRIGHT
       Copyright 2011 by Puppet Inc. Apache 2 license; see COPYING

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source  was  downloaded  from  https://github.com/puppetlabs/puppet/ar-

       Further information about this software can be found on the open source
       community website at http://puppetlabs.com/.

Puppet, Inc.                      March 2018             PUPPET-CERTIFICATE(8)