1PUPPET-CA(8) Puppet manual PUPPET-CA(8)
2
6 puppet-ca - Local Puppet Certificate Authority management.
7
9 puppet ca action
10
12 This provides local management of the Puppet Certificate Authority.
13 You can use this subcommand to sign outstanding certificate requests,
15 list and manage local certificates, and inspect the state of the CA.
16
18 Note that any setting that´s valid in the configuration file is also a
19 valid long argument, although it may or may not be relevant to the
20 present action. For example, server and run_mode are valid settings, so
21 you can specify --server <servername>, or --run_mode <runmode> as an
22 argument.
23 See the configuration file documentation at https://pup‐
25 pet.com/docs/puppet/latest/configuration.html for the full list of
26 acceptable parameters. A commented list of all configuration options
27 can also be generated by running puppet with --genconfig.
28 --render-as FORMAT
30 The format in which to render output. The most common formats
31 are json, s (string), yaml, and console, but other options such
32 as dot are sometimes available.
33 --verbose
35 Whether to log verbosely.
36 --debug
38 Whether to log debug information.
39
41 · destroy - Destroy named certificate or pending certificate
42 request.: SYNOPSIS
43 puppet ca destroy
45 DESCRIPTION
47 Destroy named certificate or pending certificate request.
49 · fingerprint - Print the DIGEST (defaults to the signing algorithm)
51 fingerprint of a host´s certificate.: SYNOPSIS
52 puppet ca fingerprint [--digest ALGORITHM]
54 DESCRIPTION
56 Print the DIGEST (defaults to the signing algorithm) fingerprint of
58 a host´s certificate.
59 OPTIONS --digest ALGORITHM - The hash algorithm to use when dis‐
61 playing the fingerprint
62 · generate - Generate a certificate for a named client.: SYNOPSIS
64 puppet ca generate [--dns-alt-names NAMES]
66 DESCRIPTION
68 Generate a certificate for a named client.
70 OPTIONS --dns-alt-names NAMES - A comma-separated list of alternate
72 DNS names for Puppet Server. These are extra hostnames (in addition
73 to its certname) that the server is allowed to use when serving
74 agents. Puppet checks this setting when automatically requesting a
75 certificate for Puppet agent or Puppet Server, and when manually
76 generating a certificate with puppet cert generate. These can be
77 either IP or DNS, and the type should be specified and followed
78 with a colon. Untyped inputs will default to DNS.
79 In order to handle agent requests at a given hostname (like "pup‐
81 pet.example.com"), Puppet Server needs a certificate that proves
82 it´s allowed to use that name; if a server shows a certificate that
83 doesn´t include its hostname, Puppet agents will refuse to trust
84 it. If you use a single hostname for Puppet traffic but load-bal‐
85 ance it to multiple Puppet Servers, each of those servers needs to
86 include the official hostname in its list of extra names.
87 Note: The list of alternate names is locked in when the server´s
89 certificate is signed. If you need to change the list later, you
90 can´t just change this setting; you also need to:
91 · On the server: Stop Puppet Server.
93 · On the CA server: Revoke and clean the server´s old certificate.
95 (puppet cert clean <NAME>) (Note puppet cert clean is deprecated
96 and will be replaced with puppetserver ca clean in Puppet 6.)
97 · On the server: Delete the old certificate (and any old certificate
99 signing requests) from the ssldir https://puppet.com/docs/pup‐
100 pet/latest/dirs_ssldir.html.
101 · On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
103 request a new certificate
104 · On the CA server: Sign the certificate request, explicitly allowing
106 alternate names (puppet cert sign --allow-dns-alt-names <NAME>).
107 (Note puppet cert sign is deprecated and will be replaced with pup‐
108 petserver ca sign in Puppet 6.)
109 · On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
111 retrieve the cert.
112 · On the server: Start Puppet Server again.
114 To see all the alternate names your servers are using, log into your CA
118 server and run puppet cert list -a, then check the output for (alt
119 names: ...). Most agent nodes should NOT have alternate names; the only
120 certs that should have them are Puppet Server nodes that you want other
121 agents to trust.
122 · list - List certificates and/or certificate requests.: SYNOPSIS
124 puppet ca list [--[no-]all] [--[no-]pending] [--[no-]signed]
126 [--digest ALGORITHM] [--subject PATTERN]
127 DESCRIPTION
129 This will list the current certificates and certificate signing
131 requests in the Puppet CA. You will also get the fingerprint, and
132 any certificate verification failure reported.
133 OPTIONS --[no-]all - Include all certificates and requests.
135 --digest ALGORITHM - The hash algorithm to use when displaying the
137 fingerprint
138 --[no-]pending - Include pending certificate signing requests.
140 --[no-]signed - Include signed certificates.
142 --subject PATTERN - Only include certificates or requests where
144 subject matches PATTERN.
145 PATTERN is interpreted as a regular expression, allowing complex
147 filtering of the content.
148 · print - Print the full-text version of a host´s certificate.: SYN‐
150 OPSIS
151 puppet ca print
153 DESCRIPTION
155 Print the full-text version of a host´s certificate.
157 · revoke - Add certificate to certificate revocation list.: SYNOPSIS
159 puppet ca revoke
161 DESCRIPTION
163 Add certificate to certificate revocation list.
165 · sign - Sign an outstanding certificate request.: SYNOPSIS
167 puppet ca sign [--[no-]allow-dns-alt-names]
169 DESCRIPTION
171 Sign an outstanding certificate request.
173 OPTIONS --[no-]allow-dns-alt-names - Whether or not to accept DNS
175 alt names in the certificate request
176 · verify - Verify the named certificate against the local CA certifi‐
178 cate.: SYNOPSIS
179 puppet ca verify
181 DESCRIPTION
183 Verify the named certificate against the local CA certificate.
185
189 Copyright 2011 by Puppet Inc. Apache 2 license; see COPYING
190Puppet, Inc. January 2019 PUPPET-CA(8)