PUPPET-CERT(8)                   Puppet manual                  PUPPET-CERT(8)

NAME

       puppet-cert - Manage certificates and requests (Deprecated)

SYNOPSIS

       Standalone certificate authority. Capable of generating certificates,
       but mostly used for signing certificate requests from puppet clients.

USAGE

       puppet cert action [-h|--help] [-V|--version] [-d|--debug]
       [-v|--verbose] [--digest digest] [host]

DESCRIPTION

       Because the puppet master service defaults to not signing client
       certificate requests, this script is available for signing outstanding
       requests. It can be used to list outstanding requests and then either
       sign them individually or sign all of them.

       This command is deprecated; in Puppet 6 and later the CA is managed
       with the 'puppetserver ca' subcommands instead. Signing a request
       admits that host to the deployment's trust domain, so run this tool
       only on the CA host and review each request before signing it.

ACTIONS

       Every action except 'list' and 'generate' requires a hostname to act
       on, unless the '--all' option is set.

       The most important actions for day-to-day use are 'list' and 'sign'.

       clean  Revoke a host's certificate (if applicable) and remove all files
              related to that host from puppet cert's storage. This is useful
              when rebuilding hosts, since new certificate signing requests
              will only be honored if puppet cert does not have a copy of a
              signed certificate for that host. If '--all' is specified then
              all host certificates, both signed and unsigned, will be
              removed. Because 'clean' revokes, the same caveat as for
              'revoke' applies: restart the puppet master afterwards so that
              the updated CRL is in effect.

       fingerprint
              Print the DIGEST (defaults to the signing algorithm) fingerprint
              of a host's certificate.

       generate
              Generate a certificate for a named client. A certificate/keypair
              will be generated for each client named on the command line.
              The private key is created on the CA host and has to be copied
              to the client, so prefer letting clients generate their own key
              and submit a request.

       list   List outstanding certificate requests. If '--all' is specified,
              signed certificates are also listed, prefixed by '+', and
              revoked or invalid certificates are prefixed by '-' (the
              verification outcome is printed in parentheses). If
              '--human-readable' or '-H' is specified, certificates are
              formatted in a way to improve human scan-ability. If
              '--machine-readable' or '-m' is specified, output is formatted
              concisely for consumption by a script.

       print  Print the full-text version of a host's certificate.

       revoke Revoke the certificate of a client. The certificate can be
              specified either by its serial number (given as a hexadecimal
              number prefixed by '0x') or by its hostname. The certificate is
              revoked by adding it to the Certificate Revocation List given by
              the 'cacrl' configuration option. Note that the puppet master
              needs to be restarted after revoking certificates; until then
              the running master keeps using the CRL it loaded at startup.

       sign   Sign an outstanding certificate request. If '--interactive' or
              '-i' is supplied the user will be prompted to confirm that they
              are signing the correct certificate (recommended). If
              '--assume-yes' or '-y' is supplied the interactive prompt will
              assume the answer of 'yes'. Before confirming, compare the
              request's fingerprint shown by 'list' with the one the agent
              reported when it submitted the request; a request from a host
              you did not provision, or whose fingerprint does not match,
              should be cleaned rather than signed.

       verify Verify the named certificate against the local CA certificate.

       reinventory
              Build an inventory of the issued certificates. This will destroy
              the current inventory file specified by 'cert_inventory' and
              recreate it from the certificates found in the 'certdir'. Ensure
              the puppet master is stopped before running this action.

OPTIONS

       Note that any setting that's valid in the configuration file is also a
       valid long argument. For example, 'ssldir' is a valid setting, so you
       can specify '--ssldir directory' as an argument.

       See the configuration file documentation at
       https://puppet.com/docs/puppet/latest/configuration.html for the full
       list of acceptable parameters. A commented list of all configuration
       options can also be generated by running puppet cert with
       '--genconfig'.

       --all  Operate on all items. Currently only makes sense with the
              'sign', 'list', and 'fingerprint' actions (and 'clean', as
              described above). 'sign --all' signs every pending request
              without distinguishing hosts you provisioned from hosts that
              merely submitted a request, so review the 'list' output first.

       --allow-dns-alt-names
              Sign a certificate request even if it contains one or more
              alternate DNS names. If this option isn't specified, 'puppet
              cert sign' will ignore any requests that contain alternate
              names.

              In general, ONLY certs intended for a Puppet master server
              should include alternate DNS names, since Puppet agent relies on
              those names for identifying its rightful server. A certificate
              issued to any other host with the master's names in it lets
              that host impersonate the master to every agent that trusts
              this CA.

              You can make Puppet agent request a certificate with alternate
              names by setting 'dns_alt_names' in puppet.conf or specifying
              '--dns_alt_names' on the command line. The output of 'puppet
              cert list' shows any requested alt names for pending certificate
              requests.

       --allow-authorization-extensions
              Enable the signing of a request with authorization extensions.
              Such requests are sensitive because they can be used to write
              access rules in Puppet Server. Currently, this is the only means
              by which such requests can be signed. Inspect the requested
              extension values (for example with 'openssl req -noout -text'
              on the request file in 'csrdir') and confirm they are the
              values your auth.conf rules expect before signing.

       --digest
              Set the digest for fingerprinting (defaults to the digest used
              when signing the cert). Valid values depend on your openssl and
              openssl ruby extension version.

       --debug
              Enable full debugging.

       --help Print this help message

       --verbose
              Enable verbosity.

       --version
              Print the puppet version number and exit.

EXAMPLE

       $ puppet cert list
       culain.madstop.com
       $ puppet cert sign culain.madstop.com
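       The review that the 'sign' action and the '--allow-dns-alt-names'
       option call for, as an added example that is not part of puppet-cert
       or the Puppet project: a POSIX sh script that parses 'puppet cert list
       --all' output, compares each pending request's fingerprint with one
       recorded out of band, and permits alternate DNS names only for hosts on
       a master allowlist. The list layout, the hostnames, the fingerprints
       and the allowlist are constructed assumptions; the script prints the
       'puppet cert sign' commands it would run instead of running them.

```shell
#!/bin/sh
# Added example, not part of puppet-cert or the Puppet project. It shows the
# review a CA operator should do before 'puppet cert sign': match each pending
# request's fingerprint against one recorded out of band, and allow alternate
# DNS names only for hosts on a master allowlist. The sample 'puppet cert list
# --all' output is constructed and assumes this layout per line:
#     [+|-] "hostname" (DIGEST) AA:BB:... [(alt names: "DNS:...", ...)] [(outcome)]
# Nothing here runs puppet; the accepted commands are printed for the operator.

# Hosts allowed to carry alternate DNS names, i.e. the Puppet masters (assumed).
MASTERS="puppet01.example.com puppet02.example.com"

# Fingerprints recorded out of band at provisioning time, e.g. copied from
# the "Certificate Request fingerprint" line the agent prints (constructed).
EXPECTED_FPS="web01.example.com AA:BB:CC:DD
puppet02.example.com 7C:9E:01:23
rogue.example.com DE:AD:BE:EF
db01.example.com FF:FF:FF:FF"

# Constructed 'puppet cert list --all' output: one signed cert ('+'), five
# pending requests, one revoked cert ('-').
SAMPLE_LIST='+ "puppet01.example.com" (SHA256) 11:22:33:44 (alt names: "DNS:puppet", "DNS:puppet01.example.com")
  "web01.example.com" (SHA256) AA:BB:CC:DD
  "puppet02.example.com" (SHA256) 7C:9E:01:23 (alt names: "DNS:puppet", "DNS:puppet02.example.com")
  "rogue.example.com" (SHA256) DE:AD:BE:EF (alt names: "DNS:puppet")
  "db01.example.com" (SHA256) 55:66:77:88
  "tmp01.example.com" (SHA256) 01:02:03:04
- "old01.example.com" (SHA256) 99:00:99:00 (certificate revoked)'

# Hostname inside the double quotes, ignoring any leading '+'/'-' marker.
csr_host() {
    printf '%s\n' "$1" | sed -n 's/^[+-]\{0,1\}[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Colon-separated hex digest that follows the "(DIGEST)" marker.
csr_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*([A-Za-z0-9]*)[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p'
}

# True when the request asked for alternate DNS names.
csr_has_alt_names() {
    case "$1" in *"(alt names:"*) return 0 ;; *) return 1 ;; esac
}

is_master() {
    for m in $MASTERS; do [ "$m" = "$1" ] && return 0; done
    return 1
}

# Out-of-band fingerprint for a host, empty if none was recorded.
expected_fp() {
    printf '%s\n' "$EXPECTED_FPS" | awk -v h="$1" '$1 == h { print $2 }'
}

# Decide one pending-request line. Prints "sign [--allow-dns-alt-names] HOST"
# and returns 0, or "reject HOST: reason" and returns 1.
decide_csr() {
    line=$1
    host=$(csr_host "$line")
    fp=$(csr_fingerprint "$line")
    if [ -z "$host" ] || [ -z "$fp" ]; then
        printf 'reject %s: unparseable list line\n' "${host:-?}"
        return 1
    fi
    want=$(expected_fp "$host")
    if [ -z "$want" ]; then
        printf 'reject %s: no out-of-band fingerprint on file\n' "$host"
        return 1
    fi
    if [ "$want" != "$fp" ]; then
        printf 'reject %s: fingerprint mismatch (request %s, expected %s)\n' "$host" "$fp" "$want"
        return 1
    fi
    if csr_has_alt_names "$line"; then
        if is_master "$host"; then
            printf 'sign --allow-dns-alt-names %s\n' "$host"
            return 0
        fi
        printf 'reject %s: alternate DNS names requested by a non-master host\n' "$host"
        return 1
    fi
    printf 'sign %s\n' "$host"
}

# Walk the list: skip signed/revoked entries, decide every pending request,
# and print the 'puppet cert' command for the ones that pass.
plan_signing() {
    printf '%s\n' "$SAMPLE_LIST" | while IFS= read -r line; do
        case "$line" in ''|[+-]*) continue ;; esac
        if out=$(decide_csr "$line"); then
            printf '%s\n  -> puppet cert %s\n' "$out" "$out"
        else
            printf '%s\n' "$out"
        fi
    done
}

plan_signing
```

       To use it against a real CA, replace SAMPLE_LIST with the output of
       'puppet cert list --all' and EXPECTED_FPS with the fingerprints your
       provisioning system recorded. Note that 'sign --all --assume-yes'
       bypasses exactly this review.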

AUTHOR

       Luke Kanies

       Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0
       License



Puppet, Inc.                     January 2020                   PUPPET-CERT(8)