PUPPET-CERT(8) Puppet manual PUPPET-CERT(8)

puppet-cert - Manage certificates and requests (Deprecated)

Standalone certificate authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.

puppet cert action [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
[--digest digest] [host]

Because the puppet master service defaults to not signing client
certificate requests, this script is available for signing outstanding
requests. It can be used to list outstanding requests and then either
sign them individually or sign all of them.

Every action except 'list' and 'generate' requires a hostname to act
on, unless the '--all' option is set.

The most important actions for day-to-day use are 'list' and 'sign'.

clean  Revoke a host's certificate (if applicable) and remove all files
       related to that host from puppet cert's storage. This is useful
       when rebuilding hosts, since new certificate signing requests
       will only be honored if puppet cert does not have a copy of a
       signed certificate for that host. If '--all' is specified then
       all host certificates, both signed and unsigned, will be
       removed.

fingerprint
       Print the DIGEST (defaults to the signing algorithm) fingerprint
       of a host's certificate.

generate
       Generate a certificate for a named client. A certificate/keypair
       will be generated for each client named on the command line.

list   List outstanding certificate requests. If '--all' is specified,
       signed certificates are also listed, prefixed by '+', and
       revoked or invalid certificates are prefixed by '-' (the
       verification outcome is printed in parentheses). If
       '--human-readable' or '-H' is specified, certificates are
       formatted in a way to improve human scan-ability. If
       '--machine-readable' or '-m' is specified, output is formatted
       concisely for consumption by a script.

print  Print the full-text version of a host's certificate.

revoke Revoke the certificate of a client. The certificate can be
       specified either by its serial number (given as a hexadecimal
       number prefixed by '0x') or by its hostname. The certificate is
       revoked by adding it to the Certificate Revocation List given by
       the 'cacrl' configuration option. Note that the puppet master
       needs to be restarted after revoking certificates.

sign   Sign an outstanding certificate request. If '--interactive' or
       '-i' is supplied the user will be prompted to confirm that they
       are signing the correct certificate (recommended). If
       '--assume-yes' or '-y' is supplied the interactive prompt will
       assume the answer of 'yes'.

verify Verify the named certificate against the local CA certificate.

reinventory
       Build an inventory of the issued certificates. This will destroy
       the current inventory file specified by 'cert_inventory' and
       recreate it from the certificates found in the 'certdir'. Ensure
       the puppet master is stopped before running this action.

Note that any setting that's valid in the configuration file is also a
valid long argument. For example, 'ssldir' is a valid setting, so you
can specify '--ssldir directory' as an argument.

See the configuration file documentation at
https://puppet.com/docs/puppet/latest/configuration.html for the full
list of acceptable parameters. A commented list of all configuration
options can also be generated by running puppet cert with '--genconfig'.

--all  Operate on all items. Currently only makes sense with the
       'sign', 'list', and 'fingerprint' actions.

--allow-dns-alt-names
       Sign a certificate request even if it contains one or more
       alternate DNS names. If this option isn't specified, 'puppet
       cert sign' will ignore any requests that contain alternate
       names.

       In general, ONLY certs intended for a Puppet master server
       should include alternate DNS names, since Puppet agent relies on
       those names for identifying its rightful server.

       You can make Puppet agent request a certificate with alternate
       names by setting 'dns_alt_names' in puppet.conf or specifying
       '--dns_alt_names' on the command line. The output of 'puppet
       cert list' shows any requested alt names for pending certificate
       requests.

--allow-authorization-extensions
       Enable the signing of a request with authorization extensions.
       Such requests are sensitive because they can be used to write
       access rules in Puppet Server. Currently, this is the only means
       by which such requests can be signed.

--digest
       Set the digest for fingerprinting (defaults to the digest used
       when signing the cert). Valid values depend on your openssl and
       openssl ruby extension version.

--debug
       Enable full debugging.

--help Print this help message.

--verbose
       Enable verbosity.

--version
       Print the puppet version number and exit.

$ puppet cert list
culain.madstop.com
$ puppet cert sign culain.madstop.com

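As an added example that is not part of this manual page, the POSIX shell helpers below triage constructed 'puppet cert list --all' output before anything is signed: they separate pending requests from signed and revoked entries, single out pending requests that carry alt names (which the manual says should belong only to Puppet master servers), and extract a listed fingerprint for out-of-band comparison with what the agent reports. The line layout, hostnames and fingerprints are assumptions built from the manual's description, not output from a real CA.

```shell
#!/bin/sh
# Added example (not from the puppet-cert manual). Assumed layout of
# `puppet cert list --all`, per the manual: pending requests carry no
# prefix, signed certificates are prefixed '+', revoked/invalid ones '-'
# with the outcome in parentheses, and pending requests that asked for
# alt names show them in parentheses. All values below are constructed.
SAMPLE_LIST='  "web01.example.com" (SHA256) 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09
  "puppet02.example.com" (SHA256) 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0 (alt names: "DNS:puppet", "DNS:puppet02.example.com")
+ "puppet01.example.com" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99 (alt names: "DNS:puppet", "DNS:puppet01.example.com")
- "retired.example.com" (SHA256) 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA (certificate revoked)'

# Classify one list line by its prefix: pending, signed or revoked.
classify_line() {
  case "$1" in
    "+ "*) echo signed ;;
    "- "*) echo revoked ;;
    *)     echo pending ;;
  esac
}

# Hostnames of pending requests that need no override flag to sign.
pending_plain() {
  printf '%s\n' "$1" | grep -v '^[+-] ' | grep -v 'alt names:' \
    | sed -n 's/^ *"\([^"]*\)".*/\1/p'
}

# Hostnames of pending requests carrying DNS alt names. 'puppet cert
# sign' skips these unless --allow-dns-alt-names is given, and only
# master servers should have them, so each one deserves a manual look.
pending_with_alt_names() {
  printf '%s\n' "$1" | grep -v '^[+-] ' | grep 'alt names:' \
    | sed -n 's/^ *"\([^"]*\)".*/\1/p'
}

# Fingerprint listed for host $1 in list $2, to compare out of band with
# the value the agent reports for its own request before signing.
fingerprint_of() {
  printf '%s\n' "$2" | grep "\"$1\"" \
    | sed -n 's/^[-+]* *"[^"]*" ([A-Za-z0-9]*) \([0-9A-Fa-f:]*\).*/\1/p'
}

printf 'safe to sign without overrides:\n%s\n' "$(pending_plain "$SAMPLE_LIST")"
printf 'alt-name requests needing review:\n%s\n' "$(pending_with_alt_names "$SAMPLE_LIST")"
printf 'fingerprint for web01.example.com: %s\n' "$(fingerprint_of web01.example.com "$SAMPLE_LIST")"
```

On a real CA host, replace SAMPLE_LIST with the captured output of 'puppet cert list --all' and sign only hosts whose listed fingerprint matches the one confirmed with the agent's owner.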
Luke Kanies

Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0
License



Puppet, Inc. January 2020 PUPPET-CERT(8)