PUPPET-CA(8)                     Puppet manual                     PUPPET-CA(8)

NAME
    puppet-ca - Local Puppet Certificate Authority management.

SYNOPSIS
    puppet ca action

DESCRIPTION
    This provides local management of the Puppet Certificate Authority.

    You can use this subcommand to sign outstanding certificate requests,
    list and manage local certificates, and inspect the state of the CA.

OPTIONS
    Note that any setting that's valid in the configuration file is also a
    valid long argument, although it may or may not be relevant to the
    present action. For example, server and run_mode are valid settings, so
    you can specify --server <servername> or --run_mode <runmode> as an
    argument.

    See the configuration file documentation at
    https://puppet.com/docs/puppet/latest/configuration.html for the full
    list of acceptable parameters. A commented list of all configuration
    options can also be generated by running puppet with --genconfig.

    --render-as FORMAT
        The format in which to render output. The most common formats are
        json, s (string), yaml, and console, but other options such as dot
        are sometimes available.

    --verbose
        Whether to log verbosely.

    --debug
        Whether to log debug information.
ACTIONS
    · destroy - Destroy named certificate or pending certificate request.

      SYNOPSIS

      puppet ca destroy

      DESCRIPTION

      Destroy named certificate or pending certificate request.

    · fingerprint - Print the DIGEST (defaults to the signing algorithm)
      fingerprint of a host's certificate.

      SYNOPSIS

      puppet ca fingerprint [--digest ALGORITHM]

      DESCRIPTION

      Print the DIGEST (defaults to the signing algorithm) fingerprint of
      a host's certificate.

      OPTIONS

      --digest ALGORITHM - The hash algorithm to use when displaying the
      fingerprint.

    · generate - Generate a certificate for a named client.

      SYNOPSIS

      puppet ca generate [--dns-alt-names NAMES]

      DESCRIPTION

      Generate a certificate for a named client.

      OPTIONS

      --dns-alt-names NAMES - A comma-separated list of alternate DNS
      names for Puppet Server. These are extra hostnames (in addition to
      its certname) that the server is allowed to use when serving agents.
      Puppet checks this setting when automatically requesting a
      certificate for Puppet agent or Puppet Server, and when manually
      generating a certificate with puppet cert generate. Each entry can
      be an IP address or a DNS name; the type (IP or DNS) should be given
      as a prefix followed by a colon. Untyped entries default to DNS.

      In order to handle agent requests at a given hostname (like
      "puppet.example.com"), Puppet Server needs a certificate that proves
      it's allowed to use that name; if a server presents a certificate
      that doesn't include its hostname, Puppet agents will refuse to
      trust it. If you use a single hostname for Puppet traffic but
      load-balance it to multiple Puppet Servers, each of those servers
      needs to include the official hostname in its list of extra names.

      Note: The list of alternate names is locked in when the server's
      certificate is signed. If you need to change the list later, you
      can't just change this setting; you also need to:

      · On the server: Stop Puppet Server.

      · On the CA server: Revoke and clean the server's old certificate
        (puppet cert clean <NAME>). (Note that puppet cert clean is
        deprecated and will be replaced with puppetserver ca clean in
        Puppet 6.)

      · On the server: Delete the old certificate (and any old
        certificate signing requests) from the ssldir
        (https://puppet.com/docs/puppet/latest/dirs_ssldir.html).

      · On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
        request a new certificate.

      · On the CA server: Sign the certificate request, explicitly
        allowing alternate names (puppet cert sign --allow-dns-alt-names
        <NAME>). (Note that puppet cert sign is deprecated and will be
        replaced with puppetserver ca sign in Puppet 6.)

      · On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
        retrieve the cert.

      · On the server: Start Puppet Server again.

      To see all the alternate names your servers are using, log into
      your CA server and run puppet cert list -a, then check the output
      for (alt names: ...). Most agent nodes should NOT have alternate
      names; the only certs that should have them are Puppet Server nodes
      that you want other agents to trust.
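
      The alt-name audit described above, as an added Ruby illustration
      that is not Puppet's own code: it builds a constructed in-memory CA,
      signs certificates with and without alt names, reads each
      certificate's alt names the way the (alt names: ...) output shows
      them, flags certificates that carry alt names without being an
      approved Puppet Server, and checks a certificate against the CA
      certificate the way puppet ca verify does. The certnames, the
      ca.example.com CA name and the allowed_servers list are assumptions.

```ruby
require 'openssl'

# Constructed in-memory stand-in for a Puppet CA (not Puppet's code): CA key + self-signed CA cert.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: ca.example.com')
  ca.public_key = key.public_key
  ca.not_before, ca.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  [ca, key]
end

# Sign a host cert; alt_names stands in for a CSR signed with --allow-dns-alt-names (untyped => DNS).
def issue(ca, ca_key, certname, serial, alt_names = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer = ca.subject
  cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  unless alt_names.empty?
    san = alt_names.map { |n| n.include?(':') ? n : "DNS:#{n}" }.join(',')
    ef = OpenSSL::X509::ExtensionFactory.new(ca, cert)
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Alt names as puppet cert list -a shows them in "(alt names: ...)".
def alt_names_of(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value.split(',').map(&:strip) : []
end

def certname_of(cert); cert.subject.to_a.assoc('CN')[1]; end

# Audit: only allowed_servers (Puppet Servers) may carry alt names; returns the other certnames that do.
def audit_alt_names(certs, allowed_servers)
  certs.reject { |c| alt_names_of(c).empty? || allowed_servers.include?(certname_of(c)) }
       .map { |c| certname_of(c) }
end

# Equivalent of puppet ca verify: was cert issued and signed by the local CA cert?
def verify_against_ca(cert, ca)
  cert.issuer.to_s == ca.subject.to_s && cert.verify(ca.public_key)
end
```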

    · list - List certificates and/or certificate requests.

      SYNOPSIS

      puppet ca list [--[no-]all] [--[no-]pending] [--[no-]signed]
      [--digest ALGORITHM] [--subject PATTERN]

      DESCRIPTION

      This will list the current certificates and certificate signing
      requests in the Puppet CA. The output also includes each
      fingerprint and reports any certificate verification failure.

      OPTIONS

      --[no-]all - Include all certificates and requests.

      --digest ALGORITHM - The hash algorithm to use when displaying the
      fingerprint.

      --[no-]pending - Include pending certificate signing requests.

      --[no-]signed - Include signed certificates.

      --subject PATTERN - Only include certificates or requests whose
      subject matches PATTERN.

      PATTERN is interpreted as a regular expression, allowing complex
      filtering of the content.

    · print - Print the full-text version of a host's certificate.

      SYNOPSIS

      puppet ca print

      DESCRIPTION

      Print the full-text version of a host's certificate.

    · revoke - Add certificate to certificate revocation list.

      SYNOPSIS

      puppet ca revoke

      DESCRIPTION

      Add certificate to certificate revocation list.

    · sign - Sign an outstanding certificate request.

      SYNOPSIS

      puppet ca sign [--[no-]allow-dns-alt-names]

      DESCRIPTION

      Sign an outstanding certificate request.

      OPTIONS

      --[no-]allow-dns-alt-names - Whether or not to accept DNS alt names
      in the certificate request.

    · verify - Verify the named certificate against the local CA
      certificate.

      SYNOPSIS

      puppet ca verify

      DESCRIPTION

      Verify the named certificate against the local CA certificate.

COPYRIGHT AND LICENSE
    Copyright 2011 by Puppet Inc. Apache 2 license; see COPYING

Puppet, Inc.                      January 2020                     PUPPET-CA(8)