PUPPET-CA(8)                     Puppet manual                    PUPPET-CA(8)



NAME
       puppet-ca - Local Puppet Certificate Authority management.

SYNOPSIS
       puppet ca action

DESCRIPTION
       This provides local management of the Puppet Certificate Authority.

       You can use this subcommand to sign outstanding certificate requests,
       list and manage local certificates, and inspect the state of the CA.

OPTIONS
       Note that any setting that's valid in the configuration file is also a
       valid long argument, although it may or may not be relevant to the
       present action. For example, server and run_mode are valid settings, so
       you can specify --server <servername>, or --run_mode <runmode> as an
       argument.

       See the configuration file documentation at
       https://puppet.com/docs/puppet/latest/configuration.html for the full
       list of acceptable parameters. A commented list of all configuration
       options can also be generated by running puppet with --genconfig.

       --render-as FORMAT
              The format in which to render output. The most common formats
              are json, s (string), yaml, and console, but other options such
              as dot are sometimes available.

       --verbose
              Whether to log verbosely.

       --debug
              Whether to log debug information.

ACTIONS
       ·   destroy - Destroy named certificate or pending certificate request.

           SYNOPSIS

           puppet ca destroy

           DESCRIPTION

           Destroy named certificate or pending certificate request.

       ·   fingerprint - Print the DIGEST (defaults to the signing algorithm)
           fingerprint of a host's certificate.

           SYNOPSIS

           puppet ca fingerprint [--digest ALGORITHM]

           DESCRIPTION

           Print the DIGEST (defaults to the signing algorithm) fingerprint of
           a host's certificate.

           OPTIONS

           --digest ALGORITHM - The hash algorithm to use when displaying the
           fingerprint.

       ·   generate - Generate a certificate for a named client.

           SYNOPSIS

           puppet ca generate [--dns-alt-names NAMES]

           DESCRIPTION

           Generate a certificate for a named client.

           OPTIONS

           --dns-alt-names NAMES - A comma-separated list of alternate DNS
           names for Puppet Server. These are extra hostnames (in addition to
           its certname) that the server is allowed to use when serving
           agents. Puppet checks this setting when automatically requesting a
           certificate for Puppet agent or Puppet Server, and when manually
           generating a certificate with puppet cert generate. These can be
           either IP or DNS, and the type should be specified and followed
           with a colon. Untyped inputs will default to DNS.

           In order to handle agent requests at a given hostname (like
           "puppet.example.com"), Puppet Server needs a certificate that
           proves it's allowed to use that name; if a server shows a
           certificate that doesn't include its hostname, Puppet agents will
           refuse to trust it. If you use a single hostname for Puppet traffic
           but load-balance it to multiple Puppet Servers, each of those
           servers needs to include the official hostname in its list of
           extra names.

           Note: The list of alternate names is locked in when the server's
           certificate is signed. If you need to change the list later, you
           can't just change this setting; you also need to:

           ·   On the server: Stop Puppet Server.

           ·   On the CA server: Revoke and clean the server's old
               certificate (puppet cert clean <NAME>). (Note: puppet cert
               clean is deprecated and will be replaced with puppetserver ca
               clean in Puppet 6.)

           ·   On the server: Delete the old certificate (and any old
               certificate signing requests) from the ssldir
               (https://puppet.com/docs/puppet/latest/dirs_ssldir.html).

           ·   On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
               request a new certificate.

           ·   On the CA server: Sign the certificate request, explicitly
               allowing alternate names (puppet cert sign
               --allow-dns-alt-names <NAME>). (Note: puppet cert sign is
               deprecated and will be replaced with puppetserver ca sign in
               Puppet 6.)

           ·   On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to
               retrieve the cert.

           ·   On the server: Start Puppet Server again.

           To see all the alternate names your servers are using, log into
           your CA server and run puppet cert list -a, then check the output
           for (alt names: ...). Most agent nodes should NOT have alternate
           names; the only certs that should have them are Puppet Server
           nodes that you want other agents to trust.

       ·   list - List certificates and/or certificate requests.

           SYNOPSIS

           puppet ca list [--[no-]all] [--[no-]pending] [--[no-]signed]
           [--digest ALGORITHM] [--subject PATTERN]

           DESCRIPTION

           This will list the current certificates and certificate signing
           requests in the Puppet CA. You will also get the fingerprint, and
           any certificate verification failure reported.

           OPTIONS

           --[no-]all - Include all certificates and requests.

           --digest ALGORITHM - The hash algorithm to use when displaying the
           fingerprint.

           --[no-]pending - Include pending certificate signing requests.

           --[no-]signed - Include signed certificates.

           --subject PATTERN - Only include certificates or requests where the
           subject matches PATTERN.

           PATTERN is interpreted as a regular expression, allowing complex
           filtering of the content.

       ·   print - Print the full-text version of a host's certificate.

           SYNOPSIS

           puppet ca print

           DESCRIPTION

           Print the full-text version of a host's certificate.

       ·   revoke - Add certificate to certificate revocation list.

           SYNOPSIS

           puppet ca revoke

           DESCRIPTION

           Add certificate to certificate revocation list.

       ·   sign - Sign an outstanding certificate request.

           SYNOPSIS

           puppet ca sign [--[no-]allow-dns-alt-names]

           DESCRIPTION

           Sign an outstanding certificate request.

           OPTIONS

           --[no-]allow-dns-alt-names - Whether or not to accept DNS alt names
           in the certificate request.

       ·   verify - Verify the named certificate against the local CA
           certificate.

           SYNOPSIS

           puppet ca verify

           DESCRIPTION

           Verify the named certificate against the local CA certificate.

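EXAMPLES
       The generate action's note on alternate names and the list action's
       --subject PATTERN option both describe formats that a CA operator
       otherwise reads by hand. The Python script below is an added example
       and is not part of puppet-ca or the Puppet project: it parses
       constructed sample lines in the shape of puppet cert list -a output
       (the "+", "-" and blank markers for signed, revoked and pending
       entries and the trailing "(alt names: ...)" suffix are assumptions
       about that layout; the fingerprints are placeholders), applies the
       documented rule that an untyped alternate name defaults to DNS,
       filters subjects with a regular expression as --subject does, and
       reports every certificate that carries alternate names without being
       on the operator's list of known Puppet Servers, which is the audit the
       note above asks for. The function names and the known-server set are
       this example's own.

```python
import re
import sys

# Constructed sample in the shape of `puppet cert list -a` output (an assumption
# about the layout: a leading "+" marks a signed certificate, "-" a revoked one,
# no marker a pending request; the fingerprints are placeholders, not real values).
SAMPLE_LIST_OUTPUT = """\
+ "puppet.example.com" (SHA256) 0A:0B:0C:0D (alt names: "DNS:puppet", "DNS:puppet.example.com")
+ "web01.example.com" (SHA256) 1A:1B:1C:1D
  "db01.example.com" (SHA256) 2A:2B:2C:2D
+ "web02.example.com" (SHA256) 3A:3B:3C:3D (alt names: "DNS:web02", "IP:10.0.0.12")
- "old.example.com" (SHA256) 4A:4B:4C:4D
"""

# One list entry: optional state marker, quoted certname, digest, fingerprint,
# and an optional "(alt names: ...)" suffix.
LINE_RE = re.compile(
    r'^(?P<state>[+-]?)\s*"(?P<name>[^"]+)"\s+\((?P<digest>[^)]+)\)\s+'
    r'(?P<fp>[0-9A-Fa-f:]+)(?:\s+\(alt names:\s*(?P<alts>[^)]*)\))?\s*$'
)
STATES = {"+": "signed", "-": "revoked", "": "pending"}


def normalize_alt_names(value):
    """Split a comma-separated alt-name list; an entry without a DNS: or IP:
    prefix is treated as DNS, as the --dns-alt-names description states."""
    names = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if not item:
            continue
        if not re.match(r"(DNS|IP):", item, re.IGNORECASE):
            item = "DNS:" + item
        names.append(item)
    return names


def parse_cert_list(text):
    """Turn list output into dicts with name, state, digest, fingerprint, alt_names."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised list line: %r" % line)
        entries.append({
            "name": m.group("name"),
            "state": STATES[m.group("state")],
            "digest": m.group("digest"),
            "fingerprint": m.group("fp"),
            "alt_names": normalize_alt_names(m.group("alts") or ""),
        })
    return entries


def filter_subject(entries, pattern):
    """Keep entries whose certname matches the regular expression, like --subject."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e["name"])]


def unexpected_alt_names(entries, known_servers):
    """Certificates that carry alt names although they are not known Puppet Servers."""
    return [e for e in entries if e["alt_names"] and e["name"] not in known_servers]


def main(argv):
    # Read a saved list output if a path is given, otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LIST_OUTPUT
    entries = parse_cert_list(text)
    for e in entries:
        alts = ", ".join(e["alt_names"]) or "-"
        print("%-8s %-22s %s  alt names: %s" % (e["state"], e["name"], e["fingerprint"], alts))
    # The set of hosts allowed to carry alt names is an assumption for this example.
    suspicious = unexpected_alt_names(entries, {"puppet.example.com"})
    for e in suspicious:
        print("WARNING: %s is not a known Puppet Server but has alt names %s"
              % (e["name"], e["alt_names"]))
    return len(suspicious)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv) else 0)
```

       Save the real listing first (puppet cert list -a > certs.txt) and run
       the script against that file; a non-zero exit status means at least
       one certificate outside the known-server set carries alternate names,
       which is the case the note above says should not occur on agent nodes.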
       Copyright 2011 by Puppet Inc. Apache 2 license; see COPYING



Puppet, Inc.                      April 2020                      PUPPET-CA(8)