NAME¶
puppet-certificate - Provide access to the CA for certificate management.
SYNOPSIS¶
puppet certificate
action [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION
DESCRIPTION¶
This subcommand interacts with a local or remote Puppet certificate authority.
Currently, its behavior is not a full superset of
puppet cert;
specifically, it is unable to mimic puppet cert´s "clean"
option, and its "generate" action submits a CSR rather than creating
a signed certificate.
OPTIONS¶
Note that any configuration parameter that´s valid in the configuration
file is also a valid long argument, although it may or may not be relevant to
the present action. For example,
server and
run_mode are valid
configuration parameters, so you can specify
--server
<servername>, or
--run_mode <runmode> as an argument.
See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all configuration
options can also be generated by running puppet with
--genconfig.
- --render-as FORMAT
- The format in which to render output. The most common formats are
json, s (string), yaml, and console, but other
options such as dot are sometimes available.
- --verbose
- Whether to log verbosely.
- --debug
- Whether to log debug information.
- --ca-location LOCATION
- Whether to act on the local certificate authority or one provided by a
remote puppet master. Allowed values are ´local´ and
´remote.´
- This option is required.
- --extra HASH
- A terminus can take additional arguments to refine the operation, which
are passed as an arbitrary hash to the back-end. Anything passed as the
extra value is just send direct to the back-end.
- --terminus TERMINUS
- Indirector faces expose indirected subsystems of Puppet. These subsystems
are each able to retrieve and alter a specific type of data (with the
familiar actions of find, search, save, and
destroy) from an arbitrary number of pluggable backends. In Puppet
parlance, these backends are called terminuses.
- Almost all indirected subsystems have a rest terminus that
interacts with the puppet master´s data. Most of them have
additional terminuses for various local data models, which are in turn
used by the indirected subsystem on the puppet master whenever it receives
a remote request.
- The terminus for an action is often determined by context, but
occasionally needs to be set explicitly. See the "Notes" section
of this face´s manpage for more details.
ACTIONS¶
- destroy - Delete a certificate.
- SYNOPSIS
- puppet certificate destroy [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION host
- DESCRIPTION
- Deletes a certificate. This action currently only works on the local
CA.
- RETURNS
- Nothing.
- find - Retrieve a certificate.
- SYNOPSIS
- puppet certificate find [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION host
- DESCRIPTION
- Retrieve a certificate.
- RETURNS
- An x509 SSL certificate.
- Note that this action has a side effect of caching a copy of the
certificate in Puppet´s ssldir.
- generate - Generate a new certificate signing request.
- SYNOPSIS
- puppet certificate generate [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION [--dns-alt-names NAMES] host
- DESCRIPTION
- Generates and submits a certificate signing request (CSR) for the
specified host. This CSR will then have to be signed by a user with the
proper authorization on the certificate authority.
- Puppet agent usually handles CSR submission automatically. This action is
primarily useful for requesting certificates for individual users and
external applications.
- OPTIONS --dns-alt-names NAMES - The comma-separated list of
alternative DNS names to use for the local host. When the node generates a
CSR for itself, these are added to the request as the desired
subjectAltName in the certificate: additional DNS labels that the
certificate is also valid answering as. This is generally required if you
use a non-hostname certname, or if you want to use puppet
kick or puppet resource -H and the primary certname does not
match the DNS name you use to communicate with the host. This is
unnecessary for agents, unless you intend to use them as a server for
puppet kick or remote puppet resource management. It is
rarely necessary for servers; it is usually helpful only if you need to
have a pool of multiple load balanced masters, or for the same master to
respond on two physically separate networks under different names.
- RETURNS
- Nothing.
- info - Print the default terminus class for this face.
- SYNOPSIS
- puppet certificate info [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION
- DESCRIPTION
- Prints the default terminus class for this subcommand. Note that different
run modes may have different default termini; when in doubt, specify the
run mode with the ´--run_mode´ option.
- list - List all certificate signing requests.
- SYNOPSIS
- puppet certificate list [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION
- DESCRIPTION
- List all certificate signing requests.
- RETURNS
- An array of #inspect output from CSR objects. This output is currently
messy, but does contain the names of nodes requesting certificates. This
action returns #inspect strings even when used from the Ruby API.
- save - Invalid for this subcommand.
- SYNOPSIS
- puppet certificate save [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION key
- DESCRIPTION
- Invalid for this subcommand.
- search - Invalid for this subcommand.
- SYNOPSIS
- puppet certificate search [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION query
- DESCRIPTION
- Invalid for this subcommand.
- sign - Sign a certificate signing request for HOST.
- SYNOPSIS
- puppet certificate sign [--terminus TERMINUS] [--extra HASH]
--ca-location LOCATION [--[no-]allow-dns-alt-names]
host
- DESCRIPTION
- Sign a certificate signing request for HOST.
- OPTIONS --[no-]allow-dns-alt-names - Whether or not to
accept DNS alt names in the certificate request
- RETURNS
- A string that appears to be (but isn´t) an x509 certificate.
EXAMPLES¶
generate
Request a certificate for "somenode" from the site´s CA:
$ puppet certificate generate somenode.puppetlabs.lan --ca-location remote
sign
Sign somenode.puppetlabs.lan´s certificate:
$ puppet certificate sign somenode.puppetlabs.lan --ca-location remote
NOTES¶
This subcommand is an indirector face, which exposes
find,
search,
save, and
destroy actions for an indirected subsystem of Puppet.
Valid termini for this face include:
- •
- ca
- •
- disabled_ca
- •
- file
- •
- rest
-
COPYRIGHT AND LICENSE¶
Copyright 2011 by Puppet Labs Apache 2 license; see COPYING