.\" generated with Ronn-NG/v0.9.1 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1 .TH "PUPPET\-CA" "8" "January 2022" "Puppet, Inc." "Puppet manual" .SH "NAME" \fBpuppet\-ca\fR \- Local Puppet Certificate Authority management\. .SH "SYNOPSIS" puppet ca \fIaction\fR .SH "DESCRIPTION" This provides local management of the Puppet Certificate Authority\. .P You can use this subcommand to sign outstanding certificate requests, list and manage local certificates, and inspect the state of the CA\. .SH "OPTIONS" Note that any setting that's valid in the configuration file is also a valid long argument, although it may or may not be relevant to the present action\. For example, \fBserver\fR and \fBrun_mode\fR are valid settings, so you can specify \fB\-\-server \fR, or \fB\-\-run_mode \fR as an argument\. .P See the configuration file documentation at \fIhttps://puppet\.com/docs/puppet/latest/configuration\.html\fR for the full list of acceptable parameters\. A commented list of all configuration options can also be generated by running puppet with \fB\-\-genconfig\fR\. .TP \-\-render\-as FORMAT The format in which to render output\. The most common formats are \fBjson\fR, \fBs\fR (string), \fByaml\fR, and \fBconsole\fR, but other options such as \fBdot\fR are sometimes available\. .TP \-\-verbose Whether to log verbosely\. .TP \-\-debug Whether to log debug information\. .SH "ACTIONS" .IP "\[ci]" 4 \fBdestroy\fR \- Destroy named certificate or pending certificate request\.: \fBSYNOPSIS\fR .IP puppet ca destroy .IP \fBDESCRIPTION\fR .IP Destroy named certificate or pending certificate request\. .IP "\[ci]" 4 \fBfingerprint\fR \- Print the DIGEST (defaults to the signing algorithm) fingerprint of a host's certificate\.: \fBSYNOPSIS\fR .IP puppet ca fingerprint [\-\-digest ALGORITHM] .IP \fBDESCRIPTION\fR .IP Print the DIGEST (defaults to the signing algorithm) fingerprint of a host's certificate\. .IP \fBOPTIONS\fR \fI\-\-digest ALGORITHM\fR \- The hash algorithm to use when displaying the fingerprint .IP "\[ci]" 4 \fBgenerate\fR \- Generate a certificate for a named client\.: \fBSYNOPSIS\fR .IP puppet ca generate [\-\-dns\-alt\-names NAMES] .IP \fBDESCRIPTION\fR .IP Generate a certificate for a named client\. .IP \fBOPTIONS\fR \fI\-\-dns\-alt\-names NAMES\fR \- A comma\-separated list of alternate DNS names for Puppet Server\. These are extra hostnames (in addition to its \fBcertname\fR) that the server is allowed to use when serving agents\. Puppet checks this setting when automatically requesting a certificate for Puppet agent or Puppet Server, and when manually generating a certificate with \fBpuppet cert generate\fR\. These can be either IP or DNS, and the type should be specified and followed with a colon\. Untyped inputs will default to DNS\. .IP In order to handle agent requests at a given hostname (like "puppet\.example\.com"), Puppet Server needs a certificate that proves it's allowed to use that name; if a server shows a certificate that doesn't include its hostname, Puppet agents will refuse to trust it\. If you use a single hostname for Puppet traffic but load\-balance it to multiple Puppet Servers, each of those servers needs to include the official hostname in its list of extra names\. .IP \fBNote:\fR The list of alternate names is locked in when the server's certificate is signed\. If you need to change the list later, you can't just change this setting; you also need to: .IP "\[ci]" 4 On the server: Stop Puppet Server\. .IP "\[ci]" 4 On the CA server: Revoke and clean the server's old certificate\. (\fBpuppet cert clean \fR) (Note \fBpuppet cert clean\fR is deprecated and will be replaced with \fBpuppetserver ca clean\fR in Puppet 6\.) .IP "\[ci]" 4 On the server: Delete the old certificate (and any old certificate signing requests) from the ssldir \fIhttps://puppet\.com/docs/puppet/latest/dirs_ssldir\.html\fR\. .IP "\[ci]" 4 On the server: Run \fBpuppet agent \-t \-\-ca_server \fR to request a new certificate .IP "\[ci]" 4 On the CA server: Sign the certificate request, explicitly allowing alternate names (\fBpuppet cert sign \-\-allow\-dns\-alt\-names \fR)\. (Note \fBpuppet cert sign\fR is deprecated and will be replaced with \fBpuppetserver ca sign\fR in Puppet 6\.) .IP "\[ci]" 4 On the server: Run \fBpuppet agent \-t \-\-ca_server \fR to retrieve the cert\. .IP "\[ci]" 4 On the server: Start Puppet Server again\. .IP "" 0 .IP To see all the alternate names your servers are using, log into your CA server and run \fBpuppet cert list \-a\fR, then check the output for \fB(alt names: \|\.\|\.\|\.)\fR\. Most agent nodes should NOT have alternate names; the only certs that should have them are Puppet Server nodes that you want other agents to trust\. .IP "\[ci]" 4 \fBlist\fR \- List certificates and/or certificate requests\.: \fBSYNOPSIS\fR .IP puppet ca list [\-\-[no\-]all] [\-\-[no\-]pending] [\-\-[no\-]signed] [\-\-digest ALGORITHM] [\-\-subject PATTERN] .IP \fBDESCRIPTION\fR .IP This will list the current certificates and certificate signing requests in the Puppet CA\. You will also get the fingerprint, and any certificate verification failure reported\. .IP \fBOPTIONS\fR \fI\-\-[no\-]all\fR \- Include all certificates and requests\. .IP \fI\-\-digest ALGORITHM\fR \- The hash algorithm to use when displaying the fingerprint .IP \fI\-\-[no\-]pending\fR \- Include pending certificate signing requests\. .IP \fI\-\-[no\-]signed\fR \- Include signed certificates\. .IP \fI\-\-subject PATTERN\fR \- Only include certificates or requests where subject matches PATTERN\. .IP PATTERN is interpreted as a regular expression, allowing complex filtering of the content\. .IP "\[ci]" 4 \fBprint\fR \- Print the full\-text version of a host's certificate\.: \fBSYNOPSIS\fR .IP puppet ca print .IP \fBDESCRIPTION\fR .IP Print the full\-text version of a host's certificate\. .IP "\[ci]" 4 \fBrevoke\fR \- Add certificate to certificate revocation list\.: \fBSYNOPSIS\fR .IP puppet ca revoke .IP \fBDESCRIPTION\fR .IP Add certificate to certificate revocation list\. .IP "\[ci]" 4 \fBsign\fR \- Sign an outstanding certificate request\.: \fBSYNOPSIS\fR .IP puppet ca sign [\-\-[no\-]allow\-dns\-alt\-names] .IP \fBDESCRIPTION\fR .IP Sign an outstanding certificate request\. .IP \fBOPTIONS\fR \fI\-\-[no\-]allow\-dns\-alt\-names\fR \- Whether or not to accept DNS alt names in the certificate request .IP "\[ci]" 4 \fBverify\fR \- Verify the named certificate against the local CA certificate\.: \fBSYNOPSIS\fR .IP puppet ca verify .IP \fBDESCRIPTION\fR .IP Verify the named certificate against the local CA certificate\. .IP "" 0 .SH "COPYRIGHT AND LICENSE" Copyright 2011 by Puppet Inc\. Apache 2 license; see COPYING