NAME
puppet-certificate - Provide access to the CA for certificate management.

SYNOPSIS
puppet certificate action [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION
DESCRIPTION
This subcommand interacts with a local or remote Puppet certificate authority.
Currently, its behavior is not a full superset of puppet cert; specifically, it
is unable to mimic puppet cert's "clean" option, and its "generate" action
submits a CSR rather than creating a signed certificate.
OPTIONS
Note that any configuration parameter that's valid in the configuration file is
also a valid long argument, although it may or may not be relevant to the
present action. For example, server and run_mode are valid configuration
parameters, so you can specify --server <servername>, or --run_mode <runmode>
as an argument.

See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the full
list of acceptable parameters. A commented list of all configuration options
can also be generated by running puppet with --genconfig.
- --render-as FORMAT
    The format in which to render output. The most common formats are json, s
    (string), yaml, and console, but other options such as dot are sometimes
    available.
- --verbose
    Whether to log verbosely.
- --debug
    Whether to log debug information.
- --ca-location LOCATION
    Whether to act on the local certificate authority or one provided by a
    remote puppet master. Allowed values are 'local' and 'remote'.

    This option is required.
- --extra HASH
    A terminus can take additional arguments to refine the operation, which are
    passed as an arbitrary hash to the back-end. Anything passed as the extra
    value is sent directly to the back-end.
- --terminus TERMINUS
    Indirector faces expose indirected subsystems of Puppet. These subsystems
    are each able to retrieve and alter a specific type of data (with the
    familiar actions of find, search, save, and destroy) from an arbitrary
    number of pluggable backends. In Puppet parlance, these backends are called
    terminuses.

    Almost all indirected subsystems have a rest terminus that interacts with
    the puppet master's data. Most of them have additional terminuses for
    various local data models, which are in turn used by the indirected
    subsystem on the puppet master whenever it receives a remote request.

    The terminus for an action is often determined by context, but occasionally
    needs to be set explicitly. See the "Notes" section of this face's manpage
    for more details.
ACTIONS
- destroy - Delete a certificate.
    SYNOPSIS
        puppet certificate destroy [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION host
    DESCRIPTION
        Deletes a certificate. This action currently only works on the local CA.
    RETURNS
        Nothing.
- find - Retrieve a certificate.
    SYNOPSIS
        puppet certificate find [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION host
    DESCRIPTION
        Retrieve a certificate.
    RETURNS
        An x509 SSL certificate.

        Note that this action has a side effect of caching a copy of the
        certificate in Puppet's ssldir.
- generate - Generate a new certificate signing request.
    SYNOPSIS
        puppet certificate generate [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION [--dns-alt-names NAMES] host
    DESCRIPTION
        Generates and submits a certificate signing request (CSR) for the
        specified host. This CSR will then have to be signed by a user with the
        proper authorization on the certificate authority.

        Puppet agent usually handles CSR submission automatically. This action
        is primarily useful for requesting certificates for individual users
        and external applications.
    OPTIONS
        --dns-alt-names NAMES
            The comma-separated list of alternative DNS names to use for the
            local host. When the node generates a CSR for itself, these are
            added to the request as the desired subjectAltName in the
            certificate: additional DNS names that the certificate is also
            valid for when answering requests. This is generally required if
            you use a non-hostname certname, or if you want to use puppet kick
            or puppet resource -H and the primary certname does not match the
            DNS name you use to communicate with the host. This is unnecessary
            for agents, unless you intend to use them as a server for puppet
            kick or remote puppet resource management. It is rarely necessary
            for servers; it is usually helpful only if you need to have a pool
            of multiple load-balanced masters, or for the same master to
            respond on two physically separate networks under different names.
    RETURNS
        Nothing.
- info - Print the default terminus class for this face.
    SYNOPSIS
        puppet certificate info [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION
    DESCRIPTION
        Prints the default terminus class for this subcommand. Note that
        different run modes may have different default termini; when in doubt,
        specify the run mode with the '--run_mode' option.
- list - List all certificate signing requests.
    SYNOPSIS
        puppet certificate list [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION
    DESCRIPTION
        List all certificate signing requests.
    RETURNS
        An array of #inspect output from CSR objects. This output is currently
        messy, but does contain the names of nodes requesting certificates.
        This action returns #inspect strings even when used from the Ruby API.
- save - Invalid for this subcommand.
    SYNOPSIS
        puppet certificate save [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION key
    DESCRIPTION
        Invalid for this subcommand.
- search - Invalid for this subcommand.
    SYNOPSIS
        puppet certificate search [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION query
    DESCRIPTION
        Invalid for this subcommand.
- sign - Sign a certificate signing request for HOST.
    SYNOPSIS
        puppet certificate sign [--terminus TERMINUS] [--extra HASH] --ca-location LOCATION [--[no-]allow-dns-alt-names] host
    DESCRIPTION
        Sign a certificate signing request for HOST.
    OPTIONS
        --[no-]allow-dns-alt-names
            Whether or not to accept DNS alt names in the certificate request.
    RETURNS
        A string that appears to be (but isn't) an x509 certificate.
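The subjectAltName handling behind generate's --dns-alt-names and sign's --[no-]allow-dns-alt-names, as an added Ruby example using only the standard openssl library (not Puppet's own code): it builds a CSR carrying DNS alt names in the extReq attribute the way a node would, lists the names the CA would have to review, and models the CA-side decision of whether such a request may be signed without the allow flag. The certnames and alt names are constructed for the example.

```ruby
require 'openssl'

# Build a CSR the way a node does for `puppet certificate generate
# HOST --dns-alt-names NAMES`: CN=certname, plus a subjectAltName
# extension carried in the CSR's extReq attribute when alt names are given.
def build_csr(certname, dns_alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  unless dns_alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', dns_alt_names.map { |n| "DNS:#{n}" }.join(',')
    )
    # extReq = SET { SEQUENCE { Extension, ... } }
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# What the CA must look at before signing: every DNS name the CSR asks for
# beyond its CN. Non-DNS SAN entries are deliberately not returned here.
def requested_dns_alt_names(req)
  req.attributes.select { |a| a.oid == 'extReq' }.flat_map do |attr|
    attr.value.value.flat_map do |ext_seq|           # Set -> Sequence
      ext_seq.value.flat_map do |ext_asn1|           # Sequence -> Extension
        ext = OpenSSL::X509::Extension.new(ext_asn1.to_der)
        next [] unless ext.oid == 'subjectAltName'
        ext.value.split(',').map(&:strip)
           .select { |e| e.start_with?('DNS:') }
           .map { |e| e.sub('DNS:', '') }
      end
    end
  end
end

# The signing policy behind `sign --[no-]allow-dns-alt-names`: a CSR with
# any DNS alt names is refused unless the operator explicitly allowed them.
# A CSR whose self-signature does not verify is refused outright.
def csr_acceptable?(req, allow_dns_alt_names: false)
  return false unless req.verify(req.public_key)
  allow_dns_alt_names || requested_dns_alt_names(req).empty?
end
```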
EXAMPLES
generate

Request a certificate for "somenode" from the site's CA:

    $ puppet certificate generate somenode.puppetlabs.lan --ca-location remote

sign

Sign somenode.puppetlabs.lan's certificate:

    $ puppet certificate sign somenode.puppetlabs.lan --ca-location remote
NOTES
This subcommand is an indirector face, which exposes find, search, save, and
destroy actions for an indirected subsystem of Puppet.

Valid termini for this face include:
- ca
- disabled_ca
- file
- rest
COPYRIGHT AND LICENSE
Copyright 2011 by Puppet Labs Apache 2 license; see COPYING