require 'puppet/application'
class Puppet::Application::Cert < Puppet::Application
# State shared between the option handlers and the action that runs later.
# @ca is assigned a Puppet::SSL::CertificateAuthority instance during setup
# and @digest is forwarded to @ca.apply as the :digest option; @all and
# @signed presumably mirror the --all / --signed switches (their option
# bodies are not shown here — confirm against the full file).
attr_accessor :all, :ca, :digest, :signed
# Handle the nasty, legacy mapping of "clean" to "destroy".
@subcommand = (sub == :clean ? :destroy : sub)
option("--clean", "-c") do
self.subcommand = "destroy"
option("--all", "-a") do
option("--digest DIGEST") do |arg|
option("--signed", "-s") do
option("--debug", "-d") do |arg|
Puppet::Util::Log.level = :debug
require 'puppet/ssl/certificate_authority/interface'
Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.reject {|m| m == :destroy }.each do |method|
option("--#{method}", "-#{method.to_s[0,1]}") do
self.subcommand = method
option("--verbose", "-v") do
Puppet::Util::Log.level = :info
puppet-cert(8) -- Manage certificates and requests
Standalone certificate authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.
puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
[--digest <digest>] [<host>]
Because the puppet master service defaults to not signing client
certificate requests, this script is available for signing outstanding
requests. It can be used to list outstanding requests and then either
sign them individually or sign all of them.
Every action except 'list' and 'generate' requires a hostname to act on,
unless the '--all' option is set.
Revoke a host's certificate (if applicable) and remove all files
related to that host from puppet cert's storage. This is useful when
rebuilding hosts, since new certificate signing requests will only be
honored if puppet cert does not have a copy of a signed certificate
for that host. If '--all' is specified then all host certificates,
both signed and unsigned, will be removed.
Print the DIGEST (defaults to md5) fingerprint of a host's
Generate a certificate for a named client. A certificate/keypair will
be generated for each client named on the command line.
List outstanding certificate requests. If '--all' is specified, signed
certificates are also listed, prefixed by '+', and revoked or invalid
certificates are prefixed by '-' (the verification outcome is printed
Print the full-text version of a host's certificate.
Revoke the certificate of a client. The certificate can be specified
either by its serial number (given as a decimal number or a
hexadecimal number prefixed by '0x') or by its hostname. The
certificate is revoked by adding it to the Certificate Revocation List
given by the 'cacrl' configuration option. Note that the puppet master
needs to be restarted after revoking certificates.
Sign an outstanding certificate request.
Verify the named certificate against the local CA certificate.
Note that any configuration parameter that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
configuration parameter, so you can specify '--ssldir <directory>' as an
See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
Operate on all items. Currently only makes sense with the 'sign',
'clean', 'list', and 'fingerprint' actions.
Set the digest for fingerprinting (defaults to md5). Valid values
depend on your openssl and openssl ruby extension version, but should
contain at least md5, sha1, md2, sha256.
Enable full debugging.
Print this help message.
Print the puppet version number and exit.
$ puppet cert sign culain.madstop.com
Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
hosts = command_line.args.collect { |h| h.downcase }
@ca.apply(:revoke, :to => hosts) if subcommand == :destroy
@ca.apply(subcommand, :to => hosts, :digest => @digest)
puts detail.backtrace if Puppet[:trace]
require 'puppet/ssl/certificate_authority'
exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
Puppet::Util::Log.newdestination :console
if [:generate, :destroy].include? subcommand
Puppet::SSL::Host.ca_location = :local
Puppet::SSL::Host.ca_location = :only
@ca = Puppet::SSL::CertificateAuthority.new
puts detail.backtrace if Puppet[:trace]
# handle the bareword subcommand pattern.
unless self.subcommand then
if sub = self.command_line.args.shift then
self.subcommand = sub