Provided by: puppet_5.5.22-4ubuntu2_all bug


       puppet-certificate - Provide access to the CA for certificate management.


       puppet certificate action [--terminus _TERMINUS] [--extra HASH] --ca-location LOCATION


       This  subcommand interacts with a local or remote Puppet certificate authority. Currently,
       its behavior is not a full superset of puppet cert; specifically, it is  unable  to  mimic
       puppet cert's "clean" option, and its "generate" action submits a CSR rather than creating
       a signed certificate.


       Note that any setting that's valid  in  the  configuration  file  is  also  a  valid  long
       argument,  although  it  may  or  may  not be relevant to the present action. For example,
       server and run_mode are valid settings, so  you  can  specify  --server  <servername>,  or
       --run_mode <runmode> as an argument.

       See           the           configuration          file          documentation          at for the full list  of  acceptable
       parameters. A commented list of all configuration options can also be generated by running
       puppet with --genconfig.

       --render-as FORMAT
              The format in which to render output. The most common formats are json, s (string),
              yaml, and console, but other options such as dot are sometimes available.

              Whether to log verbosely.

              Whether to log debug information.

       --ca-location LOCATION
              Whether  to  act  on  the  local  certificate authority or one provided by a remote
              puppet master. Allowed values are 'local' and 'remote.'

              This option is required.

       --extra HASH
              A terminus can take additional arguments to refine the operation, which are  passed
              as  an  arbitrary  hash to the back-end. Anything passed as the extra value is just
              send direct to the back-end.

       --terminus _TERMINUS
              Indirector faces expose indirected subsystems of Puppet. These subsystems are  each
              able  to  retrieve  and alter a specific type of data (with the familiar actions of
              find, search, save, and destroy) from an arbitrary number of pluggable backends. In
              Puppet parlance, these backends are called terminuses.

              Almost  all  indirected  subsystems  have  a  rest terminus that interacts with the
              puppet master's data. Most of them have additional  terminuses  for  various  local
              data  models,  which  are  in  turn  used by the indirected subsystem on the puppet
              master whenever it receives a remote request.

              The terminus for an action is often determined by context, but  occasionally  needs
              to  be  set  explicitly.  See  the  "Notes" section of this face's manpage for more


destroy - Delete a certificate.: SYNOPSIS

           puppet  certificate  destroy  [--terminus  _TERMINUS]  [--extra  HASH]   --ca-location
           LOCATION host


           Deletes a certificate. This action currently only works on the local CA.



       ○   find - Retrieve a certificate.: SYNOPSIS

           puppet  certificate  find [--terminus _TERMINUS] [--extra HASH] --ca-location LOCATION


           Retrieve a certificate.


           An x509 SSL certificate.

           Note that this action has a side effect of  caching  a  copy  of  the  certificate  in
           Puppet's ssldir.

       ○   generate - Generate a new certificate signing request.: SYNOPSIS

           puppet  certificate  generate  [--terminus  _TERMINUS]  [--extra  HASH]  --ca-location
           LOCATION [--dns-alt-names NAMES] host


           Generates and submits a certificate signing request (CSR) for the specified host. This
           CSR  will  then  have  to  be  signed  by  a user with the proper authorization on the
           certificate authority.

           Puppet agent usually handles CSR submission automatically. This  action  is  primarily
           useful for requesting certificates for individual users and external applications.

           OPTIONS  --dns-alt-names  NAMES  -  A  comma-separated list of alternate DNS names for
           Puppet Server. These are extra hostnames (in addition to its certname) that the server
           is  allowed  to use when serving agents. Puppet checks this setting when automatically
           requesting a certificate  for  Puppet  agent  or  Puppet  Server,  and  when  manually
           generating a certificate with puppet cert generate. These can be either IP or DNS, and
           the type should be specified and followed with a colon. Untyped inputs will default to

           In  order  to  handle  agent requests at a given hostname (like ""),
           Puppet Server needs a certificate that proves it's allowed to  use  that  name;  if  a
           server  shows  a  certificate  that  doesn't  include its hostname, Puppet agents will
           refuse to trust it. If you use a single hostname for Puppet traffic  but  load-balance
           it  to  multiple  Puppet  Servers, each of those servers needs to include the official
           hostname in its list of extra names.

           Note: The list of alternate names is  locked  in  when  the  server's  certificate  is
           signed.  If you need to change the list later, you can't just change this setting; you
           also need to:

       ○   On the server: Stop Puppet Server.

       ○   On the CA server: Revoke and clean the server's old certificate.  (puppet  cert  clean
           <NAME>)  (Note  puppet cert clean is deprecated and will be replaced with puppetserver
           ca clean in Puppet 6.)

       ○   On the server: Delete the old certificate (and any old certificate  signing  requests)
           from the ssldir

       ○   On  the  server:  Run  puppet  agent  -t  --ca_server  <CA  HOSTNAME> to request a new

       ○   On the CA server: Sign the certificate request, explicitly  allowing  alternate  names
           (puppet  cert sign --allow-dns-alt-names <NAME>). (Note puppet cert sign is deprecated
           and will be replaced with puppetserver ca sign in Puppet 6.)

       ○   On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to retrieve the cert.

       ○   On the server: Start Puppet Server again.

       To see all the alternate names your servers are using, log into your  CA  server  and  run
       puppet  cert  list -a, then check the output for (alt names: ...). Most agent nodes should
       NOT have alternate names; the only certs that should have them  are  Puppet  Server  nodes
       that you want other agents to trust.



       ○   info - Print the default terminus class for this face.: SYNOPSIS

           puppet certificate info [--terminus _TERMINUS] [--extra HASH] --ca-location LOCATION


           Prints  the  default terminus class for this subcommand. Note that different run modes
           may have different default termini; when in doubt,  specify  the  run  mode  with  the
           '--run_mode' option.

       ○   list - List all certificate signing requests.: SYNOPSIS

           puppet certificate list [--terminus _TERMINUS] [--extra HASH] --ca-location LOCATION


           List all certificate signing requests.


           An array of #inspect output from CSR objects. This output is currently messy, but does
           contain the names of nodes  requesting  certificates.  This  action  returns  #inspect
           strings even when used from the Ruby API.

       ○   sign - Sign a certificate signing request for HOST.: SYNOPSIS

           puppet  certificate  sign [--terminus _TERMINUS] [--extra HASH] --ca-location LOCATION
           [--[no-]allow-dns-alt-names] host


           Sign a certificate signing request for HOST.

           OPTIONS --[no-]allow-dns-alt-names - Whether or not to accept DNS  alt  names  in  the
           certificate request


           A string that appears to be (but isn't) an x509 certificate.



       Request a certificate for "somenode" from the site's CA:

       $ puppet certificate generate somenode.puppetlabs.lan --ca-location remote


       Sign somenode.puppetlabs.lan's certificate:

       $ puppet certificate sign somenode.puppetlabs.lan --ca-location remote


       This  subcommand  is  an  indirector  face,  which exposes find, search, save, and destroy
       actions for an indirected subsystem of Puppet. Valid termini for this face include:

       ○   cadisabled_cafilerest


       Copyright 2011 by Puppet Inc. Apache 2 license; see COPYING