puppetserver-ca(1)

Puppetserver CA management command

Section 1 puppetserver bookworm source

NAME

puppetserver-ca - Puppetserver CA management command

SYNOPSIS

puppetserver ca (--help | --version)
puppetserver ca (--verbose) [subcommand] <args>

DESCRIPTION

Manage the Public Key Infrastructure for Puppet Server's built-in Certificate Authority.

OPTIONS

-h, --help

Show the help message and exit

--version

Show the version number of the CA utility and exit

--verbose

Display low-level information

SUBCOMMANDS

Certificate Actions

The following subcommands require a running Puppet Server:

clean <args> ...

Revoke cert(s) and remove related files from CA

generate <args> ...

Generate a new certificate signed by the CA

list <args> ...

List certificates and CSRs

revoke <args> ...

Revoke certificate(s)

sign <args> ...

Sign certificate request(s)

Administration Actions

The following subcommands require Puppet Server to be stopped:

import <args> ...

Import an external CA chain and generate server PKI

setup <args> ...

Set up a self-signed CA chain for Puppet Server

enable <args> ...

Set up infrastructure CRL based on a node inventory

migrate <args> ...

Migrate the existing CA directory to /etc/puppetserver/ca

prune <args> ...

Prune the local CRL on disk to remove any duplicated certificates

For more details on the arguments supported by these subcommands, see the "Arguments" section of this man page.

ARGUMENTS

clean:

    --certname NAME[,NAME]           One or more comma separated certnames
    --config CONF                    Custom path to puppet.conf

enable:

    --config CONF                    Path to puppet.conf
    --infracrl                       Create auxiliary files for the infrastructure-only CRL

generate:

    --certname NAME[,NAME]           One or more comma separated certnames
    --config CONF                    Path to puppet.conf
    --subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert
    --ca-client                      Whether this cert will be used to request CA actions
    --force                          Suppress errors when signing cert offline
    --ttl TTL                        The time-to-live for each cert generated and signed

import:

    --config CONF                    Path to puppet.conf
    --private-key KEY                Path to PEM encoded key
    --cert-bundle BUNDLE             Path to PEM encoded bundle
    --crl-chain CHAIN                Path to PEM encoded chain
    --certname NAME                  Common name to use for the server cert
    --subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert

list:

    --config CONF                    Custom path to Puppet's config file
    --all                            List all certificates
    --format FORMAT                  Valid formats are: 'text' (default), 'json'
    --certname NAME[,NAME]           List the specified cert(s)

migrate:

    --config CONF                    Path to puppet.conf

prune:

    --config CONF                    Path to the puppet.conf file on disk

revoke:

    --certname NAME[,NAME]           One or more comma separated certnames
    --config CONF                    Custom path to puppet.conf

setup:

    --config CONF                    Path to puppet.conf
    --subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert
    --ca-name NAME                   Common name to use for the CA signing cert
    --certname NAME                  Common name to use for the server cert

sign:

    --ttl TTL                        The time-to-live for each cert signed
    --certname NAME[,NAME]           The name(s) of the cert(s) to be signed
    --config CONF                    Custom path to Puppet's config file
    --all                            Operate on all certnames
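
Because sign accepts either --all or a comma separated --certname list, a reviewed allowlist is one way to keep unexpected requests from being signed. The script below is an added example, not part of this man page or of puppetserver; the allowlist file, the function names, the certname pattern and the example.com hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of puppetserver): build a `puppetserver ca sign`
# command for explicitly reviewed certnames, as an alternative to --all.

# Conservative certname check (an assumption of this example): lowercase
# letters, digits, '.', '_' and '-', starting with a letter or digit.
# Rejecting ',' matters because --certname takes a comma separated list;
# rejecting a leading '-' keeps a name from looking like an option.
valid_certname() (
  LC_ALL=C
  case $1 in
    ''|[!a-z0-9]*|*[!a-z0-9._-]*) exit 1 ;;
  esac
  exit 0
)

# build_sign_cmd ALLOWLIST_FILE NAME...
# Prints the sign command for names that are valid and listed, one per
# line, in ALLOWLIST_FILE. Exits non-zero and prints no command when
# nothing qualifies.
build_sign_cmd() (
  allowlist=$1; shift
  approved=
  for name in "$@"; do
    if ! valid_certname "$name"; then
      echo "rejected (invalid certname): $name" >&2
    elif ! grep -Fxq -e "$name" "$allowlist"; then  # exact, literal match
      echo "rejected (not on allowlist): $name" >&2
    else
      approved=${approved:+$approved,}$name
    fi
  done
  [ -n "$approved" ] || exit 1
  printf 'puppetserver ca sign --certname %s\n' "$approved"
)

# Constructed sample data: two reviewed certnames and three candidates.
sample=$(mktemp)
printf '%s\n' web01.example.com db01.example.com > "$sample"
build_sign_cmd "$sample" web01.example.com \
  'db01.example.com,rogue.example.com' unknown.example.com
rm -f "$sample"
```

The script only prints the command; review it and run it on the host where Puppet Server is running, since sign requires a running server.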

BUGS

Bugs can be reported to your distribution's bug tracker or upstream at https://tickets.puppetlabs.com/browse/SERVER

SEE ALSO

puppetserver(1), puppetserver-gem(1), puppetserver-ruby(1), puppetserver-irb(1), puppetserver-foreground(1)

AUTHOR

Louis-Philippe Véronneau