#!/usr/bin/env ruby # # = Synopsis # # Stand-alone certificate authority. Capable of generating certificates # but mostly meant for signing certificate requests from puppet clients. # # = Usage # # puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] # [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke] # [-p|--print] [-c|--clean] [--verify] [host] # # = Description # # Because the puppetmasterd daemon defaults to not signing client certificate # requests, this script is available for signing outstanding requests. It # can be used to list outstanding requests and then either sign them individually # or sign all of them. # # = Options # # Note that any configuration parameter that's valid in the configuration file # is also a valid long argument. For example, 'ssldir' is a valid configuration # parameter, so you can specify '--ssldir ' as an argument. # # See the configuration file documentation at # http://reductivelabs.com/projects/puppet/reference/configref.html for # the full list of acceptable parameters. A commented list of all # configuration options can also be generated by running puppetca with # '--genconfig'. # # all:: # Operate on all items. Currently only makes sense with '--sign', # '--clean', or '--list'. # # clean:: # Remove all files related to a host from puppetca's storage. This is # useful when rebuilding hosts, since new certificate signing requests # will only be honored if puppetca does not have a copy of a signed # certificate for that host. The certificate of the host remains valid. # If '--all' is specified then all host certificates, both signed and # unsigned, will be removed. # # debug:: # Enable full debugging. # # generate:: # Generate a certificate for a named client. A certificate/keypair will be # generated for each client named on the command line. # # help:: # Print this help message # # list:: # List outstanding certificate requests. If '--all' is specified, # signed certificates are also listed, prefixed by '+', and revoked # or invalid certificates are prefixed by '-' (the verification outcome # is printed in parenthesis). # # print:: # Print the full-text version of a host's certificate. # # revoke:: # Revoke the certificate of a client. The certificate can be specified # either by its serial number, given as a decimal number or a hexadecimal # number prefixed by '0x', or by its hostname. The certificate is revoked # by adding it to the Certificate Revocation List given by the 'cacrl' # config parameter. Note that the puppetmasterd needs to be restarted # after revoking certificates. # # sign:: # Sign an outstanding certificate request. Unless '--all' is specified, # hosts must be listed after all flags. # # verbose:: # Enable verbosity. # # version:: # Print the puppet version number and exit. # # verify:: # Verify the named certificate against the local CA certificate. # # = Example # # $ puppetca -l # culain.madstop.com # $ puppetca -s culain.madstop.com # # = Author # # Luke Kanies # # = Copyright # # Copyright (c) 2005 Reductive Labs, LLC # Licensed under the GNU Public License require 'puppet/application/puppetca' Puppet::Application[:puppetca].run