PUPPETSERVER-CA(1) General Commands Manual PUPPETSERVER-CA(1)

puppetserver-ca - Puppetserver CA management command

puppetserver ca (--help | --version)
puppetserver ca (--verbose) [subcommand] <args>

Manage the Private Key Infrastructure for Puppet Server's built-in Certificate Authority.

--help     Show the help message and exit
--version  Show the version number of the CA utility and exit
--verbose  Display low-level information

The following subcommands require a running Puppet Server:

clean     Revoke cert(s) and remove related files from CA
generate  Generate a new certificate signed by the CA
list      List certificates and CSRs
revoke    Revoke certificate(s)
sign      Sign certificate request(s)

The following subcommands require Puppet Server to be stopped:

import   Import an external CA chain and generate server PKI
setup    Setup a self-signed CA chain for Puppet Server
enable   Setup infrastructure CRL based on a node inventory
migrate  Migrate the existing CA directory to /etc/puppetserver/ca
prune    Prune the local CRL on disk to remove any duplicated certificates

For more details on the arguments supported by these subcommands, see the "Arguments" section of this man page.

clean:

--certname NAME[,NAME]  One or more comma separated certnames
--config CONF  Custom path to puppet.conf

enable:

--config CONF  Path to puppet.conf
--infracrl  Create auxiliary files for the infrastructure-only CRL

generate:

--certname NAME[,NAME]  One or more comma separated certnames
--config CONF  Path to puppet.conf
--subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert
--ca-client  Whether this cert will be used to request CA actions
--force  Suppress errors when signing cert offline
--ttl TTL  The time-to-live for each cert generated and signed

import:

--config CONF  Path to puppet.conf
--private-key KEY  Path to PEM encoded key
--cert-bundle BUNDLE  Path to PEM encoded bundle
--crl-chain CHAIN  Path to PEM encoded chain
--certname NAME  Common name to use for the server cert
--subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert

list:

--config CONF  Custom path to Puppet's config file
--all  List all certificates
--format FORMAT  Valid formats are: 'text' (default), 'json'
--certname NAME[,NAME]  List the specified cert(s)

migrate:

--config CONF Path to puppet.conf

prune:

--config CONF Path to the puppet.conf file on disk

revoke:

--certname NAME[,NAME]  One or more comma separated certnames
--config CONF  Custom path to puppet.conf

setup:

--config CONF  Path to puppet.conf
--subject-alt-names NAME[,NAME]  One or more comma separated alt-names for the cert
--ca-name NAME  Common name to use for the CA signing cert
--certname NAME  Common name to use for the server cert

sign:

--ttl TTL  The time-to-live for each cert signed
--certname NAME[,NAME]  The name(s) of the cert(s) to be signed
--config CONF  Custom path to Puppet's config file
--all  Operate on all certnames
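
A pre-flight guard around the subcommands and flags documented above. This is an added example, not part of the puppetserver package. The function names, the PUPPETSERVER_STATE and CA_RUN variables, the systemd unit name "puppetserver", the certname character set and the refusal of "sign --all" are assumptions of the example, not behaviour of the tool.

```sh
#!/bin/sh
# Added example (not from the puppetserver project): pre-flight guard for `puppetserver ca`.

# Server state each subcommand needs, taken from the two lists on this page.
ca_required_state() {
    case "$1" in
        clean|generate|list|revoke|sign)   echo running ;;
        import|setup|enable|migrate|prune) echo stopped ;;
        *) return 1 ;;
    esac
}

# Assumption: systemd unit "puppetserver". PUPPETSERVER_STATE overrides the probe.
ca_server_state() {
    if [ -n "${PUPPETSERVER_STATE:-}" ]; then
        echo "$PUPPETSERVER_STATE"
    elif systemctl is-active --quiet puppetserver 2>/dev/null; then
        echo running
    else
        echo stopped
    fi
}

# Local policy (assumption): comma separated names from a hostname-like
# character set, no empty items, no item starting with "-".
ca_valid_certnames() {
    case "$1" in
        ''|*[!A-Za-z0-9._,-]*|,*|*,|*,,*|-*|*,-*) return 1 ;;
    esac
}

# ca_guard SUBCOMMAND [ARGS...]
# Prints the command it would run; runs it only when CA_RUN=1.
ca_guard() {
    [ $# -ge 1 ] || { echo "usage: ca_guard SUBCOMMAND [ARGS...]" >&2; return 2; }
    sub=$1; shift
    need=$(ca_required_state "$sub") || { echo "unknown subcommand: $sub" >&2; return 2; }
    have=$(ca_server_state)
    [ "$need" = "$have" ] || { echo "$sub needs Puppet Server $need, it is $have" >&2; return 3; }
    prev=
    for arg in "$@"; do
        # Local policy (assumption): certificates are signed by name, never in bulk.
        [ "$sub" = sign ] && [ "$arg" = --all ] && { echo "refusing sign --all" >&2; return 4; }
        [ "$prev" = --certname ] && ! ca_valid_certnames "$arg" && { echo "bad certname list: $arg" >&2; return 5; }
        prev=$arg
    done
    set -- puppetserver ca "$sub" "$@"
    if [ "${CA_RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}
```

Source the file and call ca_guard in place of "puppetserver ca"; without CA_RUN=1 it only prints the command line that passed the checks.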

Bugs can be reported to your distribution's bug tracker or upstream at https://tickets.puppetlabs.com/browse/SERVER

puppetserver(1), puppetserver-gem(1), puppetserver-ruby(1), puppetserver-irb(1), puppetserver-foreground(1)

Louis-Philippe Véronneau

2023