| author | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-18 10:45:14 +0000 |
|---|---|---|
| committer | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-18 10:45:14 +0000 |
| commit | fd4ef3c95cdd17cba69823593170f773e0daa092 (patch) | |
| tree | 422d30c3e177473f221c83a1097da0dfdfd89456 | |
| parent | c8a6df0c40a878d2b96cf6e56586ba37e9c8eceb (diff) | |
| download | puppet-fd4ef3c95cdd17cba69823593170f773e0daa092.tar.gz puppet-fd4ef3c95cdd17cba69823593170f773e0daa092.tar.xz puppet-fd4ef3c95cdd17cba69823593170f773e0daa092.zip | |
Better documentation around certificate revocation and mgmt
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1619 980ebf18-57e1-0310-9a29-db15c13687c0
| mode | file | lines changed |
|---|---|---|
| -rwxr-xr-x | bin/puppetca | 7 |
| -rw-r--r-- | documentation/documentation/security.page | 12 |
| -rw-r--r-- | lib/puppet/sslcertificates/inventory.rb | 1 |

3 files changed, 16 insertions, 4 deletions
diff --git a/bin/puppetca b/bin/puppetca index de84c91e2..da9423c40 100755 --- a/bin/puppetca +++ b/bin/puppetca @@ -9,7 +9,7 @@ # = Usage # # puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] -# [-g|--generate] [-l|--list] [-s|--sign] +# [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke] # [-c|--clean] [host] # # = Description @@ -31,7 +31,10 @@ # Operate on all outstanding requests. Only makes sense with '--sign'. # # clean:: -# Remove all traces of a host. This is useful when rebuilding hosts. +# Remove all files related to a host from puppetca's storage. This is +# useful when rebuilding hosts, since new certificate signing requests +# will only be honored if puppetca does not have a copy of a signed +# certificate for that host. The certificate of the host remains valid. # # debug:: # Enable full debugging. diff --git a/documentation/documentation/security.page b/documentation/documentation/security.page index 086a2572d..b27a4bee3 100644 --- a/documentation/documentation/security.page +++ b/documentation/documentation/security.page 
@@ -50,8 +50,16 @@ Prior to the 1.0 release it is expected that there will be email notification of certificate requests waiting to be signed, but for now either the logs must be watched or ``puppetca --list`` can be used list waiting requests. -Once a request arrives, ``puppetca --sign <hostname>`` can be used to sign the -request. Adding the ``--all`` flag will sign all outstanding requests. +Once a request arrives, ``puppetca --sign <hostname>`` can be used to sign +the request. Adding the ``--all`` flag will sign all outstanding +requests. A list of all certificates ever issued by Puppet's CA can be +found in the file ``$cadir/inventory.txt''. + +Certificates, once issued, can be revoked with ``puppetca --revoke +<hostname|serial>''. The server consults the certificate revocation list +(CRL) every time a client tries to connect to the server; for revocations +to take effect, the server must be restarted after the certificate +revocation with ``puppetca''. # Access and Authorization diff --git a/lib/puppet/sslcertificates/inventory.rb b/lib/puppet/sslcertificates/inventory.rb index f3f790906..4dbf60410 100644 --- a/lib/puppet/sslcertificates/inventory.rb +++ b/lib/puppet/sslcertificates/inventory.rb @@ -32,6 +32,7 @@ module Puppet::SSLCertificates end inv = File.open(filename, "w") inv.puts "# Inventory of signed certificates" + inv.puts "# SERIAL NOT_BEFORE _NOT_AFTER SUBJECT" Dir.glob(File::join(Puppet[:signeddir], "*.pem")) do |f| format(inv, OpenSSL::X509::Certificate.new(File::read(f))) end |
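Review bot: In the first bin/puppetca hunk the usage line now advertises `[-r|--revoke]`, but no matching `revoke::` entry appears in the option descriptions anywhere in this patch. If the description list at `@@ -31,7 +31,10 @@` lacks one, add it alongside `clean::` and state that the argument may be either a hostname or a certificate serial, as security.page describes, so the CLI help and the security documentation agree on what `--revoke` accepts.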
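Review bot: In the second bin/puppetca hunk the new `clean::` text ends with "The certificate of the host remains valid", which is the right warning but leaves the operator without the next step; since this commit introduces `--revoke`, the sentence should point there, e.g. "The certificate of the host remains valid; use --revoke to invalidate it." Without that cross-reference an administrator rebuilding a compromised host may clean its files and assume the old certificate can no longer authenticate.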
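Review bot: In the security.page hunk the two new literals use mismatched delimiters, ``$cadir/inventory.txt'' and ``puppetca --revoke <hostname|serial>'', whereas the rest of the file closes with double backticks (``puppetca --list``); change the closing '' to `` so the markup renders. The CRL paragraph also contradicts itself: it says the server consults the CRL "every time a client tries to connect" and then that a restart is required for a revocation to take effect. Reword it to say what actually happens, presumably that the CRL is loaded when the server starts and checked against each connection, so the server must be restarted after `puppetca --revoke` for the new CRL to be read. The closing clause "after the certificate revocation with ``puppetca''" should also name the actual command.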
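Review bot: In the inventory.rb hunk the added header reads `# SERIAL NOT_BEFORE _NOT_AFTER SUBJECT`; the leading underscore on `_NOT_AFTER` looks like a typo rather than deliberate column padding. Confirm it against the field widths used by `format` (not shown in this hunk) and either drop the underscore or pad with spaces so the header lines up with the rows, since security.page now tells administrators to read this file to find serials for `--revoke`.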
