authorlutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0>2006-08-23 02:23:25 +0000
committerlutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0>2006-08-23 02:23:25 +0000
commit9576d1dda88bd14490b91f7aee0dbaee28969f79 (patch)
treed4098b1438093658920e777d290d0e658f0458d5 /bin
parent4151fd59ef6490c875140a874c0a13c5d3f311aa (diff)
Certificate revocation through puppetca. Keep a simple text inventory of all certificates ever issued.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1485 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'bin')
-rwxr-xr-xbin/puppetca49
1 files changed, 40 insertions, 9 deletions
diff --git a/bin/puppetca b/bin/puppetca
index f725e4a8f..d694ba294 100755
--- a/bin/puppetca
+++ b/bin/puppetca
@@ -46,6 +46,14 @@
# list::
# List outstanding certificate requests.
#
+# revoke::
+# Revoke the certificate of a client. The certificate can be specified
+# either by its serial number, given as a decimal number or a hexadecimal
+# number prefixed by '0x', or by its hostname. The certificate is revoked
+# by adding it to the Certificate Revocation List given by the 'cacrl'
+# config parameter. Note that the puppetmasterd needs to be restarted
+# after revoking certificates.
+#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
@@ -81,14 +89,15 @@ rescue LoadError
end
options = [
- [ "--all", "-a", GetoptLong::NO_ARGUMENT ],
- [ "--clean", "-c", GetoptLong::NO_ARGUMENT ],
- [ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
- [ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
- [ "--help", "-h", GetoptLong::NO_ARGUMENT ],
- [ "--list", "-l", GetoptLong::NO_ARGUMENT ],
- [ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
- [ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
+ [ "--all", "-a", GetoptLong::NO_ARGUMENT ],
+ [ "--clean", "-c", GetoptLong::NO_ARGUMENT ],
+ [ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
+ [ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
+ [ "--help", "-h", GetoptLong::NO_ARGUMENT ],
+ [ "--list", "-l", GetoptLong::NO_ARGUMENT ],
+ [ "--revoke", "-r", GetoptLong::NO_ARGUMENT ],
+ [ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
+ [ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
# Add all of the config parameters as valid options.
@@ -121,6 +130,8 @@ begin
end
when "--list"
mode = :list
+ when "--revoke"
+ mode = :revoke
when "--sign"
mode = :sign
when "--verbose"
@@ -160,7 +171,7 @@ unless mode
exit(12)
end
-if mode == :generate or mode == :clean
+if mode == :generate or mode == :clean or mode == :revoke
hosts = ARGV
else
hosts = ca.list
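Review bot: With `--revoke` the host list is now taken from `ARGV` in the `mode == :revoke` branch, but nothing in this hunk rejects an empty list, so `puppetca --revoke` with no hostname or serial would fall through to the revoke loop and exit quietly having revoked nothing. Unless a later check outside this hunk already covers that case, an explicit `if hosts.empty? then $stderr.puts "No hosts or serial numbers given to revoke"; exit(12); end` after the assignment would make the mistake visible to the operator. The surrounding statement run continues past the end of the hunk.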
@@ -230,6 +241,26 @@ when :generate
cert.cacert = cacert
cert.write
}
+when :revoke
+ hosts.each { |h|
+ serial = nil
+ if h =~ /^0x[0-9a-f]+$/
+ serial = h.to_i(16)
+ elsif h =~ /^[0-9]+$/
+ serial = h.to_i
+ else
+ cert = ca.getclientcert(h)[0]
+ if cert.nil?
+ $stderr.puts "Could not find client certificate for %s" % h
+ else
+ serial = cert.serial
+ end
+ end
+ unless serial.nil?
+ ca.revoke(serial)
+ puts "Revoked certificate with serial #{serial}"
+ end
+ }
else
$stderr.puts "Invalid mode %s" % mode
exit(42)
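Review bot: The hexadecimal branch `if h =~ /^0x[0-9a-f]+$/` only accepts lowercase digits, so a serial given as `0xAB` (the uppercase form hex serials are commonly printed in) is not recognised, falls through to the hostname lookup and is reported as a missing client certificate instead of being revoked. The `^`/`$` anchors also match per line rather than the whole argument; `if h =~ /\A0x[0-9a-f]+\z/i` and `elsif h =~ /\A[0-9]+\z/` fix both, and `h.to_i(16)` already accepts the `0x` prefix. Separately, a hand-typed serial is passed straight to `ca.revoke(serial)` with no check that it belongs to a certificate this CA issued; if `revoke` does not itself consult the inventory the commit message describes, a mistyped serial is silently added to the CRL while the intended certificate stays valid, so verifying the serial against the inventory (or at least printing the matching hostname alongside the serial in the success message) before revoking would be worth it. The hostname path indexes `ca.getclientcert(h)[0]`, which raises a NoMethodError rather than printing the not-found message if that helper returns nil instead of an array — worth confirming its contract.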