author lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> 2006-09-18 10:45:14 +0000
committer lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> 2006-09-18 10:45:14 +0000
commit fd4ef3c95cdd17cba69823593170f773e0daa092
tree 422d30c3e177473f221c83a1097da0dfdfd89456 /documentation
parent c8a6df0c40a878d2b96cf6e56586ba37e9c8eceb
Better documentation around certificate revocation and mgmt
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1619 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'documentation')
-rw-r--r-- documentation/documentation/security.page 12
1 files changed, 10 insertions, 2 deletions
diff --git a/documentation/documentation/security.page b/documentation/documentation/security.page
index 086a2572d..b27a4bee3 100644
--- a/documentation/documentation/security.page
+++ b/documentation/documentation/security.page
@@ -50,8 +50,16 @@ Prior to the 1.0 release it is expected that there will be email notification
of certificate requests waiting to be signed, but for now either the logs
must be watched or ``puppetca --list`` can be used list waiting requests.
-Once a request arrives, ``puppetca --sign <hostname>`` can be used to sign the
-request. Adding the ``--all`` flag will sign all outstanding requests.
+Once a request arrives, ``puppetca --sign <hostname>`` can be used to sign
+the request. Adding the ``--all`` flag will sign all outstanding
+requests. A list of all certificates ever issued by Puppet's CA can be
+found in the file ``$cadir/inventory.txt''.
+
+Certificates, once issued, can be revoked with ``puppetca --revoke
+<hostname|serial>''. The server consults the certificate revocation list
+(CRL) every time a client tries to connect to the server; for revocations
+to take effect, the server must be restarted after the certificate
+revocation with ``puppetca''.
# Access and Authorization
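Review bot: The new revocation paragraph says the server consults the CRL "every time a client tries to connect" and, in the same sentence, that the server must be restarted for a revocation to take effect; as written the two halves read as contradictory, and the consequence that matters to an operator is left implicit. Suggest stating when the CRL is actually read, and saying outright that a revoked certificate continues to be accepted until the restart, so that revoke-then-restart reads as one required procedure. Separately, the three added literals (``$cadir/inventory.txt'', ``puppetca --revoke <hostname|serial>'' and ``puppetca'') close with two apostrophes where the unchanged lines close with double backticks, as in ``puppetca --list``, and the revoke command is wrapped across a line break inside the literal; both are likely to render incorrectly. Since the revoke command accepts a serial, it would also help to say what inventory.txt records for each certificate so readers know where to look the serial up.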