| author | nfagerlund <nick.fagerlund@gmail.com> | 2011-04-14 15:33:33 -0700 |
|---|---|---|
| committer | nfagerlund <nick.fagerlund@gmail.com> | 2011-04-14 15:41:29 -0700 |
| commit | ca9d68f2aa846d4d8c57f272e990115c9642e9e1 | |
| tree | c0a82b8af0e782e82daf1f6d9c6309a057082609 /lib/puppet/application | |
| parent | d88b3763cea9e116c8abf45ca2aa4ec80fa20349 | |
(#6408) Update puppet cert help for new subcommand action syntax.
Puppet cert now allows bareword actions, which brings it more in-line with the
Faces subcommands. Updating the help text accordingly.
Diffstat (limited to 'lib/puppet/application')
| -rw-r--r-- | lib/puppet/application/cert.rb | 98 |
1 files changed, 51 insertions, 47 deletions
diff --git a/lib/puppet/application/cert.rb b/lib/puppet/application/cert.rb index c08775380..162672b6a 100644 --- a/lib/puppet/application/cert.rb +++ b/lib/puppet/application/cert.rb @@ -61,9 +61,8 @@ but mostly used for signing certificate requests from puppet clients. USAGE ----- -puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] - [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke] [-p|--print] - [-c|--clean] [--verify] [--digest <digest>] [--fingerprint] [host] +puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] + [--digest <digest>] [<host>] DESCRIPTION 
@@ -73,6 +72,51 @@ certificate requests, this script is available for signing outstanding requests. It can be used to list outstanding requests and then either sign them individually or sign all of them. +ACTIONS +------- + +Every action except 'list' and 'generate' requires a hostname to act on, +unless the '--all' option is set. + +* clean: + Revoke a host's certificate (if applicable) and remove all files + related to that host from puppet cert's storage. This is useful when + rebuilding hosts, since new certificate signing requests will only be + honored if puppet cert does not have a copy of a signed certificate + for that host. If '--all' is specified then all host certificates, + both signed and unsigned, will be removed. + +* fingerprint: + Print the DIGEST (defaults to md5) fingerprint of a host's + certificate. + +* generate: + Generate a certificate for a named client. A certificate/keypair will + be generated for each client named on the command line. + +* list: + List outstanding certificate requests. If '--all' is specified, signed + certificates are also listed, prefixed by '+', and revoked or invalid + certificates are prefixed by '-' (the verification outcome is printed + in parenthesis). + +* print: + Print the full-text version of a host's certificate. + +* revoke: + Revoke the certificate of a client. The certificate can be specified + either by its serial number (given as a decimal number or a + hexadecimal number prefixed by '0x') or by its hostname. The + certificate is revoked by adding it to the Certificate Revocation List + given by the 'cacrl' configuration option. Note that the puppet master + needs to be restarted after revoking certificates. + +* sign: + Sign an outstanding certificate request. + +* verify: + Verify the named certificate against the local CA certificate. + OPTIONS ------- 
@@ -88,72 +132,32 @@ configuration options can also be generated by running puppet cert with '--genconfig'. * --all: - Operate on all items. Currently only makes sense with '--sign', - '--clean', or '--list'. + Operate on all items. Currently only makes sense with the 'sign', + 'clean', 'list', and 'fingerprint' actions. * --digest: Set the digest for fingerprinting (defaults to md5). Valid values depends on your openssl and openssl ruby extension version, but should contain at least md5, sha1, md2, sha256. -* --clean: - Remove all files related to a host from puppet cert's storage. This is - useful when rebuilding hosts, since new certificate signing requests - will only be honored if puppet cert does not have a copy of a signed - certificate for that host. The certificate of the host is also - revoked. If '--all' is specified then all host certificates, both - signed and unsigned, will be removed. - * --debug: Enable full debugging. -* --generate: - Generate a certificate for a named client. A certificate/keypair will - be generated for each client named on the command line. - * --help: Print this help message -* --list: - List outstanding certificate requests. If '--all' is specified, signed - certificates are also listed, prefixed by '+', and revoked or invalid - certificates are prefixed by '-' (the verification outcome is printed - in parenthesis). - -* --print: - Print the full-text version of a host's certificate. - -* --fingerprint: - Print the DIGEST (defaults to md5) fingerprint of a host's - certificate. - -* --revoke: - Revoke the certificate of a client. The certificate can be specified - either by its serial number, given as a decimal number or a - hexadecimal number prefixed by '0x', or by its hostname. The - certificate is revoked by adding it to the Certificate Revocation List - given by the 'cacrl' config parameter. Note that the puppetmasterd - needs to be restarted after revoking certificates. 
- -* --sign: - Sign an outstanding certificate request. Unless '--all' is specified, - hosts must be listed after all flags. - * --verbose: Enable verbosity. * --version: Print the puppet version number and exit. -* --verify: - Verify the named certificate against the local CA certificate. - EXAMPLE ------- - $ puppet cert -l + $ puppet cert list culain.madstop.com - $ puppet cert -s culain.madstop.com + $ puppet cert sign culain.madstop.com AUTHOR |
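Review bot: The new synopsis in the USAGE hunk (@@ -61,9 +61,8 @@) omits '--all', although the ACTIONS text added later in this patch depends on it ("unless the '--all' option is set") and the OPTIONS section still documents it. Suggest adding `[--all]` to the second synopsis line next to `[--digest <digest>]`. The trailing `[<host>]` also reads as a single optional host, while the 'generate' entry says a certificate/keypair is generated "for each client named on the command line"; `[<host> ...]` would match that.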
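Review bot: In the ACTIONS hunk (@@ -73,6 +72,51 @@), the opening sentence exempts 'generate' from needing a hostname, but the 'generate' entry itself says it generates a certificate "for a named client", so it does take names; only 'list' reads as a true exception. Either drop 'generate' from the exception or say that it takes names but does not accept '--all'. Separately, the 'fingerprint' entry states the md5 default without pointing at the alternative; md5 is not collision resistant, so the entry should reference '--digest' and name sha256, which the OPTIONS text already lists as a valid value. Minor: "in parenthesis" in the 'list' entry should be "in parentheses".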
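Review bot: The '--all' entry in the OPTIONS hunk (@@ -88,72 +132,32 @@) names 'sign' and 'fingerprint' among the actions it applies to, but neither of those action entries added earlier in this patch says what '--all' does, unlike 'clean' and 'list'. For 'sign' in particular the help should state that '--all' signs every outstanding request, since that is the case where an operator most needs to know the scope. The removed '--sign' entry also carried "Unless '--all' is specified, hosts must be listed after all flags" and the new 'sign' entry has no equivalent; if argument ordering still matters with bareword actions, restate it. While this section is being touched, the unchanged '--digest' context line has "Valid values depends", which should be "depend".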
