| field | value | date |
|---|---|---|
| author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-12-29 15:27:54 +0100 |
| committer | James Turnbull <james@lovedthanlost.net> | 2010-01-19 08:37:23 +1100 |
| commit | 3e9677f00a09d0249713ed2fa503e42b07f6d978 (patch) | |
| tree | 0b99bb4cd9039bb220ee75f2520b37920a6b7628 /sbin | |
| parent | 91c44b439794a87111ab1a0726a2ad08981c839e (diff) | |
| download | puppet-3e9677f00a09d0249713ed2fa503e42b07f6d978.tar.gz, puppet-3e9677f00a09d0249713ed2fa503e42b07f6d978.tar.xz, puppet-3e9677f00a09d0249713ed2fa503e42b07f6d978.zip | |
Feature #2839 - fingerprint certificate
This patch adds several things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints
of given certificates (or all including CSR)
* a --fingerprint puppetd option to display client certificates
* each time a CSR is generated, its fingerprint is displayed in the log
It is also possible to use --digest in puppetca and puppetd to specify a specific digest
algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
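The check this feature enables is simple to state: the client prints the fingerprint of the CSR it sent, and the operator compares it against the fingerprint of the CSR the master actually received before signing. The Ruby below is an added illustration, not Puppet's own code; it builds a CSR with OpenSSL, derives a colon-separated hex fingerprint under a selectable digest (the `fingerprint`, `make_csr` and `safe_to_sign?` names and the `node1.example.com` CN are constructed for this example), and shows that a CSR for the same name but a different key produces a different fingerprint, which is the substitution the pre-signing comparison is meant to catch.

```ruby
require 'openssl'

# Colon-separated uppercase hex digest of a certificate or CSR's DER form.
# digest is any name OpenSSL knows (md5, sha1, sha256, ...). Helper for
# this example only; it mirrors the printed format, not Puppet's internals.
def fingerprint(obj, digest = 'sha256')
  raw = OpenSSL::Digest.new(digest).digest(obj.to_der)
  raw.unpack1('H*').upcase.scan(/../).join(':')
end

# Client side: build a certificate signing request for a given CN.
def make_csr(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('sha256'))
  csr
end

# Master side: before signing, confirm the CSR that arrived carries an intact
# self-signature and matches the fingerprint the operator read off the client.
# The same digest must be used on both sides or the values cannot match.
def safe_to_sign?(received_csr_pem, expected_fp, digest = 'sha256')
  csr = OpenSSL::X509::Request.new(received_csr_pem)
  return false unless csr.verify(csr.public_key)
  fingerprint(csr, digest) == expected_fp.upcase
end

# Walk through the honest case and the substituted-CSR case.
# Returns [honest_ok, substituted_ok, client_fingerprint].
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  client_csr = make_csr('node1.example.com', key)
  fp = fingerprint(client_csr)            # what "puppetd --fingerprint" would show

  honest = safe_to_sign?(client_csr.to_pem, fp)

  # Same CN, different key: the fingerprint the master computes no longer
  # matches what the client printed, so the request must not be signed.
  other_key = OpenSSL::PKey::RSA.new(2048)
  swapped_csr = make_csr('node1.example.com', other_key)
  substituted = safe_to_sign?(swapped_csr.to_pem, fp)

  [honest, substituted, fp]
end

if __FILE__ == $PROGRAM_NAME
  honest, substituted, fp = demo
  puts "client fingerprint: #{fp}"
  puts "honest CSR accepted: #{honest}, substituted CSR accepted: #{substituted}"
end
```

Because the fingerprint is a digest over the DER encoding, an attacker who can replace the CSR in transit would need a second request colliding under the chosen digest; that is why the digest choice matters for this check and why a collision-resistant default is preferable to md5.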
Diffstat (limited to 'sbin')

| mode | file | changes |
|---|---|---|
| -rwxr-xr-x | sbin/puppetca | 11 |
| -rwxr-xr-x | sbin/puppetd | 23 |

2 files changed, 31 insertions, 3 deletions
diff --git a/sbin/puppetca b/sbin/puppetca index 27ba916b5..eab594ba6 100755 --- a/sbin/puppetca +++ b/sbin/puppetca @@ -10,7 +10,8 @@ # # puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] # [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke] -# [-p|--print] [-c|--clean] [--verify] [host] +# [-p|--print] [-c|--clean] [--verify] [--digest DIGEST] +# [--fingerprint] [host] # # = Description # @@ -35,6 +36,11 @@ # Operate on all items. Currently only makes sense with '--sign', # '--clean', or '--list'. # +# digest:: +# Set the digest for fingerprinting (defaults to md5). Valid values depends +# on your openssl and openssl ruby extension version, but should contain at +# least md5, sha1, md2, sha256. +# # clean:: # Remove all files related to a host from puppetca's storage. This is # useful when rebuilding hosts, since new certificate signing requests @@ -62,6 +68,9 @@ # print:: # Print the full-text version of a host's certificate. # +# fingerprint:: +# Print the DIGEST (defaults to md5) fingerprint of a host's certificate. +# # revoke:: # Revoke the certificate of a client. The certificate can be specified # either by its serial number, given as a decimal number or a hexadecimal diff --git a/sbin/puppetd b/sbin/puppetd index bf7d02838..fd78dc631 100755 --- a/sbin/puppetd +++ b/sbin/puppetd @@ -12,7 +12,8 @@ # [--detailed-exitcodes] [--disable] [--enable] # [-h|--help] [--fqdn <host name>] [-l|--logdest syslog|<file>|console] # [-o|--onetime] [--serve <handler>] [-t|--test] [--noop] -# [-V|--version] [-v|--verbose] [-w|--waitforcert <seconds>] +# [--digest <digest>] [--fingerprint] [-V|--version] +# [-v|--verbose] [-w|--waitforcert <seconds>] # # = Description # 
@@ -35,7 +36,7 @@ # configuration every 30 minutes. # # Some flags are meant specifically for interactive use -- in particular, -# +test+ and +tags+ are useful. +test+ enables verbose logging, causes +# +test+, +tags+ or +fingerprint+ are useful. +test+ enables verbose logging, causes # the daemon to stay in the foreground, exits if the server's configuration is # invalid (this happens if, for instance, you've left a syntax error on the # server), and exits after running the configuration once (rather than hanging @@ -51,6 +52,15 @@ # which would only apply that small portion of the configuration during your # testing, rather than applying the whole thing. # +# +fingerprint+ is a one-time flag. In this mode +puppetd+ will run once and +# display on the console (and in the log) the current certificate (or certificate +# request) fingerprint. Providing the +--digest+ option allows to use a different +# digest algorithm to generate the fingerprint. The main use is to verify that +# before signing a certificate request on the master, the certificate request the +# master received is the same as the one the client sent (to prevent against +# man-in-the-middle attacks when signing certificates). +# +# # = Options # # Note that any configuration parameter that's valid in the configuration file @@ -72,6 +82,11 @@ # debug:: # Enable full debugging. # +# digest:: +# Change the certificate fingerprinting digest algorithm. The default is MD5. +# Valid values depends on the version of OpenSSL installed, but should always +# at least contain MD5, MD2, SHA1 and SHA256. +# # detailed-exitcodes:: # Provide transaction information via exit codes. If this is enabled, an # exit code of '2' means there were changes, and an exit code of '4' means 
@@ -119,6 +134,10 @@ # Run the configuration once, rather than as a long-running daemon. This is # useful for interactively running puppetd. # +# fingerprint:: +# Display the current certificate or certificate signing request fingerprint +# and then exit. Use the +--digest+ option to change the digest algorithm used. +# # serve:: # Start another type of server. By default, +puppetd+ will start # a service handler that allows authenticated and authorized remote nodes to |
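Review bot: In the puppetca hunk at `@@ -35,6 +36,11 @@`, the new `digest::` entry makes md5 the default fingerprint digest and lists md2 among the valid values; since the whole point of the fingerprint is to let an operator confirm that the CSR received on the master is the one the client sent, a collision-weak digest undercuts that check, so consider defaulting to sha256 and noting that md5 and md2 are kept only for compatibility with older OpenSSL builds. In the same hunk, `Valid values depends` should read `Valid values depend`.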
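Review bot: In the puppetca hunk at `@@ -62,6 +68,9 @@`, the `fingerprint::` entry only mentions "a host's certificate", but the commit message says the action also covers pending requests (`or all including CSR`); the entry should say that when no signed certificate exists the CSR fingerprint is printed instead, since comparing the unsigned request is the case the pre-signing check exists for.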
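Review bot: In the puppetd hunk at `@@ -51,6 +52,15 @@`, the new paragraph ends with two consecutive empty comment lines (`+#` followed by `+#`) before `# = Options`, which leaves a double blank in the rendered documentation; drop one. Wording: `allows to use a different digest` should be `allows you to use a different digest`, and `to prevent against man-in-the-middle attacks` should be `to prevent man-in-the-middle attacks`. It would also help to spell out the workflow the paragraph alludes to: run `puppetd --fingerprint` on the client, compare that value with the fingerprint shown by `puppetca --list` on the master (which this patch adds), and only then `puppetca --sign`; the same `--digest` must be used on both sides or the values will never match.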
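Review bot: In the puppetd hunk at `@@ -72,6 +82,11 @@`, `Valid values depends on the version of OpenSSL` should read `Valid values depend`; the entry also writes the defaults as `MD5, MD2, SHA1 and SHA256` while the corresponding puppetca entry writes `md5, sha1, md2, sha256`, and since the value is handed to OpenSSL it would be clearer to document a single spelling in both files that matches what the option actually accepts.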
