1 files changed, 110 insertions, 0 deletions
diff --git a/lib/puppet/util/command_line/puppetca b/lib/puppet/util/command_line/puppetca
new file mode 100755
index 000000000..4f1a88da5
--- /dev/null
+++ b/lib/puppet/util/command_line/puppetca
@@ -0,0 +1,110 @@
+#!/usr/bin/env ruby
+
+#
+# = Synopsis
+#
+# Stand-alone certificate authority.  Capable of generating certificates
+# but mostly meant for signing certificate requests from puppet clients.
+#
+# = Usage
+#
+#   puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
+#               [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
+#               [-p|--print] [-c|--clean] [--verify] [--digest DIGEST]
+#               [--fingerprint] [host]
+#
+# = Description
+#
+# Because the puppetmasterd daemon defaults to not signing client certificate
+# requests, this script is available for signing outstanding requests.  It
+# can be used to list outstanding requests and then either sign them individually
+# or sign all of them.
+#
+# = Options
+#
+# Note that any configuration parameter that's valid in the configuration file
+# is also a valid long argument.  For example, 'ssldir' is a valid configuration
+# parameter, so you can specify '--ssldir <directory>' as an argument.
+#
+# See the configuration file documentation at
+# http://reductivelabs.com/projects/puppet/reference/configref.html for
+# the full list of acceptable parameters. A commented list of all
+# configuration options can also be generated by running puppet cert with
+# '--genconfig'.
+#
+# all::
+#   Operate on all items.  Currently only makes sense with '--sign',
+#   '--clean', or '--list'.
+#
+# digest::
+#   Set the digest for fingerprinting (defaults to md5). Valid values depends
+#   on your openssl and openssl ruby extension version, but should contain at
+#   least md5, sha1, md2, sha256.
+#
+# clean::
+#    Remove all files related to a host from puppet cert's storage. This is
+#    useful when rebuilding hosts, since new certificate signing requests
+#    will only be honored if puppet cert does not have a copy of a signed
+#    certificate for that host. The certificate of the host remains valid.
+#    If '--all' is specified then all host certificates, both signed and
+#    unsigned, will be removed.
+#
+# debug::
+#   Enable full debugging.
+#
+# generate::
+#   Generate a certificate for a named client.  A certificate/keypair will be
+#   generated for each client named on the command line.
+#
+# help::
+#   Print this help message
+#
+# list::
+#   List outstanding certificate requests.  If '--all' is specified,
+#   signed certificates are also listed, prefixed by '+', and revoked
+#   or invalid certificates are prefixed by '-' (the verification outcome
+#   is printed in parenthesis).
+#
+# print::
+#   Print the full-text version of a host's certificate.
+#
+# fingerprint::
+#   Print the DIGEST (defaults to md5) fingerprint of a host's certificate.
+#
+# revoke::
+#   Revoke the certificate of a client. The certificate can be specified
+#   either by its serial number, given as a decimal number or a hexadecimal
+#   number prefixed by '0x', or by its hostname. The certificate is revoked
+#   by adding it to the Certificate Revocation List given by the 'cacrl'
+#   config parameter. Note that the puppetmasterd needs to be restarted
+#   after revoking certificates.
+#
+# sign::
+#   Sign an outstanding certificate request.  Unless '--all' is specified,
+#   hosts must be listed after all flags.
+#
+# verbose::
+#   Enable verbosity.
+#
+# version::
+#   Print the puppet version number and exit.
+#
+# verify::
+#   Verify the named certificate against the local CA certificate.
+#
+# = Example
+#
+#   $ puppet cert -l
+#   culain.madstop.com
+#   $ puppet cert -s culain.madstop.com
+#
+# = Author
+#
+# Luke Kanies
+#
+# = Copyright
+#
+# Copyright (c) 2005 Reductive Labs, LLC
+# Licensed under the GNU Public License
+
+#Puppet::Application[:cert].run