[iyunv@puppet ~]# puppet cert -h
* clean: #--clean清理Master主机上存储的所有相关证书文件.
Revoke a host's certificate (if applicable) and remove all files
related to that host from puppet cert's storage. This is useful when
rebuilding hosts, since new certificate signing requests will only be
honored if puppet cert does not have a copy of a signed certificate
for that host. If '--all' is specified then all host certificates,
both signed and unsigned, will be removed.
* fingerprint: #打印证书的算法.
Print the DIGEST (defaults to the signing algorithm) fingerprint of a
host's certificate.
* generate: #为指定的agent client域名签发一个证书文件.
Generate a certificate for a named client. A certificate/keypair will
be generated for each client named on the command line.
* list: #在Master上可以列出目前Agent机器等待签发证书的信息.
List outstanding certificate requests. If '--all' is specified, signed
certificates are also listed, prefixed by '+', and revoked or invalid
certificates are prefixed by '-' (the verification outcome is printed
in parenthesis).
* print: #打印证书的版本信息
Print the full-text version of a host's certificate.
* revoke: #回收指定的Agent证书.
Revoke the certificate of a client. The certificate can be specified either
by its serial number (given as a hexadecimal number prefixed by '0x') or by its
hostname. The certificate is revoked by adding it to the Certificate Revocation
List given by the 'cacrl' configuration option. Note that the puppet master
needs to be restarted after revoking certificates.
* sign: #签署待认证的证书请求.
Sign an outstanding certificate request.
* verify: #确认证书是否由本地CA签发.
Verify the named certificate against the local CA certificate.
* reinventory:
Build an inventory of the issued certificates. This will destroy the current
inventory file specified by 'cert_inventory' and recreate it from the
certificates found in the 'certdir'. Ensure the puppet master is stopped
before running this action.
OPTIONS(命令参数的子选项)
-------
Note that any setting that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
setting, so you can specify '--ssldir <directory>' as an
argument.
See the configuration file documentation at http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'.
* --all: #所有.可以使用在'sign','clean', 'list',and 'fingerprint'。
Operate on all items. Currently only makes sense with the 'sign',
'clean', 'list', and 'fingerprint' actions.
* --digest: #设置指纹提取的摘要(默认为使用的摘要签署的证书)有效值为你的openssl和openssl ruby扩展版本.
Set the digest for fingerprinting (defaults to the digest used when
signing the cert). Valid values depends on your openssl and openssl ruby
extension version.
* --debug: #调试模式
Enable full debugging.
* --help:
Print this help message
* --verbose:
Enable verbosity.
* --version:
Print the puppet version number and exit.
EXAMPLE
-------
$ puppet cert list
culain.madstop.com
$ puppet cert sign culain.madstop.com