...
| Code Block |
|---|
| title | Revoke old client certificate |
|---|
|
root@puppetca.fqdn:~# puppetpuppetserver certca clean --certname client.fqdn |
The crl is distributed to the rest of the infrastructure each time these machines are running the puppet agent.
...
| Code Block |
|---|
|
root@puppetca.fqdn:~# puppetpuppetserver certca list |
To sign a certificate (with or without any DNS-alt-names):
| Code Block |
|---|
|
root@puppetca.fqdn:~# puppet cert sign client.fqdn |
If the certificate needs to have more than one DNS name in it (puppetservers, puppetca and puppetdb hosts for example), add --allow-dns-alt-names:(From puppet7, there is no longer a CLI switch to allow for alt-names. It must be set in the config for the Puppet CA)
| Code Block |
|---|
|
root@puppetca.fqdn:~# puppetpuppetserver certca sign --certname client.fqdn --allow-dns-alt-names |
Verify the new certificate
...
