Certificate Revocation List

The certificate_revocation_list endpoint retrieves a Certificate Revocation List (CRL) from the primary server. The primary server must be configured to be a CA. The returned CRL is always in the .pem format.

The :nodename should always be ca, due to the default auth.conf rules for WEBrick and Rack Puppet servers. (You can use a different :nodename if you change the auth rules, but it will have no effect on the response.)

Find

Get the submitted CRL

GET /puppet-ca/v1/certificate_revocation_list/:nodename
Accept: text/plain

Supported HTTP Methods

GET

Supported Response Formats

text/plain

The returned CRL is always in the .pem format.

Parameters

None

Examples

Because the returned CRL always looks similar to the human eye, the successful examples are each followed by an openssl decoding of the CRL PEM file.

Empty revocation list

GET /puppet-ca/v1/certificate_revocation_list/ca

HTTP/1.1 200 OK
Content-Type: text/plain

-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

> openssl crl -inform PEM -in empty.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=Puppet CA: localhost
        Last Update: Jul 16 20:48:42 2013 GMT
        Next Update: Jul 15 20:48:43 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                0
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        ab:20:49:3b:2d:dd:b4:23:9c:ad:bd:05:bb:b6:4e:3a:20:d0:
        ...

One-item revocation list

GET /puppet-ca/v1/certificate_revocation_list/ca

HTTP/1.1 200 OK
Content-Type: text/plain

-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

> openssl crl -inform PEM -in 1revoked.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=Puppet CA: localhost
        Last Update: Oct  7 19:48:40 2013 GMT
        Next Update: Oct  6 19:48:41 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Oct  7 19:48:41 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
        ba:e1:e3:d5:8d:76:6a:c9:38:f0:91:9e:d0:f5:9f:10:8e:6e:
        ...

No node name given

GET /puppet-ca/v1/certificate_revocation_list

HTTP/1.1 400 Bad Request
Content-Type: text/plain

No request key specified in /puppet-ca/v1/certificate_revocation_list

Schema

A certificate_revocation_list response body is not structured data according to any standard scheme such as json/pson/yaml, so no schema is applicable.

Update upstream CRLs

If your organization's CRLs require frequent updating, you can use the following endpoint to insert updated copies of your CRLs into the trust chain:

PUT /puppet-ca/v1/certificate_revocation_list
accept: text/plain

This endpoint accepts a list of CRL PEMs as a body and updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts. Note that it cannot be used to replace the leaf CRL (the one used to track certificates revoked by the Puppet Intermediate CA certificate), only CRLs further up the chain, which correspond to certs belonging to your organization's PKI. If an updated version of the Puppet leaf CRL is submitted in the body, it is ignored.

Note: If you are using curl to submit to this endpoint, pass the body with the --data-binary flag instead of --data. --data-binary preserves the newlines in the request body, which the server needs in order to parse the PEM CRLs correctly.

Supported HTTP Methods

PUT

Supported Response Formats

text/plain

Parameters

No parameters; the request body carries the CRL update (one or more PEM CRLs).

Example

PUT /puppet-ca/v1/certificate_revocation_list

BODY
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

HTTP/1.1 200 OK
Content-Type: text/plain

Successfully updated CRLs

PUT /puppet-ca/v1/certificate_revocation_list

BODY
 ----BEGIN X509 CRL-----
 Invalid CRL Content
 ----END X509 CRL------

HTTP/1.1 400 Bad Request
Content-Type: text/plain

No valid CRLs submitted