Forge Home


Truncate the CRL issued by the Puppet CA


182 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.3.0 (latest)
  • 0.2.0
  • 0.1.0
released Aug 3rd 2023
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.1 < 7.0.0
  • , , , , ,
  • crl_truncate

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'm0dular-crl_truncate', '0.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add m0dular-crl_truncate
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install m0dular-crl_truncate --version 0.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



m0dular/crl_truncate — version 0.3.0 Aug 3rd 2023


Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality


This module can be used to truncate the CRL issued by the Puppet CA. That is, create a new CRL issued by the Puppet CA with no revoked certificates. There are several reasons to do this, including:

  • The CRL has grown very large, slowing down some operations
  • It has become corrupted or lost
  • You accidentally revoked an important certificate

The new CRL will be copied to the master's ssldir and the ca/ directory underneath.

Note that this module will only work with the CA included with Puppet, not an external or intermediate CA. It is compatible with a single or multi-length CRL chain, the latter being the default starting in PE 2019.



bolt task run --targets <node-name> crl_truncate::crl_truncate ssldir=<value>

- ssldir: Optional[String[1]]
    The location of the Puppet ssl dir

Puppet Task

puppet task run crl_truncate::crl_truncate [ssldir=<value>] <[--nodes, -n <node-names>] | [--query, -q <'query'>]>

- ssldir : Optional[String[1]]
    The location of the Puppet ssl dir

PE Console

Select crl_truncate::crl_truncate from the "Task" dropdown. Target the master by choosing "Node list" under the "Select targets" dropdown and run the job.