Host Certificate AutoEnrollment
CERN Host Certificate AutoEnrollment and AutoRenewal
The CERN Certification Authority (CERN CA) issues host certificates for systems installed on the CERN network. This document describes an automated method allowing unattended host certificate installation and automatic renewal.
As root on your system run:
```
# /usr/bin/yum install cern-get-certificate
```

The above command installs the required software and its dependencies on your SLC5, SLC6 or CC7 system.

Please review the content of the configuration file /etc/sysconfig/cern-get-certificate; the default settings should be appropriate in most cases.
```
#
# Configuration file for cern-get-certificate
#
# See man cern-get-certificate for more information.

# private path for certificate key file - default: /etc/pki/tls/private/
keypath=/etc/pki/tls/private/

# path for storing certificate file - default: /etc/pki/tls/certs/
certpath=/etc/pki/tls/certs/

# ownership of certificate files - use numeric IDs
# uid - default 0 (root)
uid=0
# gid - default 0 (root)
gid=0

# perform autorenewal
# NOTE: if a service using the certificate is running
# at the time renewal happens it should be most likely
# restarted after - this can be done using autorenewexec
# option below
autorenew=1
#autorenewexec="/sbin/service httpd reload"

# renew if validity shorter than X days - default: 7
days=7

# keytab for host authentication
keytab=/etc/krb5.keytab
```
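As an added example (not part of this page or of the cern-get-certificate tool), the following Python reads a sysconfig file of the shape shown above and flags the settings a security reviewer would want checked before enabling autorenewal: non-numeric ownership IDs, a non-positive `days` value, a private key directory shared with the public certificate directory, and the case the NOTE in the file describes, `autorenew=1` with no `autorenewexec`, where a running service keeps serving the old certificate until someone restarts it. The function names `parse_sysconfig`, `validate_config` and `expected_files` are my own; the hostname.cern.ch.* file naming is taken from the status output later on this page, and the sample configuration is constructed.

```python
import os
import re
import shlex

# Constructed sample: the default /etc/sysconfig/cern-get-certificate shown above,
# with autorenewexec left commented out as in the shipped defaults.
SAMPLE_CONFIG = """\
# Configuration file for cern-get-certificate
keypath=/etc/pki/tls/private/
certpath=/etc/pki/tls/certs/
uid=0
gid=0
autorenew=1
#autorenewexec="/sbin/service httpd reload"
days=7
keytab=/etc/krb5.keytab
"""

REQUIRED = ("keypath", "certpath", "uid", "gid", "autorenew", "days", "keytab")
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sysconfig(text):
    """Parse shell-style KEY=value lines; comments and blank lines are skipped
    and quoted values are unquoted the way the shell would."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # not an assignment; sysconfig readers ignore such lines
        key, value = m.group(1), m.group(2)
        cfg[key] = " ".join(shlex.split(value, comments=True))
    return cfg


def expected_files(cfg, hostname):
    """Paths the tool will write, given the fixed hostname.cern.ch.* naming."""
    return {
        "key": os.path.join(cfg["keypath"], hostname + ".key"),
        "pem": os.path.join(cfg["certpath"], hostname + ".pem"),
        "crt": os.path.join(cfg["certpath"], hostname + ".crt"),
    }


def validate_config(cfg):
    """Return (severity, message) findings; an empty list means the config is sane."""
    findings = []
    for key in REQUIRED:
        if key not in cfg:
            findings.append(("error", f"{key} is not set"))
    for key in ("keypath", "certpath", "keytab"):
        if key in cfg and not cfg[key].startswith("/"):
            findings.append(("error", f"{key} must be an absolute path"))
    for key in ("uid", "gid"):
        if key in cfg and not cfg[key].isdigit():
            findings.append(("error", f"{key} must be a numeric ID, got {cfg[key]!r}"))
    if "autorenew" in cfg and cfg["autorenew"] not in ("0", "1"):
        findings.append(("error", "autorenew must be 0 or 1"))
    if "days" in cfg and (not cfg["days"].isdigit() or int(cfg["days"]) < 1):
        findings.append(("error", "days must be a positive integer"))
    # A private key stored in the same directory as the public certificate
    # files usually inherits a directory that is meant to be world-readable.
    if ("keypath" in cfg and "certpath" in cfg
            and os.path.normpath(cfg["keypath"]) == os.path.normpath(cfg["certpath"])):
        findings.append(("warning", "keypath equals certpath; keep the private key in a separate, restricted directory"))
    # The NOTE in the file: without autorenewexec a running service keeps
    # serving the old certificate after renewal until restarted by hand.
    if cfg.get("autorenew") == "1" and not cfg.get("autorenewexec"):
        findings.append(("warning", "autorenew is on but autorenewexec is unset; services must be reloaded manually after renewal"))
    if cfg.get("autorenew") == "0" and cfg.get("autorenewexec"):
        findings.append(("warning", "autorenewexec is set but autorenew is off, so it will never run"))
    return findings


if __name__ == "__main__":
    cfg = parse_sysconfig(SAMPLE_CONFIG)
    print(expected_files(cfg, "hostname.cern.ch"))
    for severity, message in validate_config(cfg):
        print(f"{severity}: {message}")
```

Run against the shipped defaults this reports exactly one warning (autorenewexec unset), which is the decision the NOTE asks you to make before turning the cron job loose on a host that runs a long-lived service.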
In order to enable autoenrollment and obtain the host certificate, your system must be configured in the CERN standard way: cern-get-keytab must have been run to obtain the host Kerberos credentials before cern-get-certificate is run.

In order to activate, please run as root:

```
# /usr/sbin/cern-get-certificate --autoenroll [ --grid ]
```

The above command enables AutoEnrollment on the CERN CA service, issues a certificate signing request (CSR) and uses the CSR to obtain and store the host certificate from CERN CA (or a Grid host certificate when the --grid option is specified).
You may check the status by running as root:

```
# /usr/sbin/cern-get-certificate --status [ --grid ]
```

which will produce an output similar to the one below:

```
cert private key file : present (/etc/pki/tls/private/hostname.cern.ch.key)
cert PEM file : present (/etc/pki/tls/certs/hostname.cern.ch.pem)
cert DER file : present (/etc/pki/tls/certs/hostname.cern.ch.crt)
cert days until expiry : 729
cron autorenewal status: enabled
cron autorenewal days : 7
cron exec on autorenew : disabled
cert validity (OCSP) : valid
autoenrollment status : enabled
```

In order to renew the certificate, run as root:

```
# /usr/sbin/cern-get-certificate --renew [ --force ]
```

In order to disable the autoenrollment and autorenewal, run as root:

```
# /usr/sbin/cern-get-certificate --noautoenroll
```
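The --status output is the natural input for a fleet check: a host whose certificate is near expiry with autorenewal off, whose OCSP status is no longer valid, or whose autoenrollment has been switched off is the one that will fail quietly later. The following Python, an added example that is not part of this page or of the tool, parses output of that shape and turns it into severity-tagged findings. The function names `parse_status`, `check_status` and `worst_severity` are my own, the sample is constructed from the output shown above, and the 30-day margin used when autorenewal is disabled is an assumed local policy, not a value the tool defines.

```python
import re

# Constructed sample modelled on the --status output shown on this page.
SAMPLE_STATUS = """\
cert private key file : present (/etc/pki/tls/private/hostname.cern.ch.key)
cert PEM file : present (/etc/pki/tls/certs/hostname.cern.ch.pem)
cert DER file : present (/etc/pki/tls/certs/hostname.cern.ch.crt)
cert days until expiry : 729
cron autorenewal status: enabled
cron autorenewal days : 7
cron exec on autorenew : disabled
cert validity (OCSP) : valid
autoenrollment status : enabled
"""

# "label : value"; the label runs up to the first colon, surrounding blanks dropped.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_status(text):
    """Turn the label/value lines of --status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_status(text, min_days_margin=30):
    """Return (severity, message) findings; min_days_margin is an assumed local policy."""
    f = parse_status(text)
    findings = []
    for label in ("cert private key file", "cert PEM file", "cert DER file"):
        if not f.get(label, "").startswith("present"):
            findings.append(("critical", f"{label} is missing"))
    ocsp = f.get("cert validity (OCSP)", "unknown")
    if ocsp != "valid":
        findings.append(("critical", f"OCSP reports the certificate as {ocsp}"))
    renew_enabled = f.get("cron autorenewal status") == "enabled"
    renew_days = _as_int(f.get("cron autorenewal days")) or 0
    days_left = _as_int(f.get("cert days until expiry"))
    if days_left is None:
        findings.append(("critical", "days until expiry not reported"))
    elif days_left <= 0:
        findings.append(("critical", "certificate has expired"))
    elif not renew_enabled and days_left < min_days_margin:
        findings.append(("warning", f"expires in {days_left} days and autorenewal is off"))
    elif renew_enabled and days_left < renew_days:
        # Inside the cron window but still not renewed: the renewal is failing.
        findings.append(("warning", f"inside the {renew_days}-day renewal window but still not renewed"))
    if not renew_enabled:
        findings.append(("warning", "cron autorenewal is disabled"))
    if f.get("autoenrollment status") != "enabled":
        findings.append(("warning", "autoenrollment is disabled"))
    if renew_enabled and f.get("cron exec on autorenew") == "disabled":
        findings.append(("info", "no autorenewexec configured: services keep the old certificate until restarted"))
    return findings


def worst_severity(findings):
    """Map findings to a number usable as an exit code: 0 clean, 1 info, 2 warning, 3 critical."""
    order = {"critical": 3, "warning": 2, "info": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for severity, message in check_status(SAMPLE_STATUS):
        print(f"{severity}: {message}")
    raise SystemExit(worst_severity(check_status(SAMPLE_STATUS)))
```

In practice the text would come from running the --status command on each host and shipping its output to wherever the fleet checks run; the healthy sample above yields only the informational note that no autorenewexec is configured.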
- At present only CERN Host Certificates can be obtained using this method; Grid Host Certificates must be obtained directly from CERN CA. (Grid Host Certificates can be obtained too starting Feb 26 2015.)
- Certificates can be obtained only for physical/virtual systems, not for DNS-aliases.
- Certificate file names are fixed to the form hostname.cern.ch.* (but the actual location and ownership of the files is configurable).
Please visit the Certificates Autoenrollment documentation page, or run:

```
# /usr/sbin/cern-get-certificate --help
```

or

```
# man cern-get-certificate
```