
Host Certificate AutoEnrollment

CERN Host Certificate AutoEnrollment and AutoRenewal

The CERN Certification Authority (CERN CA) issues host certificates for systems installed on the CERN network. This document describes an automated method for unattended host certificate installation and automatic renewal.

Software installation

As root on your system run:

# /usr/bin/yum install cern-get-certificate

The above command installs the required software and its dependencies on your CC7 or C8/CS8 system.

Configuration

Please review the content of the configuration file /etc/sysconfig/cern-get-certificate; the default settings should be appropriate in most cases.

#
# Configuration file for cern-get-certificate
#

# private path for certificate key file - default: /etc/pki/tls/private/
keypath=/etc/pki/tls/private/

# path for storing certificate file - default: /etc/pki/tls/certs/
certpath=/etc/pki/tls/certs/

# ownership of certificate files - use numeric IDs
# uid - default 0 (root)
uid=0
# gid - default 0 (root)
gid=0

# perform autorenewal
# NOTE: a service that is using the certificate at the time
# renewal happens will most likely need to be reloaded or
# restarted afterwards so that it picks up the new certificate;
# this can be done with the autorenewexec option below

autorenew=1
#autorenewexec="/sbin/service httpd reload"

# renew if validity shorter than X days - default: 7
days=7

# keytab for host authentication
keytab=/etc/krb5.keytab

See man cern-get-certificate for more information.

Usage

In order to enable autoenrollment and obtain the host certificate, your system must be configured in the CERN standard way: cern-get-keytab must have been run to obtain the host Kerberos credentials (the keytab referenced by the keytab setting above) before cern-get-certificate is run, since the host authenticates to the CERN CA with that keytab.

In order to activate, please run as root:

# /usr/sbin/cern-get-certificate --autoenroll [ --grid ]
The above command enables AutoEnrollment for the host on the CERN CA service, generates a certificate signing request (CSR), submits it, and stores the resulting host certificate from CERN CA (or a Grid host certificate when the --grid option is specified) in the configured certpath, with the private key in keypath.

You may check the status by running as root:

# /usr/sbin/cern-get-certificate --status [ --grid ]
which will produce an output similar to the one below:
--------------------------------------------------------------------------------
cert private key file  : present (/etc/pki/tls/private/hostname.cern.ch.key)
cert PEM file          : present (/etc/pki/tls/certs/hostname.cern.ch.pem)
cert DER file          : present (/etc/pki/tls/certs/hostname.cern.ch.crt)
cert days until expiry : 729
cron autorenewal status: enabled
cron autorenewal days  : 7
cron exec on autorenew : disabled
cert validity (OCSP)   : valid
autoenrollment status  : enabled
--------------------------------------------------------------------------------
In order to renew the certificate, run as root:
# /usr/sbin/cern-get-certificate --renew [ --force ]
In order to disable autoenrollment and autorenewal, run as root:
# /usr/sbin/cern-get-certificate --noautoenroll
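Once the certificate is in place, the one thing the procedure above does not do for you is check that the files cern-get-certificate stored actually fit together before a service is reloaded on top of them. The following is an added example, not code from cern-get-certificate or from this page: a shell check suitable as the autorenewexec hook. It verifies that the private key is not group/world readable, that the certificate carries the public half of that key, that the certificate is issued to this host, and that it is valid for at least the configured number of days, and only then reloads the service. Paths and file names follow the defaults on this page (keypath, certpath, hostname.cern.ch.*); the hook's install path and the httpd service are assumptions, and make_test_cert builds a constructed self-signed fixture so the check can be tried offline.

```shell
#!/bin/sh
# Post-renewal sanity check for a host certificate installed by
# cern-get-certificate (added example, not part of the tool).

check_host_cert() {
    # $1 FQDN, $2 certpath, $3 keypath, $4 minimum remaining validity in days
    fqdn=$1; cert="$2/$1.pem"; key="$3/$1.key"; mindays=$4

    [ -r "$cert" ] || { echo "missing certificate $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing private key $key" >&2; return 1; }

    # group/other permission bits (columns 5-10 of ls -l) must all be '-'
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "private key $key is readable by group/others ($perms)" >&2; return 1; }

    # the certificate must carry the public half of this private key:
    # compare digests of the two PEM-encoded public keys
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || {
        echo "certificate and private key do not match" >&2; return 1; }

    # issued to this host (SAN, falling back to subject CN, per RFC 6125 rules)
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q "does match" || {
        echo "certificate is not issued to $fqdn" >&2; return 1; }

    # still valid for at least mindays (mirrors the 'days' setting)
    openssl x509 -in "$cert" -noout -checkend $((mindays * 86400)) >/dev/null || {
        echo "certificate expires within $mindays days" >&2; return 1; }
}

make_test_cert() {
    # Constructed fixture for trying the check offline: a self-signed
    # certificate in the same file layout, NOT a CERN CA issued certificate.
    # $1 base dir, $2 FQDN, $3 validity in days
    mkdir -p "$1/certs" "$1/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/private/$2.key" -out "$1/certs/$2.pem" >/dev/null 2>&1
    chmod 600 "$1/private/$2.key"
}

verify_and_reload() {
    # Hook body for autorenewexec (assumed install path
    # /usr/local/sbin/verify-and-reload, assumed service httpd):
    # refuse to reload on top of a broken key/certificate pair.
    check_host_cert "$(hostname -f)" /etc/pki/tls/certs /etc/pki/tls/private 7 || return 1
    /sbin/service httpd reload
}

# When installed as the hook script, configure
#   autorenewexec="/usr/local/sbin/verify-and-reload --hook"
case "${1:-}" in --hook) verify_and_reload ;; esac
```

The check deliberately returns non-zero instead of reloading when anything is off, so a renewal that produced a mismatched pair or a key with loose permissions leaves the running service on its old, still-valid certificate rather than taking it down.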

Known limitations

  • Since Feb 26 2015 Grid Host Certificates can also be obtained with this method (using the --grid option); before that date only CERN Host Certificates could be obtained this way and Grid Host Certificates had to be requested directly from CERN CA.
  • Certificates can be obtained only for physical/virtual systems, not for DNS aliases.
  • Certificate file names are fixed to the form hostname.cern.ch.* (the location and ownership of the files are configurable).

More information

Please visit: Certificates Autoenrollment documentation page.

Run:

# /usr/sbin/cern-get-certificate --help
or
# man cern-get-certificate