CertAccord – How To Create Trusted Certificates From Command Line On Linux

Creating a trusted X.509 certificate on Linux (Red Hat Enterprise Linux (RHEL), Ubuntu Linux, and MacOS X) is fast and simple using CertAccord Enterprise. Almost any IT system administrator can create certificates without having to be a PKI expert.

This article shows you how to create a trusted X.509 certificate from the Linux command line (bash prompt) in just a few minutes. Once the certificate is created it is installed locally and managed automatically, including automatic renewals.

Prerequisites

The CertAccord Enterprise Server must be installed and configured to access your enterprise Microsoft Certificate Authority.

STEP 1 – Install CertAccord Enterprise Agent

If you don't already have the CertAccord Agent installed, copy the CertAccord Agent installer to your Linux system and then run it. The version number in the installer file name depends on the release you downloaded; use the same file name in both commands:

chmod +x ./cmbagent-4.0-linux-x64.run
./cmbagent-4.0-linux-x64.run --mode unattended

This command will install the Agent into the default location of /usr/local/cmbagent.

STEP 2 – Register Agent

export PATH=/usr/local/cmbagent/bin:$PATH
cmb register server=myserver

Change myserver to be the hostname of the CertAccord Enterprise Server.

When you run this command, the Agent will download the CA trust information from the server, generate a private key locally (configured to adhere to the policies given by the server), and then submit the registration request to the server.

STEP 3 – Create Certificate

To create a web server certificate for use with Apache HTTPD or other web server, run the following command:

cmb cert create purpose=webserver

This command will automatically create a CSR, submit it to the enterprise CA, and install the certificate once it is issued. All of this is done using the PKI policies configured on the CertAccord Enterprise Server and your enterprise CA. The Linux system administrator running the command needs no knowledge of these policies or configuration requirements.

Here is example output:

Creating Certificate PURPOSES: [WebServer]
Created certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Saved certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to AgentProfile
Apply Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Exported Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to /var/cmb/cert/dune.contoso.com-webserver.crt
Exported PrivateKey Grq8jB3h [RSA 2048] to /var/cmb/cert/dune.contoso.com-webserver.key
Applying certificate to Apache HTTP Web Server: ID: 634RJ65d PURPOSE: WebServer
COMMAND [/usr/sbin/service apache2 reload] ran successfully
Reloaded Apache HTTP Web Server
Apply certificate to Apache HTTP Web Server: ID: 634RJ65d RESULT: Succeeded

The output shows that a certificate was created, saved to the local Agent database, and a copy of the certificate was exported to /var/cmb/cert/dune.contoso.com-webserver.crt (with the private key beside it in /var/cmb/cert/dune.contoso.com-webserver.key). The Apache HTTPD server was also reloaded so that it re-reads its configured certificate files.
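As an added example that is not part of the original article or of the CertAccord product, the following POSIX shell script checks the files the Agent exported in the output above: that the exported private key belongs to the certificate, that the certificate chains to the enterprise CA rather than being self-signed, that automatic renewal has not stalled, and that the key file is not readable by other users. It assumes the openssl command-line tool; the CA bundle path is a placeholder, and the fixture CA and certificate it generates are constructed stand-ins for what the enterprise CA issues.

```shell
#!/bin/sh
# Added example, not CertAccord's own code: post-issuance checks for the
# certificate and key the Agent exported under /var/cmb/cert.
# Assumes the openssl CLI; the CA bundle path and the fixture are constructed.
set -eu

# check_cert CERT KEY CA_BUNDLE [MIN_DAYS]: returns 0 only if every check passes
check_cert() {
  crt="$1"; key="$2"; ca="$3"; min_days="${4:-30}"
  # 1. The exported private key must belong to the exported certificate:
  #    compare the SubjectPublicKeyInfo derived from each file.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # 2. It must chain to the enterprise CA, i.e. it is not self-signed.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA" >&2; return 2; }
  # 3. Catch a stalled auto-renewal: fail if it expires within min_days.
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "certificate expires within $min_days days" >&2; return 3; }
  # 4. The key file must not be readable by group or others.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    *00) return 0 ;;
    *) echo "key file mode $mode is too permissive" >&2; return 4 ;;
  esac
}

# make_fixture DIR: constructed stand-in for the enterprise CA and an issued
# web server certificate, using the file names from the article's output.
make_fixture() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Contoso Issuing CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dune.contoso.com" \
    -keyout "$dir/dune.contoso.com-webserver.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/dune.contoso.com-webserver.crt" 2>/dev/null
  chmod 600 "$dir/dune.contoso.com-webserver.key"
}

# On a real system (the CA bundle path is a placeholder; the Agent downloads the
# CA trust information but the article does not say where it stores it):
#   check_cert /var/cmb/cert/dune.contoso.com-webserver.crt \
#              /var/cmb/cert/dune.contoso.com-webserver.key /path/to/enterprise-ca.pem
```

Run the checks from cron after the Agent's renewal window so that a renewal that failed silently, or a key file left with loose permissions, is noticed before the certificate expires.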

Summary

A few key take-aways:

  1. Using the CertAccord Agent required no prior knowledge of the enterprise PKI policies for keys or certificates.
  2. Because the certificate was created by the enterprise CA and is not self-signed, the certificate is automatically verifiable by any application in the enterprise.
  3. The Agent manages the life-cycle of the certificate. That means it will automatically renew the certificate without any human intervention.