CertAccord – How To Create Trusted Certificates From Command Line On MacOS X
Creating a trusted X.509 certificate on Apple’s MacOS X (as well as Linux) is fast and simple using CertAccord Enterprise. Almost any IT system administrator can create certificates without having to be a PKI expert.
This article shows you how to create a trusted X.509 certificate from the MacOS X command line (bash prompt) in just a few minutes. Once the certificate is created it will be installed locally and managed automatically (including automatic renewals).
The CertAccord Enterprise Server must be installed and configured to access your enterprise Microsoft Certificate Authority.
STEP 1 – Install CertAccord Enterprise Agent
If you don’t already have the CertAccord Agent installed, you can install it by copying the CertAccord Agent installer to your MacOS X system. Then run the installer:
sudo hdiutil attach /tmp/cmbagent-version-platform.dmg
sudo '/Volumes/CertAccord Installer version/cmbagent/version.app/Contents/MacOS/installbuilder.sh' --mode unattended
sudo hdiutil detach '/Volumes/CertAccord Installer version'
This command will install the Agent into the default location of
STEP 2 – Register Agent
export PATH=/Applications/CertAccord/bin:$PATH
cmb register server=myserver
Change myserver to be the hostname of the CertAccord Enterprise Server.
When you run this command, the Agent will download the CA trust information from the server, generate a private key locally (configured to adhere to the policies given by the server), and then submit the registration request to the server.
STEP 3 – Create Certificate
To create a web server certificate for use with Apache HTTPD or other web server, run the following command:
cmb cert create purpose=webserver
This command will automatically create a CSR, submit it to the enterprise CA, and install the certificate once issued. This is all done using the PKI policies configured on the CertAccord Enterprise Server and your enterprise CA. No knowledge of these policies or configuration requirements is needed by the system administrator when running this command.
Here is example output:
Creating Certificate PURPOSES: [WebServer]
Created certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Saved certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to AgentProfile
Apply Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Exported Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to /var/cmb/cert/dune.magnicomp.com-webserver.crt
Exported PrivateKey Grq8jB3h [RSA 2048] to /var/cmb/cert/dune.contoso.com-webserver.key
Applying certificate to Apache HTTP Web Server: ID: 634RJ65d PURPOSE: WebServer
COMMAND [/usr/sbin/service apache2 reload] ran successfully
Reloaded Apache HTTP Web Server
Apply certificate to Apache HTTP Web Server: ID: 634RJ65d RESULT: Succeeded
The output shows that a certificate was created, saved to the local Agent database, and a copy of the certificate was exported to /var/cmb/cert/dune.contoso.com-webserver.crt. The Apache HTTPD server was also reloaded so that it re-read its configured certificate files.
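Before trusting the exported pair in production, a post-issuance sanity check is worth scripting. The following is an added example, not CertAccord tooling: it assumes openssl is on PATH, that the exported .crt and .key are in PEM form, and that the enterprise CA chain is available as a PEM bundle at a path you supply (the hypothetical $CA_BUNDLE below).

```shell
#!/bin/sh
# Verify a certificate/key pair exported by the agent before relying on it.
# Usage: check_issued_cert CERT KEY CA_BUNDLE EXPECTED_HOSTNAME [MIN_DAYS]
# Returns 0 when every check passes, 1 on the first failure.
check_issued_cert() {
  crt=$1; key=$2; ca=$3; host=$4; min_days=${5:-30}

  # 1. The certificate must chain to the enterprise CA, not merely exist.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; return 1; }

  # 2. The exported private key must match the certificate's public key
  #    (compare SHA-256 of the PEM public key derived from each side).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $crt"; return 1; }

  # 3. The certificate must not expire within MIN_DAYS (renewal is the
  #    agent's job, but a check catches a renewal that silently failed).
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: $crt expires within $min_days days"; return 1; }

  # 4. The subject or SAN must name the host the web server answers as.
  openssl x509 -in "$crt" -noout -text | grep -qF "$host" \
    || { echo "FAIL: $crt does not name $host"; return 1; }

  echo "OK: $crt / $key verified for $host"
  return 0
}

# Example invocation using the paths from the agent output above;
# CA_BUNDLE is a placeholder for wherever your CA chain is kept.
# check_issued_cert /var/cmb/cert/dune.contoso.com-webserver.crt \
#                   /var/cmb/cert/dune.contoso.com-webserver.key \
#                   "$CA_BUNDLE" dune.contoso.com 30
```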
A few key take-aways:
- Using the CertAccord Agent required no prior knowledge of the enterprise PKI policies for keys or certificates.
- Because the certificate was created by the enterprise CA and is not self-signed, the certificate is automatically verifiable by any application in the enterprise.
- The Agent manages the life-cycle of the certificate. That means it will automatically renew the certificate without any human intervention.