CertAccord© – How To Create Trusted Certificates From Command Line On MacOS
Creating a trusted X.509 certificate on Apple’s MacOS (as well as Linux) is fast and simple using CertAccord Enterprise. Most any IT system administrator can create certificates without having to be a PKI expert. Often times IT staff are thinking about how to create a certificate signing request mac when in fact they should be thinking about how to create a certificate using an automated solution such as CertAccord Enterprise.
This article shows you how to create a trusted X.509 certificate from the MacOS command line (bash prompt) in just a few minutes. Once the certificate is created it will be installed locally and managed automatically (including automatic renewals).
How to Create a Certificate Signing Request on Mac
Creating a Certificate Signing Request (CSR) on Mac is a typical operating that usually involves using the openssl command to create a CSR file. Once the CSR is created it is manually submitted to a Certificate Authority such as Microsoft ADCS. Once the CA issues the certificate it is manually copied to the MacOS endpoint and installed. This is a slow, manual process that must be repeated whenever the certificate expires.
A much better alternative is to use CertAccord Enterprise to automate not only the creation of the certificate but also the renewal. You can even automatically push certificates from the CertAccord Enterprise server to MacOS endpoints without any manual processes. No CSR files are ever needed.
The CertAccord Enterprise Server must be installed and configured to access your enterprise Microsoft Certificate Authority.
STEP 1 – Install CertAccord Enterprise Agent
If you don’t already have the CertAccord Agent installed, you can install it by copying the CertAccord Agent installer to your MacOS system. Then run the installer:
sudo hdiutil attach /tmp/cmbagent-version-platform.dmg sudo '/Volumes/CertAccord Installer version/cmbagent/version.app/Contents/MacOS/installbuilder.sh' --mode unattended sudu hdiutil detach '/Volumes/CertAccord Installer version'
This command will install the Agent into the default location of
STEP 2 – Register Agent
export PATH=/Applications/CertAccord/bin:$PATH cmb register server=myserver
Change myserver to be the hostname of the CertAccord Enterprise Server.
When you run this command, the Agent will download the CA trust information from the server, generate a private key locally (configured to adhere to the policies given by the server), and then submit the registration request to the server.
STEP 3 – Create Certificate
To create a web server certificate for use with Apache HTTPD or other web server, run the following command:
cmb cert create purpose=webserver
This command will automatically create a CSR, submit it to the enterprise CA, and install the certificate once issued. This is all done using the PKI policies configured on the CertAccord Enterprise Server and your enterprise CA. No knowledge of these policies or configuration requires are needed by the system administrator when running this command.
Here is example output:
Creating Certificate PURPOSES: [WebServer] Created certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] Saved certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to AgentProfile Apply Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] Exported Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to /var/cmb/cert/dune.magnicomp.com-webserver.crt Exported PrivateKey Grq8jB3h [RSA 2048] to /var/cmb/cert/dune.contoso.com-webserver.key Applying certificate to Apache HTTP Web Server: ID: 634RJ65d PURPOSE: WebServer COMMAND [/usr/sbin/service apache2 reload] ran successfully Reloaded Apache HTTP Web Server Apply certificate to Apache HTTP Web Server: ID: 634RJ65d RESULT: Succeeded
The output shows that a certificate was created, saved to the local Agent database, and a copy of the certificate was exported to
/var/cmb/cert/dune.contoso.com-webserver.crt. The Apache HTTPD server was also reloaded so that it re-read its configured certificate files.
In this article we have learned not only about how to create a certificate signing request mac is not the way to think about the problem, but that automating the entire certificate lifecycle is easily done.
A few key take-aways:
- Using the CertAccord Agent required no prior knowledge of the enterprise PKI policies for keys or certificates.
- Because the certificate was created by the enterprise CA and is not self-signed, the certificate is automatically verifiable by any application in the enterprise.
- The Agent manages the life-cycle of the certificate. That means it will automatically renew the certificate without any human intervention.
To learn more about CertAccord Enterprise, please reach out to us today:
Schedule A Demo