Daniel Uvehag edited this page Aug 18, 2016 · 1 revision

Usage

The application is currently not designed to be used by itself, but through certmonger. This page gives an example of how to issue a certificate based on the Machine template. This template should be available by default to any workstation that is a member of a Windows domain.

Please note that it is the template name that is used, not the template display name (which in this case is Computer). Whichever template is used, the client must have the Enroll permission on it; for the Machine template this is granted by default to members of Domain Computers.

Before proceeding, verify that cepces is registered with certmonger:

# getcert list-cas
...
CA 'cepces':
   is-default: no
   ca-type: EXTERNAL
   helper-location: /usr/sbin/cepces-submit

If it is not listed, go back to the Installation page and follow the instructions on how to register it. The packages available from the repository should take care of this automatically.

If cepces appears in the list, use this CA configuration as you would any other. Please consult the official certmonger documentation for further instructions.

Requesting a Machine Certificate

Use the following command to request a new certificate (substitute identifier, key and certificate paths as required):

# getcert request -c cepces -T Machine -I MachineCertificate -k /etc/pki/tls/private/machine.key -f /etc/pki/tls/certs/machine.crt
New signing request "MachineCertificate" added.

This submits a new certificate signing request based on the template Machine, with the local identifier MachineCertificate. A key is generated and stored at /etc/pki/tls/private/machine.key, with the certificate eventually stored at /etc/pki/tls/certs/machine.crt.

To monitor the progress of the request, issue the following command:

# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
        status: SUBMITTING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/machine.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/machine.crt'
        CA: cepces
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

As shown in this example, the Certificate Signing Request (CSR) is still being submitted. It may take some time before the CA processes the request. Once the certificate has been issued, the status of the request will change from SUBMITTING to MONITORING (if it instead reports stuck: yes, certmonger has given up on the request and the state shown will indicate why):

# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'MachineCertificate':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/machine.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/machine.crt'
        CA: cepces
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

The certificate should now be available for use at the specified location, and since auto-renew is enabled, certmonger will renew it before it expires. Check the certificate template/profile and eku fields in the output against what was requested: they describe what the CA actually issued, not what was asked for.
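The registration check above and the request-then-monitor procedure in this section can be driven from one script. The following is an added example, not part of cepces or certmonger: it verifies that cepces is registered, submits the same getcert request shown above, polls getcert list until the request reaches MONITORING (giving up if certmonger marks it stuck), and then confirms that the issued certificate really came from the Machine template and carries the expected EKU. It assumes getcert is on PATH; the GETCERT variable, the function names and the script usage are assumptions made for this example, not part of either project.

```shell
#!/bin/sh
# Added example (not cepces or certmonger code): enrol a machine certificate
# through cepces non-interactively. Assumes certmonger's getcert is on PATH.
# GETCERT exists only so the functions can be pointed at a stub (assumption).
GETCERT="${GETCERT:-getcert}"

# list_field ID FIELD: print the value of one "field: value" line from
# "getcert list -i ID" (empty output if the field is absent or ID untracked).
list_field() {
    "$GETCERT" list -i "$1" | sed -n "s|^[[:space:]]*$2:[[:space:]]*||p"
}

# Step 0: cepces must appear in getcert list-cas, as shown on this page.
cepces_registered() {
    "$GETCERT" list-cas | grep -q "^CA 'cepces':"
}

# Step 1: submit the request (same getcert command as on this page).
# request_machine_cert ID KEYFILE CERTFILE
request_machine_cert() {
    "$GETCERT" request -c cepces -T Machine -I "$1" -k "$2" -f "$3"
}

# Step 2: poll until certmonger reports MONITORING.
# wait_for_issue ID [TIMEOUT_SECONDS] [POLL_INTERVAL]
# Exit status: 0 issued, 1 stuck or timed out, 2 request not tracked.
wait_for_issue() {
    id=$1 timeout=${2:-300} interval=${3:-5} elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        status=$(list_field "$id" status)
        if [ -z "$status" ]; then return 2; fi
        if [ "$status" = MONITORING ]; then return 0; fi
        if [ "$(list_field "$id" stuck)" = yes ]; then
            echo "request '$id' is stuck in state $status" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "timed out waiting for request '$id' (last state: $status)" >&2
    return 1
}

# Step 3: check what was issued, not what was asked for.
# issued_template ID: the "certificate template/profile" field of the request.
issued_template() { list_field "$1" "certificate template/profile"; }
# has_eku ID OID-NAME: true if the eku field lists that usage (exact match).
has_eku() { list_field "$1" eku | tr ',' '\n' | grep -qx "$2"; }

# Usage (assumed): ./machine-cert.sh ID KEYFILE CERTFILE
if [ "$#" -eq 3 ]; then
    cepces_registered || { echo "cepces is not registered with certmonger" >&2; exit 2; }
    request_machine_cert "$1" "$2" "$3"
    wait_for_issue "$1" || exit 1
    [ "$(issued_template "$1")" = Machine ] || {
        echo "unexpected template: $(issued_template "$1")" >&2; exit 1; }
    has_eku "$1" id-kp-clientAuth || { echo "certificate lacks id-kp-clientAuth" >&2; exit 1; }
    echo "certificate for '$1' issued from template Machine, stored at $3"
fi
```

The script only parses the getcert output fields that appear on this page (status, stuck, eku, certificate template/profile). The stuck check matters in practice: without it, a request that certmonger has abandoned (for example because the CA could not be reached) would be polled until the timeout with no indication of why.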
