Certificates Autoenrollment
Certificates autoenrollment is the process of automatically requesting and renewing certificates without user interaction.
How to configure a machine for certificates autoenrollment
Open the CERN Host Certificates Autoenrollment configuration page and follow the instructions.
How AutoEnrollment works on Windows
Auto-enrolled certificates will be installed in the machine certificate store, and can be viewed using the Management Console.
After you have configured your machine for autoenrollment, it will take some time before the policy is actually applied. This happens when the machine credentials are renewed, which usually occurs once a day.
If you want to speed up the process, run the command gpupdate /force from an administrator command prompt and then log off and log on again. Alternatively, you can restart the machine.
If you need to renew the certificate, for example because you need different Subject Alternative Names, delete the certificate from the machine certificate store and then either wait for the automatic re-enrollment or force the machine to request the certificate (in the Certificates MMC, right-click on the local computer certificates -> All Tasks -> Automatically Enroll and Retrieve Certificates).
How AutoEnrollment works on Linux
AutoEnrollment support for Linux machines is currently under development. Please report any problem via the Service Desk (phone +41 22 76 77777 or service-desk@cern.ch) or the Service Portal.
Install 'cern-get-certificate' on your system:
# /usr/bin/yum install cern-get-certificate
Enable the autoenrollment process and install the certificate:
# /usr/sbin/cern-get-certificate --autoenroll [ --grid ]
Check status with:
# /usr/sbin/cern-get-certificate --status [ --grid ]
Renew the certificate:
# /usr/sbin/cern-get-certificate --renew [ --grid ] [ --force ]
In all cern-get-certificate commands, specify the --grid option to configure autoenrollment for grid host certificates; if the option is not specified, CERN host certificates are used.
Please see man cern-get-certificate for advanced options, which can be adjusted as needed in the configuration file.
Note: cern-get-certificate requires the standard Linux setup at CERN: in particular, system Kerberos credentials (keytab) must be configured correctly with cern-get-keytab.
How to configure Subject Alternative Names (SANs) for an auto-enrolled host certificate
Since the certificate is requested and installed on the machine without user interaction, Subject Alternative Names cannot be specified in the certificate request.
For this reason, SANs are determined by the CERN Certification Authority reading LDAP attributes of the certificate subject.
SANs for a machine must be configured from the autoenrollment configuration page: