Skip Navigation Links.

Certificates Autoenrollment

Certificates autoenrollment is the process of automatically requesting and renewing certificates without user interaction.

How to configure a machine for certificates autoenrollment

Open the CERN Host Certificates Autoenrollment configuration page and follow the instructions.

How AutoEnrollment works on Windows

Auto-enrolled certificates will be installed in the machine certificate store, and can be viewed using the Management Console.

After you have configured your machine for autoenrollment, it will take some time before the policy is actually applied. This should happen when the machine credentials are renewed, which usually happens once a day.

If you want to speed up the process, you can run the command gpupdate /force from an administrator command prompt and then logoff and logon again. Alternatively, you can also restart the machine.

If you need to renew the certificate, for example because you need different Subject Alternative Names, you can just delete the certificate from the machine certificate store, and then wait for the automatic re-enrollment or force the machine to request the certificate (from the Certificates mmc, right click on local computer certificates -> all tasks -> automatically enroll and retrieve certificates).

How AutoEnrollment works on Linux

AutoEnrollment support for Linux machines is currently under development. Please report any problem via the Service Desk (phone +41 22 76 77777 or or the Service Portal.

Install 'cern-get-certificate' on your system:

# /usr/bin/yum install cern-get-certificate
Enable the autoenrollement process and install certificate:
# /usr/sbin/cern-get-certificate --autoenroll [ --grid ]
Check status with:
# /usr/sbin/cern-get-certificate --status [ --grid ]
Renew the certificate:
# /usr/sbin/cern-get-certificate --renew [ --grid ] [--force ]

In all the cern-get-certificate commands, specify the --grid option to configure autoenrollment for grid host certificates; if the option is not specified, CERN host certificates are used.

Please see man cern-get-certificate for advanced options which can be adjusted according to needs in the configuration file.

Note: cern-get-certificate requires standard linux setup at CERN: in particular system Kerberos credentials (keytab) must be configured correctly with cern-get-keytab.

How to configure Subject Alternative Names (SANs) for an auto-enrolled host certificate

Since the certificate is requested and installed on the machine without user interaction, Subject Alternative Names cannot be specified in the certificate request.

For this reason, SANs are determined by the CERN Certification Authority reading LDAP attributes of the certificate subject.

SANs for a machine must be configured from the autoenrollment configuration page:

Created: 3/10/2020
Last reviewed: 5/2/2022
Send the page Send  |  Printable version Print