Automated certreq for GNU/Linux

Last updated 2018-01-25


Microsoft provides the certreq utility for its non-free operating system. This tool makes it easy to get certificates from the Microsoft sub-CA on your network.

GNU Linux hosts do not get that tool, so a viable alternative is to script the interaction with the website. My content in this post is shamelessly ripped from a StackOverflow post and beefed up.

In my research, I came across a question: “How to submit certificate request from red hat to windows ca“.

The solution

The script

I present my shell script,
This shell script:

  • Generates CSR and submits it to the Microsoft Sub-CA.
  • Saves private key, public key (the certificate), and cert chain to a temporary directory
  • Removes the temp directory after 5 minutes automatically to remove the private key
  • Sends to standard out the file names and purposes, for consumption by automation tool, e.g., ansible

Code walkthrough

Instead of copying and pasting the whole code here, I will discuss only snippets.
Here is the usage block.

usage: [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca ]
version ${certreqversion}
 -d debug   Show debugging info, including parsed variables.
 -h usage   Show this usage block.
 -V version Show script version number.
 -u username User to connect via ntlm to CA. Can be "username" or "domain\\username"
 -p password
 -w workdir  Temp directory to work in. Default is a (mktemp -d).
 -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate"
 --cn        CN to request. Default is the \$( hostname -f )
 --ca        CA hostname or base URL. Example:
Return values under 1000: A non-zero value is the sum of the items listed here:
 0 Everything worked
 1 Cert file is still a CSR
 2 Cert file is html, probably due to permissions/credentials issue
 4 Return code of curl statement that saves cert file is non-zero
 8 Cert file does not contain whole certificate
16 Cert does not contain an issuer
Return values above 1000:
1001 Help or version info displayed
1002 Count or type of flaglessvals is incorrect
1003 Incorrect OS type
1004 Unable to find dependency
1005 Not run as root or sudo

All the magic happens at line 239, the main loop. These blocks perform the different web requests, and are the real meat of this script.

Block GENERATE PRIVATE KEY makes the csr and saves in to the file that will eventually hold the cert.

   openssl req -new -nodes \
      -out "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" \
      -keyout "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key" \
      -subj "${CERTREQ_SUBJECT}"
   CERT="$( cat "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" | tr -d '\n\r' )"
   CERT="$( echo ${CERT} | sed -e 's/+/%2B/g' | tr -s ' ' '+' )"


   OUTPUTLINK="$( curl -k -u "${CERTREQ_USER}:${CERTREQ_PASS}" --ntlm \
      "${CERTREQ_CA}/certsrv/certfnsh.asp" \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      -H 'Connection: keep-alive' \
      -H "Host: ${CERTREQ_CAHOST}" \
      -H "Referer: ${CERTREQ_CA}/certsrv/certrqxt.asp" \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data "Mode=newreq&CertRequest=${CERT}&CertAttrib=${CERTATTRIB}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" | grep -A 1 'function handleGetCert() {' | tail -n 1 | cut -d '"' -f 2 )"

FETCH SIGNED CERTIFICATE downloads the cert that the previous page links to.

   curl -k -u "${CERTREQ_USER}:${CERTREQ_PASS}" --ntlm $CERTLINK \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      -H 'Connection: keep-alive' \
      -H "Host: ${CERTREQ_CAHOST}" \
      -H "Referer: ${CERTREQ_CA}/certsrv/certrqxt.asp" \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
      -H 'Content-Type: application/x-www-form-urlencoded' > "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt"

My additions to this secret sauce start with GET NUMBER OF CURRENT CA CERT. I needed the cert chain, so I automated fetching it from the server.
You have to find out how many different CA certs are being offered by this server, and then use the latest.

   RESPONSE="$( curl -s -k -u "${CERTREQ_USER}:${CERTREQ_PASS}" --ntlm \
      "${CERTREQ_CA}/certsrv/certcarc.asp" \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      -H 'Connection: keep-alive' \
      -H "Host: ${CERTREQ_CAHOST}" \
      -H "Referer: ${CERTREQ_CA}/certsrv/certrqxt.asp" \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
      -H 'Content-Type: application/x-www-form-urlencoded' )"
   CURRENTNUM="$( echo "${RESPONSE}" | grep -cE 'Option' )"

   CURRENT_P7B="$( curl -s -k -u "${CERTREQ_USER}:${CERTREQ_PASS}" --ntlm \
      "${CERTREQ_CA}/certsrv/certnew.p7b?ReqID=CACert&Renewal=${CURRENTNUM}" \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      -H 'Connection: keep-alive' \
      -H "Host: ${CERTREQ_CAHOST}" \
      -H "Referer: ${CERTREQ_CA}/certsrv/certrqxt.asp" \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
      -H 'Content-Type: application/x-www-form-urlencoded' )"

   echo "${CURRENT_P7B}" | openssl pkcs7 -print_certs -out "${CERTREQ_TEMPFILE}"

I like having the domain name in the filename, so this last part renames the cert chain.

   # will read only the first cert, so get domain of issuer of it.
   CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>&1 | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )"
   mv -f "${CERTREQ_TEMPFILE}" "${CERTREQ_WORKDIR}/${CHAIN_FILE}" 1>/dev/null 2>&1

The ansible role

I needed this task deployed to my whole environment, so I rolled it into an ansible role saved to github and also added another feature, where it converts the generated cert files into a pcks12 (pfx) file for a specific application’s need.



  6. Manipulating ssl certificates

Add custom kickstart file and root ca certificates to iso file

Introduction and goals

This is intended to be one of my longer posts. This article describes how to accomplish the following tasks:

  1. Insert custom kickstart files into an iso file
  2. Insert custom root CA certificates into the initrd.img of an iso file, so you can fetch a custom repository over https
  3. Write a sample kickstart file
  4. Open up the initrd.img to add more files

The example file used is Fedora-Workstation-netinst-x86_64-27-1.6.iso available from

The files

You will need a few files, including:

  1. kickstart file
  2. Root certificate

Kickstart files

My 2 different kickstart files are
fc27c-ks.cfg (saved to WordPress as a .doc, but it is truly just a plain text file)
Quite a few things to note about the content:
I had to use http for all my local repositories, even though I got the ca certficate loaded. I think how my ISP bounces back my https traffic causes enough slowdown on the ssl handshake it prevents anaconda from using it correctly. It was working earlier in the day but I had to disable it.
Observe in the %pre scriptlet the lines

cp -p /run/install/repo/ /etc/pki/ca-trust/source/anchors 2>/dev/null || :
update-ca-trust || :

These 2 lines load up the root certificate authority cert into the running initrd trusted keys, so the ssl connections are trusted.
Please see the attached or indicated files.

Root certificate

A root certificate is the certificate that signs other certificates for that namespace. I use my own in my ipa domain, and I use it on my web server. So to connect with ssl because I want to encrypt everything possible, I need this cert in the runtime environment on the iso disc image. My root ca file is
not shared on this blog. Go get your own!

The steps

Mount original iso

mkdir -p /mnt/originaliso
mount -v -o loop /mnt/public/Support/SetupsBig/Linux/Fedora-Workstation-netinst-x86_64-27-1.6.iso /mnt/originaliso/

Copy contents to work directory

mkdir -p /mnt/newiso ; cd /mnt/
time cp -pr originaliso/* newiso/

Copy in kickstart files

cp -pf /mnt/public/Support/Platforms/Fedora/fc27{x,c}-ks.cfg /mnt/newiso/
chown root:root /mnt/newiso/*ks.cfg
echo done

Tell disc to use new ks file

This task:

  • Adds xfce and cinnamon menu options
  • Find all the append= lines, and add to the end this attribute: ks=hd:LABEL=fc26:/fc26x-ks.cfg

The important piece is to have the LABEL= the volume name that you give the mkisofs -V “label” a few commands later in this article. If you really want to use a file:/ks.cfg, then you have to open up the initrd, which Appendix A demonstrates.

Fedora 27 xfce and cinnamon
sed -r -e "/append/{s/LABEL=([A-Za-z0-9_\-]*)(\s|:)/LABEL=${label}\2/;s/quiet//;};" -e '/label linux/,/^\s*$/H;' -e '/^\s*$/{x;};' "${tf}" | \
awk "BEGIN{a=0;b=0;labels[1]=\"xfce\";labels[2]=\"cinnamon\";} /^label [^l]/{b=b+1} b < 1 && /label linux/{a=a+1;\$0=\$0\" \"labels[a];} b < 1 && /menu label/{\$0=\$0\" \"labels[a];} b < 1 && /append/{\$0=\$0\"ks=hd:LABEL=${label}:/${label}\"substr(labels[a],1,1)\"-ks.cfg\";} {print;}" > "${tf}.$$"
mv -f "${tf}.$$" "${tf}"
Centos 7
sed -r -e "/append/{s/LABEL=([A-Za-z0-9_\-]*)(\s|:)/LABEL=${label}\2/;s/quiet//;};" "${tf}" | \
awk "BEGIN{a=0;b=0;labels[1]=\"with my bgstack15 custom kickstart\";} /^label [^l]/{b=b+1} b < 1 && /label linux/{a=a+1;\$0=\$0\" \"labels[a];} b < 1 && /menu label/{\$0=\$0\" \"labels[a];} b < 1 && /append/{\$0=\$0\"ks=hd:LABEL=${label}:/${label}-ks.cfg\";} {print;}" > "${tf}.$$"
mv -f "${tf}.$$" "${tf}"

Copy in certificate file

This will be used by the kickstart file and injected into the running initrd so https connections can be trusted to download the repos.

/bin/cp -pf /mnt/public/www/smith122/certs/ /mnt/newiso/
chown root:root /mnt/newiso/*.crt

Make new iso

Fedora 27
ti="${label}manual.iso"; cd /mnt/newiso;
rm -f /mnt/newiso/"${ti:-NOTHINGTODELETE}" ; __func() { mkisofs -V "${label}" -m '*.iso' -o "../${ti}" -b isolinux/isolinux.bin -c isolinux/ -no-emul-boot -boot-load-size 4 -boot-info-table -r -J -v -T . ; implantisomd5 "/mnt/${ti}" ; } ; time __func
CentOS 7
ti=centos7manual.iso ; cd /mnt/newiso ;
rm -f /mnt/newiso/"${ti:-NOTHINGTODELETE}" ; __func() { mkisofs -V "${label}" -m '*.iso' -o "../${ti}" -b isolinux/isolinux.bin -c isolinux/ -no-emul-boot -boot-load-size 4 -boot-info-table -r -J -v -T . ; implantisomd5 "/mnt/${ti}" ; } ; time __func

Copy to server so vm1 can access

time su bgstack15 -c "cp -pf /mnt/${ti} /mnt/public/Support/SetupsBig/Linux/";
echo done

Next steps

After that, the iso is ready to be burned to disc or used by virt-install. I have not actually tried burning a disc or usb drive, but I assume it’s pretty similar to a regular Live iso.
For virt-install, I was simply unable to get my fancy customized iso to work fully automatically. For a regular, unattended vm install, I use the regular Fedora netinstall iso and I inject my kickstart file.

vm=fc27x-02a ; time sudo virt-install -n "${vm}" --memory 2048 --vcpus=1 --os-variant=fedora25 --accelerate -v --disk path=/var/lib/libvirt/images/"${vm}".qcow2,size=20 -l /mnt/public/Support/SetupsBig/Linux/Fedora-Workstation-netinst-x86_64-27-1.6.iso  --initrd-inject=/mnt/public/Support/Platforms/Fedora/fc27x-ks.cfg --extra-args "ks=file:/fc27x-ks.cfg SERVERNAME=${vm}" --debug --network type=direct,source=eno1

And to destroy that vm when I’m done with it:

vm=fc27x-02a; sudo virsh destroy "${vm}"; sudo virsh undefine --remove-all-storage "${vm}";

But this custom iso that we built is ready to be inserted into a vm, where you can manually select the xfce or the cinnamon option. After that initial menu choice, everything else is automatic and unattended.


Appendix A: Modify initrd.img file

Right after step “Copy in certificate file,” if you want to modify the initrd.img file, you can use these steps:

Open initrd.img xz file

mkdir -p /mnt/initrd1; cd /mnt/initrd1; time xzcat /mnt/originaliso/isolinux/initrd.img | cpio -d -i -m

Perform any file modifications to that filesystem in /mnt/initrd1.

Assemble new initrd.img file

cd /mnt/initrd1 ; time find . | cpio -o -H newc | xz --check=crc32 --x86 --lzma2=dict=512KiB > /mnt/newiso/isolinux/initrd.img




Internal documents

~/2017/Systems/guides/Add custom kickstart to iso file.odt

Generate certificate with SubjectAltName attributes in FreeIPA


Last updated 2017-11-12

If you want to serve webpages with ssl certificates that have Subject Alternative Names, and you use FreeIPA, you will need to take a few steps to make this possible. If you got to this page, you probably already know the importance of SAN on a cert.

This document will demonstrate how to get IPA to sign a certificate that has the ever-important SubjectAltName.

Example environment

Freeipa domain is at

Host is serving https, and I want to also serve on other domain names:

You don’t even need to have all the SANs in the same domain!

Generate certificate with SAN in freeipa

Generate private key

openssl genrsa -aes256 -out /root/certs/ 2048

Use a simple passphrase you can remember.

Generate certificate signing request

Before you generate the csr, you will need to modify the default openssl.cnf file so it will make a csr with Subject Alternative Names.
In CentOS 7, that file is /etc/pki/tls/openssl.cnf.
In section [req] add line

req_extensions = v3_req

In section [ v3_req ] add lines (to add a new section as well)

subjectAltName = @alt_names

DNS.1 =
DNS.2 =
DNS.3 =
DNS.4 =

You can also include IP.1 = entries.
On my CentOS 7 system, here is the diff:

# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.2017-05-19.01 
< req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request
< subjectAltName = @alt_names
< [alt_names]
< DNS.1 =
< DNS.2 =
< DNS.3 =
< DNS.4 =


Make entries in freeipa

To be able to sign a certificate in freeipa with whatever SANs you want, you need to have a host entry for each domain.
So manually create the hosts. You can force it; they are just dummy hosts.
Also manually create HTTP service entries for each of those hosts.


I used the web interface for this, because it was easier for me. But everything in freeipa can be done with the cli; I simply haven’t done the research for how to make new host objects in FreeIPA on the command line yet.

Sign the certificate

In the web UI, you can navigate to Identity -> Services -> principal HTTP/
Select the Actions button, and then New Certificate.
Paste the contents of the csr file.

Retrieve the certificate

In the web UI, under the section Service Certificate, select the Actions button -> Get certificate. You can copy the text and save it in the terminal.



  1. Generate CSR with SAN
  2. Generate each host and HTTP service
  3. Generate CSR

Manipulating ssl certificates


Last updated 2017-12-14

SSL certificates are used in almost every network application to encrypt traffic to increase the safety of communications.

Manipulating ssl certs

Converting .crt to .pem

A .crt file can be identical to a .pem: They are both a b64-encoded block.

openssl x509 < rapidssl.crt -out rapidssl.pem

A .crt is usually the public key, and a .key is usually the private key.

Converting .crt set to a .pfx for Windows

Run each step separately because you might need to enter an import or export password. Use a simple password for each one for ease.

openssl pkcs12 -export -in wildcard-2016.crt -inkey wildcard-2016.key -out wildcard-2016.p12 -name wildcard -CAfile rapidssl-2016.crt -caname root
openssl pkcs12 -in wildcard-2016.p12 -out wildcard-2016.pem -nodes –clcerts
openssl x509 -in rapidssl-2016.crt -out rapidssl-2016.pem
cat wildcard-2016.pem rapidssl-2016.pem > wildcardchain-2016.pem
openssl pkcs12 -export -in wildcardchain-2016.pem -out wildcardchain-2016.pfx


Converting pkcs7 to pkcs12

openssl pkcs7 -print_certs -in crx.p7b | openssl pkcs12 -export -inkey crx.key -out crx.pfx -certfile crx.crt

Preparing hash file for ldap

Openldap can use ssl to encrypt its traffic, and the file needs to be rather specific. Around here, the /etc/openldap/ldap.conf file tends to have these directives:

URI ldaps://
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

And in /etc/openldap/cacerts you might see these files:

4669ff29.0 -> authconfig.pem
authconfig.pem (the examplemicrosoft certs catted)

Observe that there is a hashed file as a symlink to the real cert file. Openldap will look for the hashed filename, whether it is a real file or just a symlink.
You can generate the hashed file by running c_rehash /etc/openldap/cacerts (or try cacertdir_rehash) from package openssl-perl or you can generate the symlink this way:

cd /etc/openldap/cacerts
ln -sf certs-example-2016.pem "$( openssl x509 -in certs-example-2016.pem -hash -noout ).0"

Reference: Weblink 2

Requesting a certificate signing

A CSR is for when you have a certificate you generated that you want signed by a certificate authority, whether that be the local CA or a public one.
You need a private key to start with, so the genrsa command will generate one.

openssl genrsa -aes256 -out wwwexamplecom-2016.key 2048
openssl req -new -key wwwexamplecom-2016.key -out wwwexamplecom-2016.csr
Enter pass phrase for wwwexamplecom-2016.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Anystate
Locality Name (eg, city) [Default City]:Anytown
Organization Name (eg, company) [Default Company Ltd]:Example Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []
Email Address []
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generally, don’t use a passphrase. If you must, do a simple one like linksys.

Send the csr to someone. This uses the script from bgscripts package. -hs "csr for" wwwexamplecom-2016.csr

Removing passphrase from private key

Apache in particular struggles with a private key protected with a passphrase. Apparently admins just leave the passphrase blank when generating a cert.
If you already applied one, and want to remove the passphrase, just use openssl.

openssl rsa -in old.key -out new.key

It will ask you for the passphrase, and then export the private key to the new file.

Adding AD certs to host trusted certificate store

Procure your AD root CA cert or download it from the certificate authority web portal, which could resemble Save as
Reference: Weblink 4

cp /etc/pki/ca-trust/source/anchors/

Reference: Weblink 5

Signing a certificate

Internal link 3 provides the certificate signing operations for Active Directory.

Adding key to java keystore

You might need to add a certificate to a java-like keystore. It is interesting to note that many java keystore files are actually symlinks to /etc/pki/java/cacerts.

/usr/lib/jvm/java/jre/bin/keytool -import -trustcacerts -alias "myaliasname" -storetype jks -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -file ./comodo.cer -storepass changeit

Testing ssl cert from server

To find out if the https or other ssl-enabled service is serving the right certificate, you can use openssl as a client and pull down the ssl cert.

printf '\n' | openssl s_client -connect

And observe the output for the certificate information.
To test SNI, add the parameter -servername
Reference: weblink 6

Convert cer to pem format

openssl x509 -inform der -in certificate.cer -out certificate.pem

Reference: weblink 7

Read info from pkcs12 file

openssl pkcs12 -in cert.pfx -passin pass:'' -nodes -clcerts | openssl x509 -noout -subject -issuer -startdate -enddate

Delineate certificates in chain being served by a web connection

certchain="$( mktemp )" ; echo '' | openssl s_client -showcerts -connect > ${certchain} ; certcount=$( grep -cE '^-----BEGIN CERT' ${certchain} 2>/dev/null ); cat ${certchain} | { x=0 ; while test $x -lt ${certcount} ; do openssl x509 -noout -subject -issuer -dates ; x=$(( x + 1 )) ; done ; }



  1. Pkcs12 chained certificates demo:
  2. How to get the cert file hash without the c_rehash tool
  3. Removing passphrase from ssl key
  4. AD get root CA certificate