Getting the cert and chain in one file in certmonger

Some servers want the server cert and CA chain all in one file. There isn’t an option in certmonger to do this but it can be completed using the post-save command. This is a command specified in the request that executes after a certificate has been issued and saved to disk.

The option does not accept bash syntax. It executes a single command. Generally speaking for complex operations your best bet is to put it into a separate bash script that is executed, which we’ll do here.

I created /usr/local/bin/ with the contents:

# concatenate a server cert and the chain into a single file


cat $cert $chain > $target

IMPORTANT: Add your own error checking.

Use certmonger to request a cert with this as the command:

ipa-getcert request -f /etc/pki/tls/certs/test.pem \
-k /etc/pki/tls/private/test.key \
-C "/usr/local/bin/ /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"

This is an example on an IPA-enrolled machine where the chain already exists in /etc/ipa/ca.crt. If you need the chain as well you can add -F /etc/pki/tls/certs/chain.pem and use that in the concatenation.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s