Some servers want the server cert and CA chain all in one file. There isn’t an option in certmonger to do this, but it can be done using the post-save command. This is a command specified in the request that executes after a certificate has been issued and saved to disk.
The option does not accept bash syntax; it executes a single command. Generally speaking, for complex operations your best bet is to put the logic into a separate bash script and have that executed, which is what we’ll do here.
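Create /usr/local/bin/catcerts.sh with the contents:

    #!/bin/bash
    #
    # concatenate a server cert and the chain into a single file

    cert=$1     # server certificate (PEM)
    chain=$2    # CA chain (PEM)
    target=$3   # combined output file

    # quote the paths so names with spaces or glob characters are not split
    cat "$cert" "$chain" > "$target"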
IMPORTANT: Add your own error checking.
Use certmonger to request a cert with this as the command:
    ipa-getcert request -f /etc/pki/tls/certs/test.pem \
        -k /etc/pki/tls/private/test.key \
        -C "/usr/local/bin/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
This is an example on an IPA-enrolled machine where the chain already exists in /etc/ipa/ca.crt. If you need the chain as well you can add -F /etc/pki/tls/certs/chain.pem and use that in the concatenation.
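One way to do the error checking the note above asks for, as an added example rather than the original author's script: it takes the same three arguments, rejects missing or non-PEM inputs, guards against a first file with no trailing newline, and replaces the target atomically. The grep-based PEM check and the 0644 mode on the bundle are assumptions; adjust them for your server.

```shell
#!/bin/bash
# catcerts.sh <cert> <chain> <target>
# Added example: the script above with error checking (not the original code).

catcerts() (
    # The body runs in a subshell, so variables and the trap stay local.
    if [ "$#" -ne 3 ]; then
        echo "usage: catcerts.sh <cert> <chain> <target>" >&2
        exit 2
    fi
    cert=$1 chain=$2 target=$3

    # Both inputs must be readable and contain at least one PEM certificate.
    for f in "$cert" "$chain"; do
        if [ ! -r "$f" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "catcerts: $f is missing or holds no PEM certificate" >&2
            exit 1
        fi
    done

    # Build the bundle in a temp file beside the target so the server never
    # reads a half-written file; the final rename is atomic.
    tmp=$(mktemp "${target}.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT

    for f in "$cert" "$chain"; do
        cat "$f" || exit 1
        # A file without a trailing newline would glue its END line to the
        # next BEGIN line and break PEM parsing, so add the newline back.
        [ -z "$(tail -c 1 "$f")" ] || echo
    done > "$tmp" || exit 1

    # Assumption: the bundle holds only public certificates, so 0644 is fine.
    chmod 0644 "$tmp" || exit 1
    mv -f "$tmp" "$target" || exit 1
)

# certmonger passes all three arguments; with none, only define the function.
[ "$#" -eq 0 ] || catcerts "$@"
```

A non-zero exit leaves any previous bundle in place, so a failed run never hands the server a truncated file.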