Description
Is there an existing issue for this?
- I have searched the existing issues and found none that matched mine
Describe the issue
Hello everyone,
I would appreciate your help/support with the following topic.
I work at a company (for simplicity, let’s call it BlackJack). We have domain controllers (BlackJack.com) and many different operating systems. Previously, on Ubuntu machines, we used Centrify to join computers to the domain, authenticate users, and generate CHAIN, KEY, and CERT certificates from the domain controllers. These certificates were used to establish VPN and Security connections. On each system, users logged in using their domain accounts.
In Active Directory, we have a prepared certificate template for Ubuntu users: BlackJackLinuxUserCert.
I would also like to note that we are using Ubuntu 22.04 and 24.04 LTS with the Ubuntu Pro subscription enabled.
Currently, I am working on migrating from Centrify to solutions that are purely Canonical-based. I have managed to develop a procedure that allows:
- joining a computer to the domain,
- authenticating users using domain credentials,
- obtaining a Kerberos ticket.
What I am missing:
I am unable to generate the certificates mentioned above.
I kindly ask for help in solving this problem. Unfortunately, the internet has not been helpful so far.
Steps to reproduce it
Installation and domain join procedure
Installing required packages
sudo apt-get -qq -y update
sudo apt-get -qq -y install \
    realmd sssd-ad sssd-tools adcli samba-common-bin \
    oddjob oddjob-mkhomedir packagekit ldap-utils \
    krb5-user adsys ubuntu-advantage-tools \
    certmonger ca-certificates
Joining the domain
sudo realm join "$HDOM1" -U $GLOBAL_NAMEA
First user authentication
sudo -u $GLOBAL_NAMEU -i bash -c 'whoami'
Preparing for certificate generation
Verifying domain access and Kerberos ticket
kinit jjarecki@dom.blackjack.com
klist
sudo sss_cache -E
sudo systemctl restart sssd
Certificate generation attempt
systemctl status certmonger
sudo getcert list-cas
At this point, I encounter a problem:
I do not have AD CS available, and as a result, further certificate-related commands cannot be executed.
Output of getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/lib/certmonger/ipa-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/lib/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/lib/certmonger/local-submit
Expected next steps
getcert list-cas -v    # verify CA/template names
mkdir -p ~/certs
chmod 700 ~/certs
getcert request \
    -c "CA_NAME" \
    -T "BlackJackLinuxUserCert" \
    -k ~/certs/user.key \
    -f ~/certs/user.crt \
    -F ~/certs/chain.pem \
    -u digitalSignature,keyEncipherment \
    -K jacek.jarecki@ad.blackjack.com \
    -I jjarecki
# -F: file for the CA chain (-C is certmonger's post-save command, not a chain file)
# -u: key usage flags (-U expects an extended key usage OID)
# -I: nickname for the tracking request
In an attempt to resolve the issue caused by the absence of AD CA, I tried to execute the following command:
sudo getcert add-ca \
    -c CORP-ISSUING-CA01 \
    -t ms-cs \
    -u https://ca01.corp.example.com/certsrv/ \
    -e
Unfortunately, Ubuntu is unable to execute this command because it does not recognize these attributes. There is no appropriate helper available.
Question
What is the correct approach to generating user certificates from Active Directory on Ubuntu without Centrify, using Canonical-supported tools?
- Is AD CS strictly required, or is there an alternative supported method?
- Can certmonger integrate directly with AD Certificate Services in this setup?
- What would be the recommended replacement for Centrify’s certificate enrollment functionality?
Any guidance, documentation, or working examples would be greatly appreciated.
Thank you in advance.
Ubuntu users: System information
No response
Non Ubuntu users: System information
Environment
- adsys version: please run `adsysctl version`
- Distribution: (NAME in /etc/os-release)
- Distribution version: (VERSION_ID in /etc/os-release)
Log files
Please redact/remove sensitive information:
adsys service logs can be acquired by running `adsysctl service cat -v`.
You can increase the amount of information displayed by increasing the verbosity level (-v) to -vv or -vvv.
Application settings
Please redact/remove sensitive information:
Paste the contents of your adsys.yaml file here, if you created one.
Additional information
No response
Double check your logs
- I have redacted any sensitive information from the logs
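An added example, not part of the issue above and not adsys or certmonger code. The `getcert list-cas` output shows that stock certmonger ships only the SelfSign, IPA, dogtag and local helpers; `getcert add-ca -c NAME -e /path/to/helper` can register another CA, but only if a helper speaking certmonger's submit protocol exists for it. The POSIX shell script below takes the shorter route the Centrify flow implied: it generates the key locally, posts the CSR to the AD CS Web Enrollment page (certfnsh.asp) using the Kerberos ticket obtained with `kinit` (curl `--negotiate -u :`), and downloads the issued certificate and chain from certnew.cer / certnew.p7b, producing the KEY, CERT and CHAIN files the issue asks for. Assumptions not taken from the issue: the Web Enrollment role service is installed on the CA at the hypothetical URL https://ca.blackjack.com/certsrv, the template BlackJackLinuxUserCert is published with Enroll granted to the user, and the page titles matched ("Certificate Issued", "Certificate Pending", "Denied") are the standard certsrv ones. `parse_reqid` and `classify_response` work on the CA's HTML response, so they can be exercised offline against constructed snippets.

```shell
#!/bin/sh
# adcs-enroll.sh: obtain key, certificate and chain for the logged-in domain
# user from AD CS Web Enrollment, authenticating with the TGT from kinit.
# Added example; not the issue author's, adsys's or certmonger's code.
# Assumptions (not from the issue): the CA URL below and the standard certsrv
# page titles. The template name is the one given in the issue.
set -eu

CA_URL="${CA_URL:-https://ca.blackjack.com/certsrv}"   # assumed hostname
TEMPLATE="${TEMPLATE:-BlackJackLinuxUserCert}"
OUT="${OUT:-${HOME:-.}/certs}"
CURL="curl -fsS --negotiate -u :"   # SPNEGO with the existing ticket; TLS checks stay on

# Pull the request ID out of a certfnsh.asp response. Both the issued page
# (links carrying ReqID=NNN) and the pending page ("Your Request Id is NNN.")
# are handled. Prints the ID; returns 1 when none is present.
parse_reqid() {
    printf '%s\n' "$1" \
      | sed -n 's/.*ReqID=\([0-9][0-9]*\).*/\1/p; s/.*Request Id is \([0-9][0-9]*\).*/\1/p' \
      | head -n 1 | grep .
}

# Reduce the response page to one word the caller can branch on.
classify_response() {
    case "$1" in
        *"Certificate Issued"*)  echo issued ;;
        *"Certificate Pending"*) echo pending ;;
        *"Denied"*|*"denied"*)   echo denied ;;
        *)                       echo unknown ;;
    esac
}

# Download certificate and chain for an issued request, convert the PKCS#7
# bundle to a PEM chain, and verify the leaf against it before reporting success.
fetch() {
    reqid=$1
    $CURL -o "$OUT/user.crt"  "$CA_URL/certnew.cer?ReqID=$reqid&Enc=b64"
    $CURL -o "$OUT/chain.p7b" "$CA_URL/certnew.p7b?ReqID=$reqid&Enc=b64"
    # certnew.p7b is served as PEM or DER depending on the CA; accept either.
    { openssl pkcs7 -print_certs -inform PEM -in "$OUT/chain.p7b" 2>/dev/null \
   || openssl pkcs7 -print_certs -inform DER -in "$OUT/chain.p7b"; } > "$OUT/chain.pem"
    openssl verify -CAfile "$OUT/chain.pem" "$OUT/user.crt"
    echo "key=$OUT/user.key cert=$OUT/user.crt chain=$OUT/chain.pem"
}

# Generate the key locally (it never leaves the host), submit the CSR, then
# either fetch the certificate or report the request ID to fetch later.
enroll() {
    umask 077
    mkdir -p "$OUT"
    # The CSR subject is a placeholder: with the usual "build from Active
    # Directory information" template setting the CA fills subject and UPN SAN
    # from the user object, not from the request.
    openssl req -new -newkey rsa:3072 -nodes -subj "/CN=$(id -un)" \
        -keyout "$OUT/user.key" -out "$OUT/user.csr"
    resp=$($CURL \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest=$(cat "$OUT/user.csr")" \
        --data-urlencode "CertAttrib=CertificateTemplate:$TEMPLATE" \
        --data-urlencode "TargetStoreFlags=0" \
        --data-urlencode "SaveCert=yes" \
        "$CA_URL/certfnsh.asp")
    state=$(classify_response "$resp")
    reqid=$(parse_reqid "$resp") || { echo "CA response carried no request ID ($state)" >&2; return 1; }
    case "$state" in
        issued)  fetch "$reqid" ;;
        pending) echo "request $reqid awaits CA manager approval; later run: $0 fetch $reqid"; return 2 ;;
        *)       echo "request $reqid: $state" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    enroll) enroll ;;
    fetch)  fetch "${2:?request ID required}" ;;
    "")     ;;   # no verb: only define the functions (lets the file be sourced)
    *)      echo "usage: $0 enroll | fetch REQID" >&2; exit 64 ;;
esac
```

Usage: `kinit user@REALM`, then `sh adcs-enroll.sh enroll`; if the template requires CA manager approval the script prints the request ID and exits 2, and `sh adcs-enroll.sh fetch REQID` completes the job once the request is issued. Two caveats a reviewer would want: keep TLS verification on (no `-k`) and keep the Web Enrollment endpoint HTTPS-only with Extended Protection, since the HTTP/NTLM form of that endpoint is the classic relay target (ESC8); and whether the subject and SAN come from the CSR or from the AD user object is decided by the template, so check the issued certificate with `openssl x509 -in ~/certs/user.crt -noout -subject -ext subjectAltName` before wiring it into the VPN client.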