Certificate Enrollment

Overview

This document describes the certificate enrollment process for Linux workstations using AD CS (Active Directory Certificate Services) and the Linux-Workstation-Auth template.

The Linux-Workstation-Auth template requires specific configuration to work properly. If you encounter error 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE), see PKI Troubleshooting.

Working Examples

modestus-razer (Jan 28, 2026)

Enrolled with properly configured Linux-Workstation-Auth template.

Result: Certificate valid Jan 28 2026 - Jan 28 2028 (2 years)

modestus-p50 (Jan 14, 2026)

Initially enrolled with WebServer template due to template configuration issues.

Result: Certificate valid Jan 14 2026 - Jan 14 2028 (2 years)

Step 1: Generate Private Key and CSR

HOSTNAME=$(cat /etc/hostname)

# Generate private key (no password for wpa_supplicant)
sudo openssl genrsa -out /etc/ssl/private/$HOSTNAME-eaptls.key 2048

# Secure the key
sudo chmod 600 /etc/ssl/private/$HOSTNAME-eaptls.key
sudo chown root:root /etc/ssl/private/$HOSTNAME-eaptls.key

# Create CSR with proper subject (CN must be the workstation FQDN)
sudo openssl req -new \
    -key /etc/ssl/private/$HOSTNAME-eaptls.key \
    -out /tmp/$HOSTNAME-eaptls.csr \
    -subj "/O=Domus Digitalis/OU=Endpoints/CN=$HOSTNAME.inside.domusdigitalis.dev"

# Verify CSR
openssl req -in /tmp/$HOSTNAME-eaptls.csr -noout -text | head -20

Step 2: Submit CSR to AD CS

# Copy CSR to DC
scp /tmp/$HOSTNAME-eaptls.csr home-dc01:C:/Certs/

# Method 1: Direct SSH (may hang with heredoc)
# Recommended: SSH interactively to home-dc01 and run certreq directly
ssh home-dc01

# Then on home-dc01, run (one line; the -config value is <CA host>\<CA name>):
# del C:\Certs\modestus-razer-eaptls.rsp
# certreq -submit -config "HOME-DC01.inside.domusdigitalis.dev\{ad-ca}" -attrib "CertificateTemplate:Linux-Workstation-Auth" "C:\Certs\modestus-razer-eaptls.csr" "C:\Certs\modestus-razer-eaptls.cer"

# Method 2: One-line command (may work depending on SSH configuration)
ssh home-dc01 "del C:\\Certs\\$HOSTNAME-eaptls.rsp & certreq -submit -config \"HOME-DC01.inside.domusdigitalis.dev\{ad-ca}\" -attrib \"CertificateTemplate:Linux-Workstation-Auth\" \"C:\\Certs\\$HOSTNAME-eaptls.csr\" \"C:\\Certs\\$HOSTNAME-eaptls.cer\""

# Retrieve signed certificate
scp home-dc01:C:/Certs/$HOSTNAME-eaptls.cer ~/

If SSH heredoc hangs, SSH directly to home-dc01 and run certreq interactively. The certreq command sometimes requires interactive terminal access.

Expected output:

RequestId: 77
RequestId: "77"
Certificate retrieved(Issued) Issued

Step 3: Install Certificate

HOSTNAME=$(cat /etc/hostname)

# Convert DER to PEM (if needed) and install; if the file is already PEM the
# DER conversion fails and the certificate is copied as-is
sudo openssl x509 -inform DER -in ~/$HOSTNAME-eaptls.cer \
    -out /etc/ssl/certs/$HOSTNAME-eaptls.pem 2>/dev/null \
    || sudo cp ~/$HOSTNAME-eaptls.cer /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Fix permissions
sudo chmod 644 /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Verify certificate
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -subject -issuer -dates

# Verify chain against ROOT CA
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
    /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Verify EKU includes Client Authentication (CRITICAL)
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -text | grep -A1 "Extended Key Usage"

Expected output:

subject=CN=modestus-razer.{domain}
issuer=DC=dev, DC=domusdigitalis, DC=inside, CN=HOME-ROOT-CA
notBefore=Jan 28 04:16:10 2026 GMT
notAfter=Jan 28 04:16:10 2028 GMT

            X509v3 Extended Key Usage:
                TLS Web Client Authentication

{cert-dir}/modestus-razer-eaptls.pem: OK

The certificate MUST have "TLS Web Client Authentication" EKU. Without it, ISE silently rejects the certificate during 802.1X authentication.

Certificate Paths

For all workstations, certificates follow this naming pattern:

File             Location                                  Permissions
Private Key      /etc/ssl/private/<hostname>-eaptls.key    600 (root:root)
Certificate      /etc/ssl/certs/<hostname>-eaptls.pem      644 (root:root)
CA Certificate   /etc/ssl/certs/HOME-ROOT-CA.pem           644

Examples

modestus-razer:

{key-dir}/modestus-razer-eaptls.key  (1704 bytes)
{cert-dir}/modestus-razer-eaptls.pem    (2350 bytes)
{cert-dir}/{ca-cert}             (2050 bytes)

modestus-p50:

{key-dir}/modestus-p50-eaptls.key    (1704 bytes)
{cert-dir}/modestus-p50-eaptls.pem      (2462 bytes)
{cert-dir}/{ca-cert}             (2050 bytes)

Verification Commands

HOSTNAME=$(cat /etc/hostname)

# Check certificate expiration
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -dates

# Check certificate subject (should match hostname.inside.domusdigitalis.dev)
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -subject

# Check certificate chain
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
    /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Check certificate EKU (MUST include Client Authentication)
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -text | grep -A2 "Extended Key Usage"

# Check template used (for troubleshooting)
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -text | grep -i "template"

Complete End-to-End Script

For convenience, here’s a complete script that performs all steps:

#!/bin/bash
# enroll-certificate.sh
# Complete certificate enrollment workflow

set -euo pipefail

HOSTNAME=$(cat /etc/hostname)

echo "=== Certificate Enrollment for $HOSTNAME ==="

# Step 1: Generate private key and CSR
echo "Step 1: Generating private key and CSR..."
sudo openssl genrsa -out /etc/ssl/private/$HOSTNAME-eaptls.key 2048
sudo chmod 600 /etc/ssl/private/$HOSTNAME-eaptls.key
sudo chown root:root /etc/ssl/private/$HOSTNAME-eaptls.key

# The CSR is written to the invoking user's home directory ($HOME)
sudo openssl req -new \
    -key /etc/ssl/private/$HOSTNAME-eaptls.key \
    -out "$HOME/$HOSTNAME-eaptls.csr" \
    -subj "/O=Domus Digitalis/OU=Endpoints/CN=$HOSTNAME.inside.domusdigitalis.dev"

echo "  ✓ CSR generated"

# Steps 2-3: Copy CSR to the DC and submit to AD CS
echo "Step 2: Copying CSR to home-dc01..."
scp "$HOME/$HOSTNAME-eaptls.csr" home-dc01:C:/Certs/

echo "Step 3: Submitting to AD CS..."
echo "  NOTE: You may need to run this interactively on home-dc01"
echo "  SSH to home-dc01 and run:"
echo "  certreq -submit -config \"HOME-DC01.inside.domusdigitalis.dev\{ad-ca}\" \\"
echo "    -attrib \"CertificateTemplate:Linux-Workstation-Auth\" \\"
echo "    \"C:\\Certs\\$HOSTNAME-eaptls.csr\" \"C:\\Certs\\$HOSTNAME-eaptls.cer\""
echo ""
read -p "Press Enter after certificate is issued..."

# Steps 4-5: Retrieve and install
echo "Step 4: Retrieving certificate..."
scp home-dc01:C:/Certs/$HOSTNAME-eaptls.cer ~/

echo "Step 5: Installing certificate..."
sudo openssl x509 -inform DER -in ~/$HOSTNAME-eaptls.cer \
    -out /etc/ssl/certs/$HOSTNAME-eaptls.pem 2>/dev/null \
    || sudo cp ~/$HOSTNAME-eaptls.cer /etc/ssl/certs/$HOSTNAME-eaptls.pem

sudo chmod 644 /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Verification
echo ""
echo "=== Verification ==="
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -subject -issuer -dates
echo ""
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem -noout -text | grep -A1 "Extended Key Usage"
echo ""
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem /etc/ssl/certs/$HOSTNAME-eaptls.pem

echo ""
echo "=== Certificate Enrollment Complete ==="

Troubleshooting

If you encounter error 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE), see: