KNOWLEDGE BRIEF - How to download certificates from Microsoft CA on RHEL servers
This is sent in the hope it might help someone who has (or will have) a similar problem in the future.
There are times when certificates from Microsoft CA are needed on RHEL servers.
I have seen users struggling to automate this process through simple tools.
Here is one method.
a) To download the RBA Intermediate and Root Organisation Certification Authority (OCA) certificates, use this command:
# openssl s_client -showcerts -verify 5 -connect microsoft-CA-srv:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'; for cert in cert[0-9]*.pem; do newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}"; done
This command is courtesy of a post in another forum:
https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux
It downloads two certificates:
InternalCA-OCA
InternalCA-Intermediate-cert
b) To download the Root Certificate, different commands are needed.
Firstly, find the name of the Root Certificate:
# keytool -printcert -sslserver microsoft-CA-srv:443
Let's assume its name is "InternalCA-RootCA-cert.crt".
Secondly, download it:
# curl -s https://microsoft-CA-srv/CertEnroll/"InternalCA-RootCA-cert.crt" | openssl x509 -inform der > InternalCA-RootCA-cert.pem
Best wishes,
Dusan Baljevic (amateur radio VK2COT)
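
Added example, not part of the original post: certificates fetched as in a) and b) arrive over the network, so this script checks them before they are trusted. The function names (cert_sha256, chains_to, verify_ca_download), the file names and the expected fingerprint are assumptions; the fingerprint is taken to come from the CA administrators through a separate channel.

```shell
#!/bin/sh
# Added example, not from the original post. File names and the expected
# fingerprint are assumptions supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# True if certificate $2 verifies against trust anchor $1 ("<file>: OK").
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# verify_ca_download ROOT_PEM EXPECTED_SHA256 [INTERMEDIATE_PEM]
# Returns 0 only when every check passes.
verify_ca_download() {
    root=$1; expected=$2; intermediate=${3:-}

    # 1. A root must be self-issued and carry a valid self-signature.
    subject=$(openssl x509 -in "$root" -noout -subject -nameopt RFC2253) || return 1
    issuer=$(openssl x509 -in "$root" -noout -issuer -nameopt RFC2253) || return 1
    if [ "${subject#subject=}" != "${issuer#issuer=}" ] || ! chains_to "$root" "$root"; then
        echo "FAIL: $root is not a self-signed root" >&2; return 1
    fi

    # 2. Its fingerprint must match the value obtained out of band
    #    (colons, spaces and letter case are normalised first).
    actual=$(cert_sha256 "$root")
    expected=$(printf '%s' "$expected" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "FAIL: fingerprint mismatch, got $actual" >&2; return 1
    fi

    # 3. The intermediate, if given, must chain to that root.
    if [ -n "$intermediate" ] && ! chains_to "$root" "$intermediate"; then
        echo "FAIL: $intermediate does not chain to $root" >&2; return 1
    fi
    echo "OK: $root ($actual)"
}

# Stand-alone use: ./script ROOT_PEM EXPECTED_SHA256 [INTERMEDIATE_PEM]
if [ "$#" -ge 2 ]; then verify_ca_download "$@"; fi
```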