Overview

The locallinux-create-network-cert CLI tool generates host-level certificates for department-managed Linux workstations to connect to UMD's policy-driven network (802.1X authentication). This tool is specifically for Linux hosts that are owned by the University but managed by departmental system administrators rather than DIT.

Prerequisites

Requesting Permission

Before using this tool, you must request permission to generate certificates for your department's hosts:

1. Send email to: request@umd.edu
2. Subject: Request for Linux Network Certificate Generation Access
3. Include the following information:
   • Your full name
   • Your Directory ID
   • Desired hostname pattern (e.g., *.mydepartment.umd.edu)
   • Department name for network policy (e.g., MyDepartment)

The email will create a ticket with your request for the Linux team to configure the appropriate permissions for your glue user to generate certificates for your specified hostname pattern.

System Requirements

• Access to glue.umd.edu for running the adm command
• UMD Directory credentials
• Permission to generate certificates for the target hostname pattern

Usage

Basic Syntax

adm locallinux-create-network-cert -hostname <hostname.subdomain.umd.edu> -department <Department>

Parameters

• -hostname: The fully qualified domain name of the Linux host (must end with yoursubdomain.umd.edu)
• -department: The department/group identifier for network policy access

Example Usage

# Generate certificate for a specific host

adm locallinux-create-network-cert -hostname "myserver.mydept.umd.edu" -department "MyDept"

Step-by-Step Process

Step 1: Connect to Glue Server

First, ensure you are connected to VPN. Then:

ssh your-username@glue.umd.edu

Authenticate with your username and password.

Step 2: Generate Certificate

Run the certificate generation command and save the output to a file.

# Generate and save certificates

adm locallinux-create-network-cert \

    -hostname "myhost.mydept.umd.edu" \

    -department "MyDept" > combined_cert.pem

Step 3: Split the Certificate and Private Key

The tool outputs both the certificate and private key in a single stream. You'll need to separate them:

# Extract the certificate

sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' combined_cert.pem > host_cert.pem

 

# Extract the private key

sed -n '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/p' combined_cert.pem > host_key.pem

 

# Secure the private key

chmod 600 host_key.pem

Step 4: Transfer Files to Target Host and Configure Network Authentication

See KB0020362 for instructions on uploading the certificate and private key to the host and configuring the network connection profiles on both RHEL and Ubuntu distributions.

Output Format

The tool returns both certificate and private key via STDOUT in PEM format:

 

-----BEGIN CERTIFICATE-----

MIIFxjCCA66gAwIBAgITaP...

[certificate data]

...xmKj5L6Gw==

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

MIIEvgIBADANBgkqhkiG9w...

[private key data]

...XYZ123==

-----END PRIVATE KEY-----

 

Security Considerations

Certificate Management

• Private Key Protection: Always set restrictive permissions (600) on private key files
• Certificate Lifetime: Certificates are valid for 5 years (renewal required before expiration)
• Host-Specific: Each certificate is tied to a specific hostname and department

Access Control

• Hostname Restrictions: You can only generate certificates for hostnames within your authorized pattern
• Department Validation: The department parameter must match your approved department group
• Authentication Required: Valid Kerberos ticket required for each certificate request

Troubleshooting

Permission Denied Errors

If you receive permission denied errors:

1. Verify permissions: Confirm your access request was approved and processed
2. Check hostname pattern: Ensure the hostname matches your authorized pattern
3. Validate department: Confirm the department parameter is correct

Network Configuration Issues

For problems with network connectivity after certificate installation:

1. Verify certificate installation: Check that files are in correct locations with proper permissions
2. Check network configuration: Ensure 802.1X/EAP-TLS is properly configured
3. Test connectivity: Use network diagnostic tools to verify certificate authentication

Getting Help

For issues with the certificate generation tool or network configuration:

• Email: request@umd.edu (include your Directory ID and detailed error description)
• Include: Hostname, department, error messages, and steps already attempted

Related Information

Policy-Driven Network

This certificate system is part of UMD's Campus Network Refresh initiative. The certificates enable:

• Device Authentication: Identifies the host as university-owned and departmentally-managed
• Policy Enforcement: Provides appropriate network access based on department affiliation
• Enhanced Security: Replaces password-based authentication with certificate-based authentication