Certificates Auto-Enrolment

Certificate Auto-Enrolment is a key component of Ubuntu’s Active Directory GPO support. This feature enables clients to seamlessly enrol for certificates from Active Directory Certificate Services.

This tutorial is designed to help you develop an understanding of how to efficiently implement and manage certificate auto-enrolment, ensuring your systems remain secure and compliant with organisational policies.

A video version of the tutorial is also available:

Demo video

What you need

  • A client machine running Ubuntu 23.04 LTS, Ubuntu 23.10 or Ubuntu 24.04 LTS

  • A VPN server that runs in the Azure cloud

  • An Ubuntu VM accessible in the VPN

What you will do

  • Configure and update the auto-enrolment policy

  • Connect to a VPN server using certificates

  • Access resources on the virtual network

Setup

You will need an installation of ADSys on your client Ubuntu Machine and the client should be joined to an Active Directory (AD) domain. Please refer to our how-to guides on setting up the Ubuntu client machine:

For the Windows Domain controller, refer to:

Configure the auto-enrolment policy

First the policy needs to be configured. This is done through the same entry policy as that which is used to configure Windows clients.

You can find the entry Certificate Services Client - Auto-Enrollment in the GPO tree:

Policies > Windows Settings > Security Settings > Public Key Policies

Open the entry and set the Configuration Model to Enabled. You should also toggle the option for updating certificates that use certificate templates.

Apply these changes and continue.

Update policies and query certificates

Now update the policies with ADSys:

sudo adsysctl update -m -v

Note

This command also typically runs on a fixed schedule and during system reboots.

ADSys downloads certificates from the domain controller. You can query information about the certificates with:

sudo getcert list

Note

The getcert list command is provided by the certmonger utility, which is being used to manage the lifecycle of the certificates, ensuring — for example — that they are automatically renewed.

The output of the above command should look something like this:

Number of certificates and requests being tracked: 2
Request ID 'galacticcafe-CA.Machine':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/adsys/private/certs/galacticcafe-CA.Machine.key'
    certificate: type=FILE,location='/var/lib/adsys/certs/galacticcafe-CA.Machine.crt'
    CA: galacticcafe-CA
    issuer: CN=galacticcafe-CA,DC=galacticcafe,DC=com
...
...
Request ID 'galacticcafe-CA.Workstation':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/adsys/private/certs/galacticcafe-CA.Workstation.key'
    certificate: type=FILE,location='/var/lib/adsys/certs/galacticcafe-CA.Workstation.crt'
    CA: galacticcafe-CA
    issuer: CN=galacticcafe-CA,DC=galacticcafe,DC=com
...
...

From this truncated output we can see that there are two certificates being monitored:

  • galactic-CA.Machine

  • galactic-CA.Workstation

These correspond to certificate templates that are configured on the certificate authority.

The paths to the private key and certificate are included in the getcert list output. Everything should now be in place for the use of corporate services like VPNs and WiFi.

Connect to VPN server using certificates

To check the VPN configuration run:

cat /etc/ppp/peers/azure-vpn

Output:

remotename: azure-vpn
linkname: azure-vpn
ipparamname: azure-vpn
...
...
name        keypress.galacticcafe.com
plugin      sstp-pppd-plugin.so
...
...
ca: /var/lib/adsys/certs/galacticcafe-CA.2.crt
cert: /var/lib/adsys/certs/galacticcafe-CA.Machine.crt
key: /var/lib/adsys/private/certs/galacticcafe-CA.Machine.crt
...
...

An SSTP VPN is being used for this tutorial, connecting to a gateway in the Azure cloud. The name specified is the FQDN of the machine that the certificates are generated for. Confirm that paths to the ca, cert and private key are all specified.

It should then be possible to connect to the VPN:

sudo pon azure-vpn

Establishing the connection may take a few seconds.

To check the connection run:

ip a

This should output a point-to-point connection:

...
...
8: ppp0: <POINTTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 pfifo_fast state unknown group default qlen 3
...
...

Accessing resources on a virtual network

The machine should now be connected to a virtual network with access to virtual resources.

For example, if an Ubuntu machine has no public IP but is set up in the same virtual network then it should be accessible:

ping <IPv4-address-of-resource>

It should be possible to ssh into a machine on the network:

ssh -i ~/.ssh/adsys-integration.pem root@<IPv4-address-of-resource>

For example, an instance of Ubuntu 24.04 LTS will give an output that shows it is running on Azure based on the kernel version:

Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.5.0-1004-azure x86_64))