Ahoy there! This is my personal blog which I use as my memory extension and a medium to share stuff that could be useful to others.

IT Support Archives

Problem:

The logrotate process caused high CPU utilization, ran for about 5-6 hours and finally exited with a non-zero (failure) exit code.

Background & Analysis:

Observed this problem on one of our RHEL 3 hosts. A new daily job was added and this job specified log rotation for all files in a directory (rather than a file or specific patterns to match files) and used the compress option. Consequently, logrotate compressed files that were already compressed and so on and files in the directory started having very long filenames (e.g. test.dmp.gz.gz.1.gz.1.gz…) and a huge number of files were present in the directory, making logrotate’s job more and more difficult, thereby causing logrotate to consume high CPU (system cpu utilization %) and take longer to complete. Also, logrotate’s state file (/var/lib/logrotate.status) ended up being about 58 MB.

Solution:

  • Modify the daily job to rotate only files matching a specific pattern (in my case, I removed the daily job as it was redundant. The files were created with timestamp prefixes and so rotation wasn’t required).
  • Remove logrotate’s state file (/var/lib/logrotate.status). When done, logrotate will generate a new state file.

NOTE: The removal of logrotate’s state file is akin to running logrotate for the first time. So, you can modify the dates in the state file to reflect the previous day or the previous week before running a daily or weekly job to ensure logrotate rotates the files on its first run. Alternatively, use the logrotate -f option.

Root Cause:

Improper configuration of logrotate for a daily job.
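As an added example (not part of the original post), two POSIX shell checks for this failure mode: one expands a stanza's glob the way logrotate would and lists any matches that are already rotated output, the other counts files that have been compressed more than once. The stanza paths in the comments and the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks for the logrotate loop
# described above: a stanza that matched a whole directory together with
# "compress" kept rotating its own output until names like
# test.dmp.gz.gz.1.gz.1.gz appeared.
#
# Stanza that matches everything, including logrotate's own rotated files
# (constructed path):
#   /var/log/app/* {
#       daily
#       compress
#   }
# Stanza that matches only the live logs (the fix described in the post):
#   /var/log/app/*.log {
#       daily
#       compress
#   }

# rotated_matches GLOB
#   Expands GLOB the way logrotate would and prints every match that already
#   looks like rotated output (a .gz or numeric suffix). Any output means the
#   stanza will rotate its own results again on the next run.
rotated_matches() {
    for f in $1; do              # unquoted on purpose: expand the stanza's glob
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *.gz|*.[0-9]|*.[0-9][0-9]) printf '%s\n' "$f" ;;
        esac
    done
}

# stanza_is_safe GLOB
#   Returns 0 when GLOB matches no rotated output, 1 otherwise.
stanza_is_safe() {
    [ -z "$(rotated_matches "$1")" ]
}

# count_recompressed DIR
#   Counts files in DIR whose name carries ".gz" more than once, the
#   signature of a file that has already been through the loop.
count_recompressed() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *.gz*.gz*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Demonstration on a constructed directory; file names follow the symptom above.
demo() {
    d=$(mktemp -d) || return 1
    for name in app.log error.log app.log.1 app.log.2.gz test.dmp.gz.gz.1.gz.1.gz; do
        : > "$d/$name"
    done
    for glob in "$d/*" "$d/*.log"; do
        if stanza_is_safe "$glob"; then
            echo "stanza $glob: safe"
        else
            echo "stanza $glob: would re-rotate these files:"
            rotated_matches "$glob" | sed 's/^/    /'
        fi
    done
    echo "re-compressed files present: $(count_recompressed "$d")"
    rm -rf "$d"
}

# Run the demonstration only when invoked as "sh thisfile.sh demo", so the
# file can also be sourced for its functions.
if [ "${1:-}" = "demo" ]; then demo; fi
```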

(1) The solution above describes a successful problem-solving experience and may not be applicable to other problems with similar symptoms.

(2) Your rating of this post will be much appreciated as it gives me and others who read this article, an indication of whether this solution has worked for people other than me. Also, feel free to leave comments.

SSH Authentication is slow

Problem:

When trying to connect to a server via SSH, the authentication is slow (takes a few seconds), but the server seems normally responsive after authentication.

Background & Analysis:

I’ve experienced this problem when trying to connect to Linux hosts using SSH. Some of my Linux hosts use OpenSSH and some use Reflection for Secure IT Server.

When authenticating via SSH, the SSH server will perform a reverse domain lookup of the client’s IP address and this delays the authentication process.

SSH servers have options in their configurations to disable the reverse domain lookup of clients’ IP addresses.

Solution:

Disable reverse domain lookup of the client’s IP address in the SSH Server Configuration. Given below are examples of how this is done in two SSH servers:

OpenSSH: Edit /etc/ssh/sshd_config (or wherever your config file is) and set

UseDNS=no

RSIT: Edit /etc/ssh2/sshd2_config and set

ResolveClientHostname=no

Root Cause:

Slow Reverse Domain Lookup of clients’ IP addresses.

New Page Notification In Mediawiki

In trying to make my team aware of what’s in our team’s wiki (based on Mediawiki), I wanted a simple notification to go out to the team daily listing the new wiki pages created on the previous day. This may be achieved with a simple shell script that queries the Mediawiki recentchanges table.

STEP 1: Deploy Shell Script

The following script queries the recentchanges table and fetches data for pages created (rc_type = 1) the previous day in the Main namespace (rc_namespace = 0).

#!/bin/bash
# Author         :       Cybergavin (http://www.cybergav.in)
# Date Created   :       31st March 2012
# Description    :       This simple script queries the Wiki database and sends a notification to specific users regarding page creation. Reminds users about the existence of the wiki and what's in there.
#####################################################################################
#
# Variables
#
EMAIL_RECIPIENTS="wikiusers@abc.com"
REPORT_DATE=$(date '+%Y%m%d' --date="yesterday")
REPORT_DATE_FORMAIL=$(date '+%d-%b-%Y' --date="yesterday")
WIKI_BASEURL="http://wiki.abc.com/wiki/index.php/"
#
# Functions
#
getDBdata()
{
mysql -u wiki -p'xxxxx' --skip-column-names wiki <<EOSQL
connect wiki;
select rc_title, rc_user_text from recentchanges
where rc_timestamp like '$REPORT_DATE%'
and rc_type = 1
and rc_namespace=0;
quit
EOSQL
}
#
# Main
#
mail -s "Tech Ops Wiki : New Page Notification For $REPORT_DATE_FORMAIL" $EMAIL_RECIPIENTS <<EOMAIL
Hi

Given below are Pages created on the ABC Wiki ( http://wiki.abc.com ) yesterday ($REPORT_DATE_FORMAIL) along with their authors:

`getDBdata | awk -v a="$WIKI_BASEURL" '{printf "%-70s %s %s\n", a$1,"-", $2}'`

EOMAIL
#
##################################### T H E     E N D ###############################

NOTE:
(1) You must change certain variables and the body of the email as per your requirements.
(2) If your wiki isn’t updated with new pages very often, you may send this notification weekly. To do so, simply replace "yesterday" by "last week" on lines 11 and 12 (the two REPORT_DATE assignments) and replace "where rc_timestamp like '$REPORT_DATE%'" by "where rc_timestamp > ${REPORT_DATE}0000".

STEP 2: Cron the Shell Script

Set up a cron job to send a daily notification. The example below executes the script daily at 9 AM.

0 9 * * * /opt/support/wikiPCnotify.sh > /opt/support/wikiPCnotify.out 2> /opt/support/wikiPCnotify.err

Unknown groups in SLES

Problem:

On SLES 11 SP 1, while trying to add users with the useradd command, the following is displayed:

useradd: Unknown group `video'.
useradd: Unknown group `dialout'.

Background & Analysis:

The “video” and “dialout” groups are default groups in SLES. This is configured in /etc/default/useradd.

These groups were removed from /etc/group using the groupadd command although the useradd command uses them as default groups.

Solution:

STEP 1: Modify /etc/default/useradd

Edit /etc/default/useradd and remove video and dialout from the GROUPS directive. After doing so, my /etc/default/useradd looks like this (I have removed the GROUPS directive as I do not want default groups):

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

How to Install PHP with FreeTDS on Linux

There are PHP applications which use MSSQL as the back-end database, and such applications require FreeTDS to enable PHP code to interface with MSSQL. This article describes how to install PHP and FreeTDS on Linux hosts.

To compile or not?: Typically, it is recommended to use package managers like yum to install software on Linux platforms. Using package managers facilitates installation and administration (e.g. updates) of the software. However, when the software requires special options to be set or modules/extensions to be enabled, it may be difficult to obtain software built to suit those requirements. In such cases, it will be required to compile the software from its source. If compiling, then it will be prudent to organize all compiled software in standard locations on the host.

Given below are the implementation steps that were used for installing PHP 5.3.3 and FreeTDS 0.91 on RHEL 6.2.

NOTE: All commands in the examples below must be executed with root privileges, unless otherwise stated.

STEP 1: Create Installation Directory Structure

  • Use the following command to create an appropriate directory structure for compiled software:
    mkdir /opt/src
  • Use a standard location (e.g. /opt) to install all software compiled from source to facilitate administration (re-compilation, removal, etc.)

STEP 2: Download and Unpack Software Source

  • Download software sources (typically *.tar.gz files) and place them in /opt/src
  • Unpack source software (*.tar.gz) as per the following examples:
    tar xfz php-5.3.3.tar.gz
    tar xfz freetds-0.91.tar.gz

The above commands will create directories /opt/src/php-5.3.3 and /opt/src/freetds-0.91

STEP 3: Compile and Build FreeTDS

Compile and build FreeTDS as per the example below:

cd /opt/src/freetds-0.91
./configure --prefix=/opt/freetds-0.91
make
make install

NOTE: In order to facilitate administration, you may create a soft link as follows:

cd /opt
ln -s freetds-0.91 freetds

STEP 4: Compile and Build PHP

Compile and build PHP as per the example below:

cd /opt/src/php-5.3.3
./configure --prefix=/opt/php-5.3.3 --with-config-file-path=/opt/php-5.3.3
make
make install

NOTE: In order to facilitate administration, you may create a soft link as follows:

cd /opt
ln -s php-5.3.3 php

STEP 5: Compile and Build the PHP Sybase Extension

PHP requires the sybase_ct extension to allow PHP code to interface with MSSQL. You may compile and build the sybase_ct extension as follows:

cd /opt/src/php-5.3.3/ext/sybase_ct
sh ../../scripts/phpize
./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config --with-sybase-ct=/opt/freetds
make
make install

STEP 6: Enable the PHP Sybase Extension

Enable the sybase_ct extension by adding the following line to /opt/php/php.ini

extension=sybase_ct.so

STEP 7: Verify the PHP (with FreeTDS) Installation

If PHP and the sybase_ct extension have been successfully installed, you should be able to view the sybase_ct module when displaying the PHP configuration information as shown below:

Execute the following command (any user):

php -i | grep sybase_ct

If you see "sybase_ct" in the output, then it means that PHP and the sybase_ct extension have been successfully installed.

NOTE: Since PHP and FreeTDS have been compiled from source and installed in non-standard locations, you must add /opt/php/bin:/opt/freetds/bin to a user’s PATH environment variable.


Unable to load module osad

Problem:

The osad service does not start (RHEL 5.7) and throws the following error:

Starting osad: Unable to load module osad

Background & Analysis:

The osad service is required on all Red Hat Network Satellite clients to receive pushed actions from the RHN Satellite Server. For more details on the osad and related services, please refer to this Spacewalk (open-source version of RHN Satellite) article.

Solution:

The osad service depends on the python-hashlibs package.

STEP 1: Install python-hashlibs

Install python-hashlibs as follows:

sudo rpm -ivh <package>

where <package>= the name of the python-hashlibs rpm

Refer to the screenshot below:

[Screenshot: osad-python-haslib-dep]

NOTE: You may also use "yum install" if python-hashlibs is available in any of your yum repositories.


How to install Tomcat 6 on RHEL 6

Installing software on RHEL platforms using yum is straightforward. However, based on your environment, there could be a few more steps to get there. So, here’s what I did to install Tomcat 6 on RHEL 6.2:

Environment:

OS: Red Hat Enterprise Linux Server release 6.2 (Santiago)

Yum Repos: Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64), RHN Tools for RHEL (v. 6 for 64-bit x86_64)

Implementation:

STEP 1: Install the Tomcat6 Web Servlet container

sudo yum groupinstall web-servlet

STEP 2: Enable the Tomcat6 service

sudo chkconfig tomcat6 on

STEP 3: Change ownership for the Tomcat6 resources

When tomcat6 is installed via STEP 1, a user and group with the same name (tomcat) are created. For security, the user is created without an interactive login shell (/sbin/nologin). So, in order to ensure that the application support individuals don’t require root privileges, you must do the following:

sudo chown -R tomcat:tomcat /usr/share/tomcat6
sudo chown -R tomcat:tomcat /etc/tomcat6/*

NOTE: By default, the tomcat user is created with umask 022 and so individual accounts will require sudo privileges to modify the resources owned by tomcat. This also ensures that all operations on tomcat resources are audited.

STEP 4: Test the Tomcat6 service

After doing STEPS 1-3, I started/stopped tomcat6 using the following commands:

sudo service tomcat6 start
sudo service tomcat6 stop

Tomcat6 started and stopped successfully (and http://localhost:8080 was accessible), but the following two messages in catalina.out bugged me:

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

SEVERE: destroyMBeans: Throwable javax.management.MalformedObjectNameException: Cannot create object name for org.apache.catalina.connector.Connector@290fd7f6 at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.java:764) at org.apache.catalina.mbeans.MBeanUtils.destroyMBean(MBeanUtils.java:1416)


The first INFO message was logged whenever tomcat6 was started and the SEVERE message was logged whenever tomcat6 was stopped.

Getting rid of the INFO message requires installing the Tomcat Native Library (see STEP 5) and it’s recommended that you do this for optimal performance (native code is faster than Java bytecode).

Regarding the SEVERE message, it seems to have been fixed in Tomcat 6.0.25 (refer to the Tomcat6 bug) and the version I installed using the above steps was 6.0.24. As this error is harmless, I’d wait for 6.0.25.


STEP 5: Install the Tomcat Native Library

Unfortunately, the standard RHEL yum repos used in our company (see Environment above) did not contain packages for the Tomcat Native Library. So, here’s what I did to install the library:

  • Install the pre-requisite packages
    sudo yum install apr apr-devel java-1.6.0-openjdk-devel.x86_64 openssl-devel.x86_64

NOTE: I required only the above packages, but your requirement may vary based on your existing OS installation.

  • Download the tomcat native library from here
  • Execute the following commands:
# Extract downloaded tar
tar xvzf tomcat-native-1.1.22-src.tar.gz

# Configure
cd tomcat-native-1.1.22-src/jni/native
sudo ./configure \
--with-apr=/usr/bin/apr-1-config \
--with-java-home=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64 \
--with-ssl=/usr/include/openssl \
--prefix=/usr/lib64

# Make
sudo make

# Make Install
sudo make install

# The steps above installed the library in /usr/lib64/lib. As the default LD_LIBRARY_PATH
# includes /usr/lib64, you may either change the path or set up links as shown below:

cd /usr/lib64
sudo ln -s lib/libtcnative-1.so.0.1.22 libtcnative-1.so
sudo ln -s lib/libtcnative-1.so.0.1.22 libtcnative-1.so.0

Successful installation of the Tomcat Native library will show something similar to the following in catalina.out when you start the tomcat6 service:

INFO: Loaded APR based Apache Tomcat Native library 1.1.22.

I observed that the Tomcat Native Library made quite an improvement to the tomcat6 server start time. Prior to installation, tomcat 6 started in about 144ms and after installation, it took only around 77ms!


Red Hat Enterprise Linux (RHEL) cluster configuration file is /etc/cluster/cluster.conf

NOTE: Red Hat discourages direct editing of the cluster configuration file and recommends using the system-config-cluster GUI.

However, if you need to edit the file, here’s a method that works:

STEP 1: Edit the Cluster Configuration file on any one node in the cluster

  • Open /etc/cluster/cluster.conf using your favourite editor and make your required changes.
  • Ensure that you increment the config_version (in line 2) by 1. For example, if the config_version is 45, then make it 46.
  • Save and close the file

STEP 2: Update the cluster

Execute the following command (with root privileges) on the same node used in STEP 1:

ccs_tool update /etc/cluster/cluster.conf

The above command will display output similar to the following:

Config file updated from version 45 to 46

Update complete.


At times, to meet performance requirements, you may want to disable file system journaling. Given below are steps to do so for an ext4 file system (e.g. /dev/sda1). These steps have been tested on RHEL 5.7. All commands are to be executed with root privileges:

STEP 1: Unmount the file system partition whose journaling you wish to disable

Use the following command to unmount the partition on /dev/sda1 (let’s say it’s /opt):

umount /opt

NOTE: The command used above is umount and not unmount.

STEP 2: Disable journaling for the file system

Use the following command to disable journaling for an ext4 file system:

tune4fs -O ^has_journal /dev/sda1

STEP 3: Perform a file system check

Use the following command to perform a file system check. This is not strictly required, but is recommended for checking file system integrity after disabling journaling:

e4fsck -f /dev/sda1


STEP 4: Reboot

You may use the following command to reboot the Linux OS:

shutdown -r now


STEP 5: Verify that the file system has journaling disabled and the partition is mounted

After the host has rebooted, you may use the following commands to check if journaling is disabled for the filesystem and the partition is mounted:

dmesg | grep EXT4

Expected output similar to: EXT4-fs (dm-3): mounted filesystem without journal

df -h


In order to re-enable journaling, repeat all the STEPS above, but without the ‘^’ in STEP 2.


How PAM works

Pluggable Authentication Modules (PAM) is a framework used for authentication. Typically, most Linux distros come with PAM installed by default. PAM can be powerful if used well and it’s important to understand how PAM works. PAM has its criticisms, but is quite adequate for most purposes.

Refer to this LINUX FORMAT article for a good introduction to PAM.

For easy reference, I’ve stitched together an image of important PAM concepts (shown below) taken from the LINUX FORMAT article.

[Image: PAM concepts stitched together from the LINUX FORMAT article (first published in lxf)]


Problem:

When changes are made to /etc/security/limits.conf to apply limits for resources (e.g. file descriptors, processes), the changes are not visible in my Shell (SSH Session). However, when using programs such as su, the changes are visible.

Background:

/etc/security/limits.conf is the configuration file for the pam_limits PAM module. By default, the pam_limits module is used in ssh policies in /etc/pam.d. However, the SSH server must be configured to use PAM.

Solution:

  • Make your SSH server PAM-aware by setting one or both of the following in the SSH configuration file:
    UsePamSessions=yes
    or
    UsePAM=yes
  • Restart the SSH server

Root Cause:

The SSH server was not configured to use PAM.

Cannot connect to MySQL on a remote host

Problem:

  • Cannot connect to a MySQL database on a remote host (port 3306)
  • Firewalls aren’t blocking traffic and network connectivity is available.
  • The MySQL database is up and running on the remote host and can be accessed when connecting to it locally on the remote host (as localhost)

Background:

Access to a MySQL database may be restricted and this restriction may be configured in the configuration file my.cnf. A directive such as bind-address=127.0.0.1 will ensure that the MySQL database can be accessed only from localhost.

Solution:

  1. Edit the configuration file my.cnf and ensure that the following is set:
    bind-address=<external-ip of remote host>
  2. Restart MySQL

Root Cause:

Connectivity to the MySQL database was restricted in the my.cnf configuration file with the bind-address directive.

How to build AMP from source on RHEL 5.7

Typically, building a LAMP system on RHEL may be performed by yum installs. However, I wanted specific options built-in for my AMP and I wanted to locate the software in specific locations. Hence, I opted to compile from source. It ain’t scary, but took me a few iterations to get stuff sorted out and this article describes what I did:

My LAMP System:

  • L – RHEL 5.7 (kernel 2.6.18-274.3.1.el5)
  • A – Apache 2.2.20
  • M – MySQL 5.5.15
  • P – PHP 5.3.8

STEP 1: Install Apache HTTP

Pre-requisites:

  • Create a user for Apache. This user will be used to launch the httpd child processes (assuming that the root user will launch the parent process to listen at port 80 (or any port < 1024)). I created a user called apache as shown below (command executed as the root user):

    useradd -c "Apache HTTP" -s /bin/bash -m apache
  • Select a location to install apache and ensure that the user created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/apache-2.2.20
    chown -R apache:apache /opt/apache-2.2.20

Installation:

As the apache user, I executed the following:

tar -xvzf httpd-2.2.20.tar.gz
cd httpd-2.2.20
./configure --prefix=/opt/apache-2.2.20 --enable-so

STEP 2: Install MySQL

Pre-requisites:

  • Create a user for MySQL. This user will be used to launch the mysqld process. I created a user called mysql as shown below (command executed as the root user):

    useradd -c "MySQL Admin" -s /bin/bash -m mysql
  • Select a location to install mysql and ensure that the user created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/mysql-5.5.15
    chown -R mysql:mysql /opt/mysql-5.5.15
  • You may have to install some packages to build MySQL. I installed packages as per the following command (executed as the root user):

    yum install gcc gcc-c++.x86_64 cmake ncurses-devel libxml2-devel.x86_64

Installation:

As the mysql user, I executed the following:

tar -xvzf mysql-5.5.15.tar.gz
cd mysql-5.5.15
cmake . -DCMAKE_INSTALL_PREFIX=/opt/mysql-5.5.15 -DSYSCONFDIR=/opt/mysql-5.5.15
make
make install

STEP 3: Install PHP

Pre-requisites:

  • Select a location to install php and ensure that the appropriate user (web server user e.g. apache) created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/php-5.3.8
    chown -R apache:apache /opt/php-5.3.8
  • As I needed a few packages for the phpMyAdmin application and other bespoke PHP applications, I did the following (use a combination of yum and rpm as I did not find all packages in my yum repositories):

    # As root user
    rpm -ivh libmcrypt-2.5.7-1.2.el5.rf.x86_64.rpm
    rpm -ivh libmcrypt-devel-2.5.7-1.2.el5.rf.x86_64.rpm
    rpm -ivh mhash-0.9.9-1.el5.rf.x86_64.rpm
    yum install php53-mbstring.x86_64 bzip2 bz2 libbz2 libbz2-dev autoconf
    tar -xvzf mcrypt-2.6.8.tar.gz
    cd mcrypt-2.6.8
    ./configure --disable-posix-threads --prefix=/opt/mcrypt

Installation:

As the apache user, I executed the following:

tar -xvzf php-5.3.8.tar.gz
cd php-5.3.8
./configure --prefix=/opt/php-5.3.8 --with-apxs2=/opt/apache-2.2.20/bin/apxs --with-config-file-path=/opt/php-5.3.8 --with-mysql=/opt/mysql-5.5.15 --with-bz2 --with-zlib --enable-zip --enable-mbstring --with-mcrypt

How to create a CSR using openssl

  • A CSR or Certificate Signing Request is a base64-encoded (PEM) block of text that is used to request a digital certificate from a Certificate Authority (CA).
  • A CSR must be created on the server which will host the digital certificate.
  • A key pair (public/private keys) must be created before or during the creation of a CSR.
  • A CSR will contain the public key and other information provided for the certificate (Organization Name, Department Name, etc).
  • As a key pair is used in the creation of a CSR, the digital certificate provided by a CA upon receipt of your CSR must be used along with the private key used in the creation of the CSR. If the private key is lost, then the digital certificate will be useless.

Example CSR (base-64 PEM format), i.e. the text from and including the -----BEGIN CERTIFICATE REQUEST----- line to the -----END CERTIFICATE REQUEST----- line:


Given below are three methods to generate a CSR using openssl:

METHOD 1: Create a CSR and a new private key

Assuming you start from scratch, use the following command to create a CSR and a private key:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-newcsr]

METHOD 2: Create a CSR for an existing private key

If you wish to use an existing private key, use the following command to create a CSR with it:

openssl req -out CSR.csr -key privateKey.key -new

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-newcsr]

METHOD 3: Create a CSR for certificate renewal (using an existing certificate and an existing private key)

If you wish to create a CSR for certificate renewal and want to avoid re-entering certificate details, use the following command:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-oldcert-newcsr]

NOTE: The CSR file created using METHOD 3 will contain certificate and certificate request details. In this case, you must extract only the certificate request (the text from and including -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) and submit the extract to your CA.
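As an added example (not part of the original post), a POSIX shell script that wraps the three openssl methods above with the checks worth running before anything goes to the CA: extracting only the request block from METHOD 3 output, verifying the request's self-signature, and confirming the public key in the CSR really belongs to the private key you intend to keep. File names and the certificate subject are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the three
# openssl CSR methods described above; paths and subject are constructed.

# extract_csr FILE
#   Prints only the CERTIFICATE REQUEST block. METHOD 3 output also carries
#   the old certificate, and the CA wants just the request part.
extract_csr() {
    awk '/^-----BEGIN CERTIFICATE REQUEST-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE REQUEST-----/   { p = 0 }' "$1"
}

# csr_is_valid CSR
#   Checks the request's self-signature (proof that whoever built the CSR
#   held the matching private key).
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY
#   Returns 0 when the public key inside CSR is the one derived from KEY.
#   A certificate issued for this CSR is useless with any other private key,
#   which is the "lost key" pitfall noted above.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# demo: METHOD 1, then a renewal via METHOD 3, with the checks applied.
demo() {
    work=$(mktemp -d) || return 1
    # METHOD 1, made non-interactive with -subj (constructed subject)
    openssl req -out "$work/CSR.csr" -new -newkey rsa:2048 -nodes \
        -keyout "$work/privateKey.key" \
        -subj "/C=XX/O=Example Org/CN=www.example.invalid" 2>/dev/null
    csr_is_valid "$work/CSR.csr" && echo "CSR.csr: signature verifies"
    csr_matches_key "$work/CSR.csr" "$work/privateKey.key" \
        && echo "CSR.csr: public key matches privateKey.key"

    # A self-signed certificate stands in for the CA-issued one being renewed
    openssl x509 -req -days 30 -in "$work/CSR.csr" -signkey "$work/privateKey.key" \
        -out "$work/certificate.crt" 2>/dev/null
    # METHOD 3: renewal request from the existing certificate and key
    openssl x509 -x509toreq -in "$work/certificate.crt" \
        -signkey "$work/privateKey.key" -out "$work/renewal.out" 2>/dev/null
    extract_csr "$work/renewal.out" > "$work/renewal.csr"
    csr_is_valid "$work/renewal.csr" && echo "renewal.csr: signature verifies"
    csr_matches_key "$work/renewal.csr" "$work/privateKey.key" \
        && echo "renewal.csr: same key as the original certificate"
    openssl req -in "$work/renewal.csr" -noout -subject
    rm -rf "$work"
}

# Run the demonstration only when invoked as "sh thisfile.sh demo", so the
# file can also be sourced for its functions.
if [ "${1:-}" = "demo" ]; then demo; fi
```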


Recently, all Windows XP workstation users within a corporate domain were required to request and install a certificate from the Enterprise Certificate Authority (CA). Typically, the Certificate Manager Management console Snap-in Control (certmgr.msc) is used to request new certificates, as in the screenshot shown below. So, I was required to automate this process using a script that could be pushed to all the Windows XP workstations and executed.

[Screenshot: certmgr]

A tool called certreq.exe enables command-line execution of the steps performed by certmgr.msc. Hence, I developed a simple MS-DOS batch script using certreq.exe to automate the process of requesting new certificates from a CA. You may download the ZIP file below to view/use the script:

Download RequestCert.zip

Instructions to use RequestCert.zip:

(1) Unzip RequestCert.zip using WinZip, 7-zip or your favourite decompression software. A directory called RequestCert will be created with the following files:

  • RequestCert.bat : This is the MS-DOS batch file that uses certreq.exe to automate the Certificate Request process
  • RequestCert.inf : This is the setup file containing information required by certreq.exe.
  • certreq.exe : Microsoft tool (bundled with Windows SDK)

(2) Edit RequestCert.bat and set the value for the variables CA_SERVER (FQDN/IP/hostname of the CA server) and CA_NAME (Name of the CA).

(3) Edit RequestCert.inf and set the value of CertificateTemplate, if required.

(4) Execute RequestCert.bat


NOTE: RequestCert.bat met my requirement which was really basic. You may amend the script and the INF file to automate Certificate Requests for other requirements.
