What certificates are needed?:
MFA requires two certificates:
- The root (issuer) certificate for the connector.
- The issuer certificate for the tenant website (podscape, cloud.centrify.com), i.e. the public root certificate (DigiCert).
By default the podscape root cert is DigiCert and the tenant root CA is "Tenant Customer AAP0825".
Website certificate chain:
Connector's certificate chain (installed on host FQDN: cloud.ocean.net):
What if the customer is using custom certificates? Where can I check?
Cloud website certificate (CPS on prem):
- Log into the tenant using a browser.
- Select the lock icon -> View certificate.
Connector certificate:
- Open a browser and go to:
- https://<FQDN of connector>:8443/Iwa/sitecheck
- Enter credentials.
- Select the lock icon -> View certificate.
Where we check for the pod root cert:
By default we check for the DigiCert (podscape root) certificate in the ca-bundle location for the OS in question.
We check the following locations by default:
- /etc/pki/tls/certs/ca-bundle.crt (Red Hat & CentOS)
- /etc/ssl/cert.pem (AIX)
- /etc/certs/ca-certificates.crt (Solaris)
If the CA cert lives somewhere else, add its location to the following parameter in /etc/centrifydc/centrifydc.conf:
- adclient.cloud.cert.store: <Location of CA cert>
Where we check for the connector certificate:
- Group Policy (GP) places the certificates in /var/centrify/net/certs and creates a symlink with open permissions.
- The certificate is also added to the computer's ca-bundle.crt. On Linux this is located at /etc/ssl/certs/ca-bundle.crt.
- That file is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
- Searching either of these files will show the contents of the certificate in the bundle.
For simplicity, we encourage users to deploy the certificates through Group Policy, or to run our certgp.pl script, which does this automatically.
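The two checks above (pod root cert in the OS ca-bundle, connector cert appended to the same bundle) can be scripted instead of grepping by hand. The following is an added example, not Centrify's own code: it parses every PEM block in a bundle and compares SHA-256 fingerprints of the DER bytes, so line wrapping and block order do not matter. The bundle paths are the ones listed on this page; the sample PEM blocks are constructed stand-ins, not real certificates.

```python
# Added example (not Centrify's code): confirm that a CA certificate is present in
# the ca-bundle that adclient reads. Standard library only; the sample PEM blocks
# built by fake_pem() are constructed stand-ins, not real X.509 certificates.
import base64
import hashlib
import re
import sys

# Default ca-bundle locations listed on this page.
DEFAULT_BUNDLES = {
    "redhat": "/etc/pki/tls/certs/ca-bundle.crt",
    "aix": "/etc/ssl/cert.pem",
    "solaris": "/etc/certs/ca-certificates.crt",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM text."""
    fps = set()
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))  # strip wrapping, decode DER
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def cert_in_bundle(cert_pem, bundle_pem):
    """True if the single certificate in cert_pem appears in bundle_pem.
    Comparing DER fingerprints ignores line wrapping and block order."""
    wanted = pem_fingerprints(cert_pem)
    if len(wanted) != 1:
        raise ValueError("cert_pem must contain exactly one certificate")
    return wanted <= pem_fingerprints(bundle_pem)

def fake_pem(payload):
    """Constructed PEM-shaped block for demonstration only; not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

POD_ROOT = fake_pem(b"constructed stand-in for the podscape (DigiCert) root")
CONNECTOR_ROOT = fake_pem(b"constructed stand-in for the connector's root CA")
SAMPLE_BUNDLE = POD_ROOT + fake_pem(b"constructed stand-in for an unrelated CA")

if __name__ == "__main__":
    # Usage: check_bundle.py <cert.pem> [bundle path; default is the Red Hat location]
    cert_path, bundle_path = sys.argv[1], (sys.argv[2:] or [DEFAULT_BUNDLES["redhat"]])[0]
    with open(cert_path) as c, open(bundle_path) as b:
        print("present" if cert_in_bundle(c.read(), b.read()) else "MISSING")
```

On a real host, pass the connector cert from /var/centrify/net/certs and the bundle path from adclient.cloud.cert.store to confirm the bundle adclient reads actually contains it.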