
[HOWTO] Identify all the required MFA certificates

Privileged Access Service

28 September, 20 at 10:00 PM

What certificates are needed?

MFA requires two certificates.

    • The root (issuer) certificate for the connector.
    • The issuer certificate for the tenant website (podscape); by default this is the public DigiCert root certificate.

       By default the podscape root cert is DigiCert and the tenant root CA is "Tenant Customer AAP0825".

Website Certificate Chain: [screenshot]
Connector's Chain (installed on the host FQDN): [screenshot]

What if the customer is using custom certificates? Where can I check?
Cloud Website Certificate (CPS on-prem):

  • Log into the Tenant using a browser
  • Select the Lock Icon -> View certificate
[screenshot]

Connector Certificate

  • Open a browser and go to:
  • https://<FQDN of connector>:8443/Iwa/sitecheck
  • Enter credentials
  • Select the lock icon -> View certificate
[screenshot]

Where we check for the pod root cert:

By default we check for the DigiCert certificate (the podscape root cert) in the CA bundle location for the OS in question.

We check the following locations by default:

  • /etc/ssl/certs/ca-certificates.crt
  • /etc/pki/tls/certs/ca-bundle.crt (RedHat & CentOS)
  • /user/share/ssl/certs/ca-bundle.crt
  • /usr/local/share/certs/ca-root-nss.crt
  • /etc/ssl/cert.pem (AIX)
  • /etc/certs/ca-certificates.crt (Solaris)

Custom location:

In /etc/centrifydc/centrifydc.conf, add the location to the following parameter:

  • <Location of CA cert> 

Where we check for the connector certificate:

  • Group Policy (GP) places the certificates in /var/centrify/net/certs and creates a symlink with open permissions.
  • The certificate is also added to the computer's ca-bundle.crt. On Linux this is located in /etc/ssl/certs/ca-bundle.crt.
  • That file is a pointer (symlink) to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
  • If you search both of these files you will find the content of the cert in the bundle.
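The manual check described in the two lists above (is the pod root cert, or the connector cert, actually present in the OS CA bundle?) can be scripted. The following is an added example, not code from this article or from the Centrify product: it splits each bundle into its PEM certificates, compares SHA-256 fingerprints of the DER bodies, and reports which of the article's default bundle paths contain the certificate you hand it. The bundle paths are the ones listed above; the placeholder "certificates" and the temporary bundle in demo() are constructed for the example and are not real X.509 certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Default CA bundle locations named in the article (plus the RHEL file the symlink points to).
DEFAULT_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",                   # RedHat & CentOS
    "/user/share/ssl/certs/ca-bundle.crt",                # path exactly as listed in the article
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cert.pem",                                  # AIX
    "/etc/certs/ca-certificates.crt",                     # Solaris
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # target of /etc/ssl/certs/ca-bundle.crt on RHEL
]

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 hex fingerprint of the DER form of every PEM cert in text (openssl's value, minus colons)."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in _PEM_RE.findall(text)]

def find_cert_in_bundles(cert_pem, bundles=DEFAULT_BUNDLES):
    """Return the bundle paths that exist and contain the single PEM certificate given."""
    wanted = pem_fingerprints(cert_pem)
    if len(wanted) != 1:
        raise ValueError("cert_pem must hold exactly one certificate")
    return [p for p in bundles if Path(p).is_file()
            and wanted[0] in pem_fingerprints(Path(p).read_text(errors="ignore"))]

def fake_pem(raw):
    """Constructed placeholder: PEM framing around arbitrary bytes, NOT a real X.509 certificate."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def demo():
    """Constructed run: temp bundle with two placeholder certs; look up one that is present, one that is not."""
    cert_a, cert_b, cert_c = (fake_pem(b"placeholder-cert-%d" % i) for i in (1, 2, 3))
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "ca-bundle.crt"
        bundle.write_text(cert_a + cert_b)
        return {"present": find_cert_in_bundles(cert_a, [bundle, "/nonexistent/ca-bundle.crt"]),
                "absent": find_cert_in_bundles(cert_c, [bundle])}
```

On a real host, pass the PEM of the DigiCert root or of the connector certificate (as exported from the browser's certificate viewer) to find_cert_in_bundles() with the default bundle list.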

For simplicity we encourage users to place the certs in Group Policy, or to run our script, which does this for the user automatically.