
KB-2115: Is there a GP to install root CA certificate into Mac system keychain?

Mac & PC Management Service

12 April,16 at 11:02 AM

Applies to: Centrify DirectControl version 4.4.3 and higher on Mac OS X


Is there a GP to install root CA certificates into the Mac system Keychain?


Yes, DirectControl looks for certificates configured in the following GP:

  Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities /

The certs are installed through the mapper script "".
If there is no root CA cert configured, the following message is logged when running adgpupdate with debug mode turned on:

Sep 1 16:07:30 macbp[10861][10865]: run command: [/usr/bin/security find-certificate -a -Z /Library/Keychains/System.keychain]
Sep 1 16:07:30 macbp[10861][10867]: No trusted root CA in gp
Sep 1 16:07:30 macbp runmappers[10560][10868]: /usr/share/centrifydc/mappers/machine/ map force: Exit status 0
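
One way to confirm the result on the Mac, as an added example that is not Centrify's code: the script parses the output of the `security find-certificate -a -Z` command shown in the log above and checks for an expected SHA-1 fingerprint. The function names and the sample listing are constructed for illustration; the expected fingerprint is assumed to come from the root CA certificate's Thumbprint field on the Windows side.

```shell
#!/bin/sh
# Added example (not Centrify code): confirm that a root CA pushed by group
# policy is present in the Mac System keychain, by SHA-1 fingerprint.
KEYCHAIN=/Library/Keychains/System.keychain

# Strip colons/spaces and upper-case, so "ab:cd:..." and "ABCD..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# stdin: output of `security find-certificate -a -Z`; stdout: one SHA-1 per cert.
list_sha1() {
    sed -n 's/^SHA-1 hash: *\([0-9A-Fa-f]\{40\}\) *$/\1/p' | tr 'a-f' 'A-F'
}

# cert_present <fingerprint> < listing
# Returns 0 if present, 1 if absent, 2 if the fingerprint is not 40 hex digits.
cert_present() {
    want=$(normalize_fp "$1")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    list_sha1 | grep -qx "$want"
}

# Constructed sample listing; fingerprints and labels are made up.
sample_listing() {
    cat <<'EOF'
SHA-256 hash: 1111111111111111111111111111111111111111111111111111111111111111
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="Example Corp Root CA"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="Example Corp Issuing CA"
EOF
}

# On the Mac itself: run the same command seen in the debug log above.
check_keychain() {
    /usr/bin/security find-certificate -a -Z "$KEYCHAIN" | cert_present "$1"
}

# Usage: sh check_root_ca.sh <sha1-fingerprint>
if [ "$#" -eq 1 ]; then
    check_keychain "$1" && echo "present" || echo "absent or invalid fingerprint"
fi
```

A return status of 1 after a group policy refresh means the certificate did not reach the System keychain, which is the case to follow up in the debug log.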

Microsoft Windows Server 2003 Enterprise Edition (not Standard Edition) is required to be able to distribute enterprise certificates; it is also required to support auto-enrollment.
The Standard Edition of Windows Server 2003 has only the "Computer" certificate template, which supports "Enroll" but not "Auto-Enroll".

This is not a Centrify limitation.
