Applies to: Centrify DirectControl version 4.4.3 and higher on Mac OS X
Is there a GP to install root CA certificates into the Mac system Keychain?
Yes, DirectControl looks for certificates configured in the following GP:
Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities /
The certs are installed through the mapper script "mac_mapper_trustedrootca.pl".
If there is no root CA cert configured, the following messages are logged when running adgpupdate with debug mode turned on:
Sep 1 16:07:30 macbp mac_mapper_trustedrootca.pl: run command: [/usr/bin/security find-certificate -a -Z /Library/Keychains/System.keychain]
Sep 1 16:07:30 macbp mac_mapper_trustedrootca.pl: No trusted root CA in gp
Sep 1 16:07:30 macbp runmappers: /usr/share/centrifydc/mappers/machine/mac_mapper_trustedrootca.pl map force: Exit status 0
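To confirm that a root CA configured in the GP actually reached the System keychain, the listing from the command shown in the log can be checked for the certificate's SHA-1 fingerprint. The script below is an added example, not part of the original article or of Centrify's mapper; the function names, the sample fingerprints and names, and the assumed listing layout are illustrative.

```shell
#!/bin/sh
# Added example (not Centrify code). Parses the listing printed by the command
# the mapper runs:
#   /usr/bin/security find-certificate -a -Z /Library/Keychains/System.keychain
# Assumed layout: a "SHA-1 hash:" line, then that certificate's attributes.

# list_certs: print "FINGERPRINT<TAB>LABEL" for each certificate on stdin.
list_certs() {
    awk '
        /^SHA-1 hash: / { fp = toupper($3) }
        /"labl"<blob>=/ {
            label = $0
            sub(/^.*"labl"<blob>=/, "", label)
            gsub(/^"|"$/, "", label)
            if (fp != "") print fp "\t" label
            fp = ""
        }'
}

# has_cert FINGERPRINT: succeed if that SHA-1 fingerprint is in the listing on
# stdin. Colons, spaces and letter case in the argument are ignored.
has_cert() {
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    list_certs | cut -f1 | grep -qx "$want"
}

# Constructed sample listing (made-up fingerprints and names).
sample_listing() {
    cat <<'EOF'
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Example Corp Root CA"
    "labl"<blob>="Example Corp Root CA"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="com.apple.systemdefault"
    "labl"<blob>="com.apple.systemdefault"
EOF
}

# On a Mac, pipe the real listing in instead of the sample:
#   security find-certificate -a -Z /Library/Keychains/System.keychain | has_cert "$FP"
sample_listing | list_certs
```

Take the expected fingerprint from the certificate published in the GP, not from the Mac being checked.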
Microsoft Windows Server 2003 Enterprise Edition (not Standard Edition) is required to distribute enterprise certificates; it is also required to support auto-enrollment.
The Standard Edition of Windows Server 2003 only has the "Computer" certificate template which only supports "Enroll", but not "Auto-Enroll".
This is not a Centrify limitation.