Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-22952: After upgrading to 19.6 on Solaris 11.x, ca-certificate service goes into a degraded state

Authentication Service ,  

14 April,20 at 01:00 PM


After upgrading the centrifydc agent to version 19.6 on a Solaris 11.x machine, the svc:/system/ca-certificates:default service goes into a degraded state, due to duplicate certificates in the certificate store.
root@server02:~$ svcs -xv
svc:/system/ca-certificates:default (CA Certificates Service)
State: degraded since October 22, 2019 at 10:11:00 AM MDT
Reason: Degraded by service method: "Duplicate CA certificates /etc/certs/CA/Acme_Root_Certification_Authority.pem and /etc/certs/CA/trust_3AF427FE720C3AD144068DE81E57EFBG931267A1.pem both link to /etc/openssl/certs/0123456.1. ."
See: man -M /usr/share/man -s 5openssl x509v3_config
See: /var/svc/log/system-ca-certificates:default.log
Impact: Some functionality provided by the service may be unavailable.


In the 19.6 release, Centrify added a group policy mapper script for the agent to put AD certificates into the default Solaris cerificate store (/etc/certs/CA/), as this is needed for MFA to work correctly. In previous versions of CentrifyDC, the AD certificates were not put the correct location and had to be manually added.

Currently, the group policy mapper script does not check to see if the same certificate exists before adding it to the certificate store, thus potentially causing the svc:/system/ca-certificates:default service to go into a degraded state due to duplicate certificates.


1. If using Multi-Factor Authentication (MFA) , remove the duplicate certificate that is not from coming from AD via the CentrifyDC agent. The certs from Centrify will be named with the following naming syntax, trust_<certThumbprint>.pem


2. If not using Centrify MFA, the mapper script to pull down certificates from AD can be disabled.

See KB-11019: How to disable Group Policy mapper script of DirectControl agent for steps to disable the mapper script.
On Solaris the mapper script is:


This will be fixed in a future release of Centrify Infrastructure Services.