
KB-3031: Duplicate certificates are enrolled at every GP update

Centrify Identity Service, Mac Edition

12 April, 16 at 11:13 AM

Applies to: Centrify DirectControl 5.1.0 on Red Hat and Mac OS platforms
 
Question:
 
After updating the DirectControl agent to version 5.1.0, it was found that some certificates were being re-enrolled as new at every group policy refresh. This results in the certificates being duplicated in the system keychain each time.
 
Is there any way to prevent this from happening?
 
Answer:
 
A change to the certificate processor in 5.1.0 caused the Centrify agent to read the wrong filename for the certificate. This in turn caused it to incorrectly assume that the certificate had not yet been enrolled into the keychain, when in fact it had been enrolled correctly the first time.
 
 
Attached to the end of this KB is a patch (510.certgp.tar.gz) that resolves the issue. Use the following steps to apply the patch on a single machine:
 
1. Log in to the system as root and delete the duplicated certificates currently present in the keychain.
 
2. Back up the following files to a separate directory:
 
  mkdir /usr/share/centrifydc/backup
  mv /usr/share/centrifydc/mappers/machine/certgp.pl /usr/share/centrifydc/backup/certgp.pl
  mv /usr/share/centrifydc/sbin/get_crl.pl /usr/share/centrifydc/backup/get_crl.pl
 
3. Save the attached patch to the /tmp/ directory and run the following commands: 
 
  cd /usr/share/centrifydc 
  tar -zxvf /tmp/510.certgp.tar.gz 
 
4. Remove the existing certs and run adgpupdate twice:
 
  rm -f /var/centrify/net/certs/* 
  adgpupdate 
  adgpupdate 
 
5. Check the Keychain again; the certificates should no longer be duplicated.
 
 
Once the fix has been verified, the patch can be deployed to multiple machines via Group Policy:
 
a) Use the Copy File group policy to push the patch and the deploy.txt script out to the /tmp/ folder of the targeted systems:
 
  Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files" 
 
b) Enter the following command into the "Specify commands to run" GP (also in Common UNIX Settings): 
 
  sh /tmp/deploy.txt 
 
c) After the above policies have had a chance to be pushed out to all affected systems, make sure to turn them off, since the patch only needs to be applied once.
 
 
This issue has been fixed in DirectControl 5.1.1.
