After updating the DirectControl agent to version 5.1.0, it was found that some certificates were constantly being enrolled as new again at every group policy refresh. This results in the certificates being duplicated in the system keychain every time.
Is there any way to prevent this from happening?
A change to the certificate processor in 5.1.0 caused the Centrify agent to read the wrong filename for the certificate. This in turn caused it to incorrectly assume that the certificate had not yet been enrolled into the keychain, when in fact the certificate was correctly enrolled the first time.
Attached to the end of this KB is a patch to resolve the issue (510.certgp.tar.gz). Use the following steps to apply the patch on a single machine:
1. Log in to the system as root and delete the duplicated certificates currently present in the keychain.
2. Back up the following files to a separate directory (create the backup directory first if it does not already exist):
mkdir -p /usr/share/centrifydc/backup
mv /usr/share/centrifydc/mappers/machine/certgp.pl /usr/share/centrifydc/backup/certgp.pl
mv /usr/share/centrifydc/sbin/get_crl.pl /usr/share/centrifydc/backup/get_crl.pl
3. Save the attached patch to the /tmp/ directory and run the following commands:
tar -zxvf /tmp/510.certgp.tar.gz
4. Remove the existing certs and run adgpupdate twice:
rm -f /var/centrify/net/certs/*
adgpupdate
adgpupdate
5. Check the keychain again; the certificates should no longer be duplicated.
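One way to verify step 5 from a terminal rather than by eye in Keychain Access, as an added example that is not part of this KB: it reads the PEM output of `security find-certificate -a -p /Library/Keychains/System.keychain` and reports any certificate that appears more than once. The embedded PEM blocks are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added check, not part of the Centrify KB: find certificates that occur more
# than once in a PEM stream such as the output of
#   security find-certificate -a -p /Library/Keychains/System.keychain
# Only POSIX tools (awk, sort, uniq, wc) are used, so it also runs on Linux
# against any PEM bundle for testing.

# Collapse each BEGIN/END CERTIFICATE block into a single line of base64 so
# identical certificates compare equal regardless of how they were wrapped.
pem_to_lines() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
    inblock                       { gsub(/[ \t\r]/, ""); body = body $0 }
  '
}

# For every certificate seen more than once, print "<copies> <base64 prefix>...".
dupe_certs() {
  pem_to_lines | sort | uniq -c | awk '$1 > 1 { print $1, substr($2, 1, 24) "..." }'
}

# Number of distinct certificates that have duplicates; 0 means the keychain is clean.
dupe_cert_count() {
  dupe_certs | wc -l | tr -d ' '
}

# Constructed sample (placeholder base64, not real certificates): "cert A" enrolled
# twice with different line wrapping, "cert B" once, as seen after the 5.1.0 bug.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFB
QUFBQUFBQQ==
-----END CERTIFICATE-----'

# Stand-alone demo on the sample; on the affected Mac replace the printf with:
#   security find-certificate -a -p /Library/Keychains/System.keychain | dupe_certs
printf '%s\n' "$SAMPLE_PEM" | dupe_certs
```

Run it before and after the patch plus the two adgpupdate passes; a count of 0 after the second refresh confirms the fix took.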
Once the fix has been verified, the patch can be deployed to multiple machines via Group Policy:
a) Use the "Copy files" group policy to push the patch and the deploy.txt script out to the /tmp/ folder of the targeted systems:
Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files"
b) Enter the following command into the "Specify commands to run" GP (also in Common UNIX Settings):
c) After the above policies have had a chance to be pushed out to all affected systems, make sure to turn them off, since the patch only needs to be applied once.
This issue has been fixed in DirectControl 5.1.1.