(Optional) Uncheck the "Include email in subject name" and "Email name" checkboxes. (This removes the requirement that the AD user have an email address.)
Certification Authority > [ domain ] > Right-click Certificate Templates > New > Certificate Template to Issue > Find the new template and add it in.
Enable the Group Policy at:
User Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings"
User Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings"
Select the renew and update options as needed.
On the Mac side:
Log into Mac as Local Admin and open Terminal:
Log into Mac as AD user and open Terminal:
On agent versions 5.2.1 and below - the certs should now show up in the ~/.centrify/ directory. On agent versions 5.2.2 and above - as part of a security enhancement, the user certs will now only download when the AD user logs in via the GUI login window. This means that after running the GP update, have the AD user log out and log back in to immediately retrieve their user certs. Additionally - only the .cert file will appear in the ~/.centrify/ directory; the .key and .chain files are no longer used in the latest versions.
ls -l ~/.centrify/
You can also check the Keychain Access login keychain for the certificate:
As mentioned in Step 3 of the Mac-side steps above - as of version 5.2.2 - user certificates are now only enrolled when a user does a Connected login from the GUI login screen.
This means remote users who initially do an offline cached login, and then go into Connected mode AFTER they are already logged in (i.e. VPN users) will not see their user certs at login.
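As an added example (not part of the original article), the following shell functions check the Mac-side results described above: whether the agent is in Connected mode, whether a .cert file has landed in ~/.centrify/, and whether the login keychain holds any certificates. The `adinfo --mode` and `security find-certificate` invocations are assumed to behave as shown and are not named by the article; the directory argument lets the file check run against any directory.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the Centrify
# `adinfo --mode` command prints "connected"/"disconnected" and that the
# macOS `security` tool is present; both are skipped when missing.

# check_cert_dir DIR: returns 0 when at least one .cert file is in DIR,
# 1 otherwise. Also flags .key/.chain files, which agents 5.2.2+ no
# longer write, so their presence points at leftovers from an older agent.
check_cert_dir() {
    dir="$1"
    found=1
    for f in "$dir"/*.cert; do
        [ -f "$f" ] || continue
        echo "enrolled: $f"
        found=0
    done
    for f in "$dir"/*.key "$dir"/*.chain; do
        [ -f "$f" ] && echo "note: $f is from an older agent (unused by 5.2.2+)"
    done
    [ "$found" -eq 0 ] || echo "no .cert file in $dir"
    return "$found"
}

# agent_mode: prints "connected", "disconnected" or "unknown" (adinfo absent).
agent_mode() {
    if command -v adinfo >/dev/null 2>&1; then
        adinfo --mode 2>/dev/null | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# keychain_cert_count: number of certificates in the login keychain, or "n/a"
# when the macOS security tool is not available (e.g. on a non-Mac host).
keychain_cert_count() {
    command -v security >/dev/null 2>&1 || { echo "n/a"; return 0; }
    security find-certificate -a -p login.keychain 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# main: run the three checks and explain a missing cert when the agent is
# disconnected, which is the cached-login case described in the article.
main() {
    mode=$(agent_mode)
    echo "agent mode: $mode"
    if ! check_cert_dir "$HOME/.centrify"; then
        [ "$mode" = "disconnected" ] && \
            echo "hint: certs enroll only on a Connected GUI login; reconnect, then log out and back in"
    fi
    echo "login keychain certificates: $(keychain_cert_count)"
    return 0
}

main
```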
For remote users, use the following sequence:
Do a cached login into the Mac
Bring the Centrify agent into Connected mode
Open Terminal and run the commands exactly as shown: