KB-5926: Auto-enrolled certificates not including private key in Keychain

Centrify Identity Service, Mac Edition

12 April, 16 at 10:57 AM

Applies to: Centrify Identity Service with Mac versions 5.2.3 and 5.2.4

Problem:

Machine certificates have been configured according to the KB below and appear to be enrolling into the Keychain correctly.
However, upon closer inspection, it was discovered that the private key is not installed with the certificate.

This is causing issues for some third-party Wi-Fi or VPN clients which require the presence of a certificate with the private key.
Previous versions of the Centrify agent were able to import the certificate with the private key.
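A quick way to confirm this symptom from the command line, as an added example that is not part of the original KB: `security find-identity` lists only certificate/private-key pairs, so a certificate that appears in `security find-certificate -a` but not in `find-identity` is exactly the broken state described above. The keychain path and host names are assumed example values; the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the KB. `security find-identity` lists only
# certificate + private-key pairs (identities); `security find-certificate`
# lists certificates whether or not a key is present. A certificate that shows
# up in the second listing but not the first is the symptom described above.
# Assumed values: the System keychain path and the host names are examples.

KEYCHAIN=/Library/Keychains/System.keychain

# Print "paired", "cert-only" or "absent" for certificate label $1, given
# $2 = output of `security find-certificate -a` and $3 = output of
# `security find-identity -v`. Exit status is 0 only when a key is paired.
classify_cert() {
  name=$1; certs=$2; ids=$3
  if printf '%s\n' "$ids" | grep -q ") [0-9A-F]\{40\} \"$name\""; then
    echo paired; return 0
  elif printf '%s\n' "$certs" | grep -q "\"labl\"<blob>=\"$name\""; then
    echo cert-only; return 1
  else
    echo absent; return 2
  fi
}

# Constructed sample listings in the format the two commands print; mac01 was
# enrolled without its key (the KB's symptom), mac02 with it.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "mac02.example.com"
     1 valid identities found'
SAMPLE_CERTS='keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="mac01.example.com"
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="mac02.example.com"'

# Same check against the live System keychain; needs macOS (security(1)).
check_live() {
  command -v security >/dev/null 2>&1 || { echo "security(1) not found"; return 3; }
  classify_cert "$1" "$(security find-certificate -a "$KEYCHAIN")" \
                     "$(security find-identity -v "$KEYCHAIN")"
}

for n in mac01.example.com mac02.example.com mac03.example.com; do
  printf '%s: %s\n' "$n" "$(classify_cert "$n" "$SAMPLE_CERTS" "$SAMPLE_IDENTITIES")"
done
```

On a Mac, `check_live "<certificate label>"` runs the same classification against the real System keychain; a `cert-only` result after a Group Policy refresh means the workarounds below still need to be applied.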


Cause:

A new feature was introduced in version 5.2.3 to toggle the private key in auto-enrolled certificates to either be extractable or non-extractable via Group Policy:
  • Computer Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy Settings / Public Key Policies / "Do not allow private key to be extractable"
  • User Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy Settings / Public Key Policies / "Do not allow private key to be extractable"
However, it was found that if these GPs are not enabled for their corresponding certificates, then their private keys are not imported at all.


Workaround:

Option 1:
  • Enable the following GP:
    • Computer Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy / Public Key Policies / "Store private and public key in Keychain only"
  • This will allow each auto-enrolled certificate to be paired with its corresponding private key and stored directly in the Keychain.
  • If the file-based certificate and key objects are not being used, then it is recommended to always enable this policy, as it also offers enhanced security by not storing the certificates as actual files on the system.


Option 2:
  • Enable the following GP:
    • Computer Configuration / Centrify Settings / Mac OS X Settings / Security & Privacy Settings / Public Key Policies / "Do not allow private key to be extractable"
  • Any existing certificates in the Keychain will need to be deleted out and then re-imported via a Group Policy refresh to be imported with the new settings.
  • This policy does mean the private keys will not be exportable, but be aware that they will still be deletable.


Option 3:
  • It has been noticed that if the 802.1x GPs are in use, then the certificates will be imported with their private keys.
  • A "dummy" 802.1x profile can therefore be created by enabling the GP at:
    • Computer Configuration / Centrify Settings / Mac OS X Settings / 802.1x Settings / "Enable Machine Ethernet Profile"
  • Insert the Certificate Template Name (not the Certificate Display Name) of the machine certificate into this box and deploy the GP.
  • After a Group Policy refresh on the Mac system, a second certificate will be loaded with the private key intact.
  • Using this method will create an 802.1x Ethernet Profile in the network settings, but it can safely be ignored if only the certificate in the Keychain is needed.


Resolution:

This issue has been fixed in Centrify Suite 2016.
