
KB-6333: Group Policy does not update System default certificate and CRL store that cURL uses

Centrify DirectControl

23 February, 16 at 07:40 PM

Applies to:

Centrify DirectControl 5.2.3 on All Versions of RedHat Enterprise Linux


CA root certificates pushed via GPO are copied to the folder /var/centrify/net/certs/, but the certificates are not appended to the system bundle file /etc/pki/tls/certs/ca-bundle.crt.

Running the curl command then produces the following error:

[root@centrify /]# curl
curl: (77) error setting certificate verify locations:
CAfile: /usr/share/centrifydc/certs/ca-certs.crt
CApath: none


Centrify's distribution of cURL in version 5.2.3 and earlier references a non-standard CA store (/usr/share/centrifydc/certs/ca-certs.crt) instead of the system default CA store.

On RHEL, cURL is built by default to use the CA bundle path /etc/pki/tls/certs/ca-bundle.crt, unless it was built with a different path via the '--with-ca-bundle' option. This matches the default for OpenSSL.

When curl is run without the --cacert option, the GPO-pushed CA root certificate is not present in the default ca-bundle.crt, so SSL verification fails.


Apply '' patch attached to this KB

This patch contains the modified version of and the curl wrapper script, that will append the CA root certificate to the system default store. (/etc/pki/tls/certs/ca-bundle.crt)

After unzipping the package, please:
  1. copy the to /usr/share/centrifydc/mappers/machine/
  2. copy the curl to /usr/share/centrifydc/bin/

To apply the changes immediately:
  • Run '/usr/bin/adgpupdate'

To verify:
  • Check /etc/pki/ca-trust/source/anchors/ to list the files. The pushed GPO trusted certificates are named as trust_*.cert.
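The check above can be automated. The following shell script is an added example, not part of this KB or of Centrify's patch: it compares the PEM body of every certificate in a directory (for example the GPO-pushed trust_*.cert files) against the system bundle that cURL reads, and prints the names of any certificates that are still missing from the bundle. It needs only awk and grep, no openssl. The directory and bundle paths are arguments; the sample data is constructed and contains no real certificates.

```shell
#!/bin/sh
# Added example (not Centrify's code): report GPO-pushed CA certificates that
# are absent from the system CA bundle cURL uses on RHEL. Certificates are
# compared on their base64 PEM body with whitespace removed, so a bundle that
# wraps lines differently still matches.

# pem_bodies FILE: print one line per PEM certificate in FILE, holding the
# base64 body with all whitespace stripped.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock                         { gsub(/[[:space:]]/, ""); body = body $0 }
    ' "$1"
}

# missing_from_bundle CERT_DIR BUNDLE: print the file names in CERT_DIR whose
# certificate does not appear in BUNDLE (one name per line, directory order).
missing_from_bundle() {
    dir=$1; bundle=$2
    bundle_bodies=$(pem_bodies "$bundle")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for body in $(pem_bodies "$f"); do
            # -x: match the whole line, -F: literal string, no regex
            if ! printf '%s\n' "$bundle_bodies" | grep -qxF "$body"; then
                printf '%s\n' "${f##*/}"
                break
            fi
        done
    done
}

# make_sample: constructed test data (dummy base64 bodies, not real certs).
# trust_root1.cert is in the bundle, trust_root2.cert is not.
make_sample() {
    tmp=$(mktemp -d); mkdir -p "$tmp/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVG' \
        '-----END CERTIFICATE-----' > "$tmp/certs/trust_root1.cert"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'WFlaMTIz' \
        '-----END CERTIFICATE-----' > "$tmp/certs/trust_root2.cert"
    cat "$tmp/certs/trust_root1.cert" > "$tmp/ca-bundle.crt"
    printf '%s\n' "$tmp"
}

# On a RHEL host the real check would be:
#   missing_from_bundle /var/centrify/net/certs /etc/pki/tls/certs/ca-bundle.crt
```

An empty result means every pushed certificate is already in the bundle; any name printed is a certificate cURL will not trust until the bundle is rebuilt.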


This is fixed in version 5.3.0 of Centrify DirectControl (Suite 2016)


There are a few limitations with this workaround and fix:
  1. Centrify only supports /etc/pki/tls/certs/ca-bundle.crt as the default system store location. For a cURL that is pre-built with a location other than the default, users should pass --cacert <path-to-store> to override it when invoking cURL.
  2. For openssl s_client, the -CAfile option will need to be used to point to the default store, /etc/pki/tls/certs/ca-bundle.crt. This limitation comes from the openssl s_client command itself.
