Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7973: How to configure Linux machine trusted certificate chain to perform enrollment for Centrify Agent

Privileged Access Service ,  

6 January,17 at 09:21 AM

Applies to Centrify Privilege Service
 
Question:

How to configure Linux machine's trusted certificate chain to perform enrollment for Centrify Agent?
 
Answer:
  1. Add the Root CA certificate as trusted certificate chain in Linux
             a. Place the saved Root CA certificate to Linux machines 

             Note 1: If the default certificates installed with Centrify Identity Platform are being used, please place the root CA certificate from the below location onto Linux machine instead:
                         C:\<Centrify Identity Platform installation location>\config\root_ca_public_certificate
 
             Note 2: If using custom certificate, please check KB-7871 on how to configure and export the custom certificates for Centrify Identity Platform.
 
             b. On the Linux box, run the following command to change the certificate format into .pem format:
                    #openssl x509 –inform der –in <rootca>.cer –out <rootca>.pem
 
             c. Run the commands below based on different platform to update the trust certificate: 

                      -  RHEL/Centos/Oracle Linux 6 or above:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract
                         #update-ca-trust

                      -  Amazon Linux:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract
                         #update-ca-trust
 
              Note: If Centrify DirectControl Agent is also installed, run “adgpupdate” instead of performing the above steps and it will import the root CA certificate to the default location of trusted CA chain of systems. When using Centrify Identity Platform root CA certificate, please import the certificate using the Group Policy below:
                        Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

                      - Ubuntu:
                         #sudo cp <rootca>.pem /usr/local/share/ca-certificates/<rootca>.crt
                         #update-ca-certificates

                      - SUSE:
                         #sudo cp <rootca>.pem /etc/pki/trust/anchors/
                         #sudo update-ca-certificates
   
       2. Using Centrify Agent (available 16.11 or above) to enroll the Linux machine:
  • Download the Centrify Agent and install it on Linux machine
  • Run the command below to enroll (for details please check for the help page of the command cenroll)
             Example:
                #cenroll -u <user> -a <ip of the host> -t <tenant url>
 
               Note: If you are have Centrify Toolkit installed (to be deprecated in 16.12), please check KB-7968 for reference.

For instructions on updating the host certificate for Centrify Identity Platform, please check KB-7991
For instructions on configuring the self-signed certificate for Centrify Identity Platform, please check KB-7871
 

Related Articles

 article[Howto] Spotting and Remediating issues with PKI Trust on MFA (UNIX/Linux/Windows) or Enrollment articleCentrify Agent for Windows™ Deployment Options - Introduction articleKB-12215: How to silently install the Centrify Agent for Windows™ using Group Policies for MFA and Enrollment articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleCentrify 18.8 Release Notes articleCentrify 20.7 Release Notes articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)