How to configure Linux machine trusted certificate chain to perform enrollment for Centrify Agent
Applies to Centrify Privilege Service
Question:
How to configure Linux machine's trusted certificate chain to perform enrollment for Centrify Agent?
Answer:
1. Add the Root CA certificate to the trusted certificate chain in Linux:
a. Copy the saved Root CA certificate to the Linux machine.
Note 1: If the default certificates installed with Centrify Identity Platform are being used, copy the root CA certificate from the location below to the Linux machine instead: C:\<Centrify Identity Platform installation location>\config\root_ca_public_certificate
Note 2: If using a custom certificate, see KB-7871 for how to configure and export the custom certificates for Centrify Identity Platform.
b. On the Linux machine, run the following command to convert the certificate from DER to PEM format:
#openssl x509 -inform der -in <rootca>.cer -out <rootca>.pem
c. Run the commands below for your platform to update the trusted certificates:
- RHEL/CentOS/Oracle Linux 6 or above:
#cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
#update-ca-trust enable
#update-ca-trust extract
#update-ca-trust
Note: If the Centrify DirectControl Agent is also installed, run "adgpupdate" instead of performing the above steps; it imports the root CA certificate into the system's default trusted CA chain location. When using the Centrify Identity Platform root CA certificate, import the certificate using the Group Policy below:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
2. Use the Centrify Agent (available in 16.11 or above) to enroll the Linux machine:
a. Download the Centrify Agent and install it on the Linux machine.
b. Run the command below to enroll (for details, see the help page of the cenroll command).
Example: #cenroll -u <user> -a <ip of the host> -t <tenant url>
Note: If you have Centrify Toolkit installed (to be deprecated in 16.12), please check KB-7968 for reference.
For instructions on updating the host certificate for Centrify Identity Platform, please check KB-7991.
For instructions on configuring the self-signed certificate for Centrify Identity Platform, please check KB-7871.
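
Step 1 adds a new system-wide trust anchor, so it is worth confirming that the file really is the expected root CA before copying it into the anchors directory. The script below is an added example, not Centrify's own tooling: the function names are hypothetical, and the expected SHA-256 fingerprint is assumed to be obtained out of band from whoever exported the certificate.

```shell
#!/bin/sh
# Added example (not Centrify code): vet a root CA certificate before it becomes
# a system-wide trust anchor. Function names are hypothetical.

# Step b: convert DER to PEM; fails (and removes the output) if the input is not a certificate.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null || { rm -f "$2"; return 1; }
}

# SHA-256 fingerprint as bare uppercase hex (colons removed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Succeeds only for a self-issued, unexpired certificate marked CA:TRUE.
is_root_ca() {
    _subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    _iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$_subj" ] && [ "$_subj" = "$_iss" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# vet_root_ca <rootca.cer> <expected sha256> <rootca.pem>
# Returns 0 and leaves the PEM file in place only if every check passes.
# Exit codes: 2 = not a certificate, 3 = not a root CA, 4 = fingerprint mismatch.
vet_root_ca() {
    _want=$(printf '%s' "$2" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
    der_to_pem "$1" "$3" || { echo "not a DER certificate: $1" >&2; return 2; }
    if ! is_root_ca "$3"; then
        echo "not a valid self-issued CA certificate" >&2; rm -f "$3"; return 3
    fi
    _got=$(cert_fingerprint "$3")
    if [ "$_got" != "$_want" ]; then
        echo "fingerprint mismatch: got $_got" >&2; rm -f "$3"; return 4
    fi
    echo "OK: $_got"
}

# Usage on RHEL/CentOS/Oracle Linux, as root (steps b and c combined):
#   vet_root_ca rootca.cer "<fingerprint obtained out of band>" rootca.pem &&
#     cp rootca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract
```

The fingerprint may be given with or without colons and in either case; on any failed check the PEM file is removed so it cannot be installed by mistake.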