Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7973: How to configure Linux machine trusted certificate chain to perform enrollment for Centrify Agent

Centrify Privilege Service ,  

6 January,17 at 09:21 AM

Applies to Centrify Privilege Service
 
Question:

How to configure Linux machine's trusted certificate chain to perform enrollment for Centrify Agent?
 
Answer:
  1. Add the Root CA certificate as trusted certificate chain in Linux
             a. Place the saved Root CA certificate to Linux machines 

             Note 1: If the default certificates installed with Centrify Identity Platform are being used, please place the root CA certificate from the below location onto Linux machine instead:
                         C:\<Centrify Identity Platform installation location>\config\root_ca_public_certificate
 
             Note 2: If using custom certificate, please check KB-7871 on how to configure and export the custom certificates for Centrify Identity Platform.
 
             b. On the Linux box, run the following command to change the certificate format into .pem format:
                    #openssl x509 –inform der –in <rootca>.cer –out <rootca>.pem
 
             c. Run the commands below based on different platform to update the trust certificate: 

                      -  RHEL/Centos/Oracle Linux 6 or above:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract
                         #update-ca-trust

                      -  Amazon Linux:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract
                         #update-ca-trust
 
              Note: If Centrify DirectControl Agent is also installed, run “adgpupdate” instead of performing the above steps and it will import the root CA certificate to the default location of trusted CA chain of systems. When using Centrify Identity Platform root CA certificate, please import the certificate using the Group Policy below:
                        Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

                      - Ubuntu:
                         #sudo cp <rootca>.pem /usr/local/share/ca-certificates/<rootca>.crt
                         #update-ca-certificates

                      - SUSE:
                         #sudo cp <rootca>.pem /etc/pki/trust/anchors/
                         #sudo update-ca-certificates
   
       2. Using Centrify Agent (available 16.11 or above) to enroll the Linux machine:
  • Download the Centrify Agent and install it on Linux machine
  • Run the command below to enroll (for details please check for the help page of the command cenroll)
             Example:
                #cenroll -u <user> -a <ip of the host> -t <tenant url>
 
               Note: If you are have Centrify Toolkit installed (to be deprecated in 16.12), please check KB-7968 for reference.

For instructions on updating the host certificate for Centrify Identity Platform, please check KB-7991
For instructions on configuring the self-signed certificate for Centrify Identity Platform, please check KB-7871
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7871: How to configure and export custom certificate for Centrify Agent articleKB-4275: How to setup a user-authentication certificate for auto-enrollment for Mac OS X. articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6041: How to show current license type in use by adclient? articleKB-6040: How to change the license type in use after adclient successful joined to the AD?