
KB-7973: How to configure Linux machine trusted certificate chain to perform enrollment for Centrify Agent

Privileged Access Service

6 January,17 at 09:21 AM

Applies to Centrify Privilege Service

How to configure Linux machine's trusted certificate chain to perform enrollment for Centrify Agent?
  1. Add the root CA certificate to the trusted certificate chain in Linux
             a. Copy the saved root CA certificate to the Linux machine

             Note 1: If the default certificates installed with Centrify Identity Platform are being used, please place the root CA certificate from the location below onto the Linux machine instead:
                         C:\<Centrify Identity Platform installation location>\config\root_ca_public_certificate
             Note 2: If using a custom certificate, please check KB-7871 on how to configure and export the custom certificates for Centrify Identity Platform.
             b. On the Linux box, run the following command to convert the certificate to .pem format:
                    #openssl x509 -inform der -in <rootca>.cer -out <rootca>.pem
             c. Run the commands below for your platform to update the trusted certificate store:

                      -  RHEL/Centos/Oracle Linux 6 or above:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract

                      -  Amazon Linux:
                         #cp <rootca>.pem /etc/pki/ca-trust/source/anchors/
                         #update-ca-trust enable
                         #update-ca-trust extract
              Note: If Centrify DirectControl Agent is also installed, run "adgpupdate" instead of performing the above steps; it imports the root CA certificate into the system's default trusted CA chain location. When using the Centrify Identity Platform root CA certificate, please import the certificate using the Group Policy below:
                        Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

                      - Ubuntu:
                         #sudo cp <rootca>.pem /usr/local/share/ca-certificates/<rootca>.crt
                         #sudo update-ca-certificates

                      - SUSE:
                         #sudo cp <rootca>.pem /etc/pki/trust/anchors/
                         #sudo update-ca-certificates
  2. Use the Centrify Agent (available in 16.11 or above) to enroll the Linux machine:
  • Download the Centrify Agent and install it on the Linux machine
  • Run the command below to enroll (for details, see the help page of the cenroll command)
                #cenroll -u <user> -a <ip of the host> -t <tenant url>
               Note: If you have Centrify Toolkit installed (to be deprecated in 16.12), please check KB-7968 for reference.
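
An added example, not part of the original Centrify article: a shell helper (hypothetically named check_root_ca) that performs the conversion from step 1b and confirms the result is a self-issued, unexpired CA certificate before it is copied into a trust anchor directory. It prints the SHA-256 fingerprint so it can be compared with the certificate on the Centrify Identity Platform server.

```shell
# Added example: check_root_ca is a hypothetical helper, not a Centrify tool.
# usage: check_root_ca <rootca>.cer <rootca>.pem
# Prints the SHA-256 fingerprint on success; returns 1-5 on failure.
check_root_ca() {
    der=$1
    pem=$2

    # Step 1b: convert to PEM. Fails if the input is not a parseable certificate.
    openssl x509 -inform der -in "$der" -out "$pem" 2>/dev/null || {
        echo "error: $der could not be read as a certificate" >&2; return 1; }

    # A root trust anchor is self-issued: subject and issuer names hash the same.
    subj=$(openssl x509 -in "$pem" -noout -subject_hash)
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash)
    [ "$subj" = "$iss" ] || {
        echo "error: not self-issued (intermediate or host certificate?)" >&2; return 2; }

    # It must be flagged as a CA in basicConstraints.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || {
        echo "error: basicConstraints does not say CA:TRUE" >&2; return 3; }

    # Its signature must verify under its own public key.
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 || {
        echo "error: self-signature does not verify" >&2; return 4; }

    # Refuse a certificate that is expired or expires within 24 hours.
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null || {
        echo "error: certificate is expired or about to expire" >&2; return 5; }

    # Fingerprint to compare out-of-band with the server's copy.
    openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run it as `check_root_ca <rootca>.cer <rootca>.pem` and continue with step 1c only if it exits 0 and the fingerprint matches the one shown for the certificate on the server.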

For instructions on updating the host certificate for Centrify Identity Platform, please check KB-7991
For instructions on configuring the self-signed certificate for Centrify Identity Platform, please check KB-7871