Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8491: Add root certificates in Linux/Unix without using GP for MFA

Authentication Service ,  

20 September,18 at 04:56 PM

How to:

How can one add a certificate to Linux/Unix without using Group Policy?

Steps:

Export the certificate:
1. Select the trusted root certificate you downloaded, right-click, then click Open.
2. Click the Details tab and click Copy to file to start the Certificate Export Wizard, then click Next.
3. Select DER encoded binary X.509 (.CER) as the file format, then click Next and Save the certificate. 

Move the certificate to the server:
4. Place the certificate in /var/centrify/net/certs/ on the local Linux/Unix server.

Version 5.4.2 and greater:
 5. Edit /etc/centrifydc/centrifydc.conf
 6. To add certificates:
Add name/s of cert/s to: gp.mappers.certgp.pl.additional.cafiles: sample.cer
   To exclude certificates:
Add name/s of cert/s to: gp.mappers.certgp.pl.exclude.cacerts: sample.cer
 7. Run adreload and adgpupdate

Version 5.4.1 and below:
Replace and edit certgp.pl:
5. Replace /usr/share/centrifydc/mappers/machine/certgp.pl with the patched one attached to this KB. If you make a backup ensure its in a different location. If this is in the same location this will break and not work.
6. Edit certgp.pl - change test.cert to the name of your cert from step 4.
my @additional_certs = (
"test.cert",
);
7. Make sure the script is executable: 
chmod 755 certgp.pl

Update and Verify:
7. adgpupdate
8. Verify Cert is in /var/centrify/net/certs/ with symbolic links created.

Additionally:
One can exclude certain certificates using the certificates fingerprint. Change the following in certgp.pl:
my @excluded_cert_fingerprints = (
#"8317DBD51291437B7F378E55DCB73E086D03A4C6",
#"D53BD95928D5FEB3761E845DF90BE4571E760B7E",
);
Attachments:
test.certgp.pl

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7393: How to configure the updated 2016.1 DirectControl agent to support MFA over HTTPS to the Cloud Connector articleKB-6642: Getting started with 802.1X for Mac - Configuration Overview articleKB-3925: How to add Centrify parameter to a group policy articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-8961: MFA with DirectControl fails after upgrading to 5.4.1 or greater articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-7934: How to import IWA root certificate manually to enable Windows MFA