Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8742: Smartcard Error: This certificate (or its chain) is not valid

22 May,17 at 10:49 PM

Applies to: Centrify Direct Control version 5.1 and greater on Red Hat Linux (32- or 64-bit) version 5.6 or later running the GNOME desktop.

When attempting to use a smartcard to login to a Centrified Linux system the following error is received:

This certificate (or its chain) is not valid

The user is able to successfully log-in using a smartcard on Windows. How can we address this for Linux?

This error message indicates there are missing certificates on the Linux machine for the smartcard in use. 

It is best practice, if new smart card certs are going to be added or renewed in AD, to complete the following:

  1. Remove the /etc/pam_pkcs11/cacerts directory
  2. Run 'adgpupdate' to get all the new certs links updated in the /etc/pam_pkcs11/cacerts directory.
If there are still missing certs or are still receive the same error message the adgpupdate may be timing out before it can finish. One may adjust the group policy timeout for to suite their environment. 
  1. time /usr/share/centrifydc/mappers/machine/ map force
  2. Edit the following value in /etc/centrifydc/centrifydc.conf: gp.mappers.timeout to be that of a larger number then the results of the time command.  Default timeout value is 30 seconds.
  3. Adreload
  4. Adgpupdate.
There is a corresponding Centrify Group Policy, it is a Computer GP called “Set group policy mapper execution timeout” located under: Centrify Settings / DirectControl Settings / Group Policy Settings.

For reference: