Wednesday, July 8, 2015

Using Centrify with the Microsoft CA and the Autoenrollment GPO for your UNIX/Linux/Mac PKI Certificate needs

Background

Active Directory provides a Public Key Infrastructure (PKI) capability through the Microsoft Certificate Authority. This is quite convenient for system administrators, especially when combined with Group Policy, since it automates the certificate lifecycle: issue, renew, revoke, supersede templates, and so on.

We've discussed this before, but Centrified clients can also take advantage of certificate auto-enrollment. Enrollment can happen automatically or be triggered manually with the adcert utility.

How it works

The process works as follows:
  1. When a system is joined to AD using Centrify, as part of the join the system will read the domain controller's SYSVOL for Group Policies.  The system may download the trust chain (containing the trusted CAs or the local root CA) and any revocation information to the /var/centrify/net/certs folder.
  2. If the auto-enrollment policy that applies to the system points to a usable template, the agent will attempt to enroll automatically when the GPO refresh interval starts.
    Note: there are different auto-enrollment GPOs depending on the version of Active Directory.
  3. The agent will use the computer's credentials with the adcert utility and connect to the CA or Intermediate CA to obtain a certificate set for autoenrollment.
  4. adcert issues a PKCS#10 request for each template for which an issuing CA is found. The certificate, the chain and the private key (if the template defines the key as exportable) are placed in the /var/centrify/net/certs folder with this naming:
    [name of template].cert
    [name of template].key
    [name of template].chain
Once the certificate is in your system, you may be able to use it as is, or you may have to change the encoding using OpenSSL tools.
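As an added example (not Centrify's code and not from the original post), this Python script audits a cert store laid out as described above: it groups the files by template name, flags files that are not PEM (the case where OpenSSL re-encoding is needed before Apache or other tools can use them) and warns when a private key file is readable beyond its owner. The sample store built in demo() is constructed, and the template names and permission policy are assumptions.

```python
# Added example (not Centrify's code): audit the files adcert writes to the
# Centrify cert store, following the <template>.cert/.key/.chain layout above.
import os
import tempfile

CERT_DIR = "/var/centrify/net/certs"   # path named in the post
SUFFIXES = ("cert", "key", "chain")    # files adcert writes per template

def detect_encoding(path):
    """'pem' (-----BEGIN banner), 'der' (ASN.1 SEQUENCE tag 0x30) or 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"-----BEGIN"):
        return "pem"
    return "der" if head[:1] == b"\x30" else "unknown"

def audit_certs(cert_dir=CERT_DIR):
    """Group files by template name; return {template: [issue strings]}."""
    templates = {}
    for name in sorted(os.listdir(cert_dir)):
        base, dot, suffix = name.rpartition(".")
        if dot and suffix in SUFFIXES:
            templates.setdefault(base, {})[suffix] = os.path.join(cert_dir, name)
    report = {}
    for tmpl, files in templates.items():
        # A missing .key is normal when the template does not mark the key exportable.
        issues = [f"missing .{s}" for s in ("cert", "chain") if s not in files]
        for suffix, path in files.items():
            enc = detect_encoding(path)
            if enc != "pem":
                issues.append(f".{suffix} is {enc}; re-encode with openssl before use")
        if "key" in files:
            mode = os.stat(files["key"]).st_mode & 0o777
            if mode & 0o077:   # private key readable beyond its owner
                issues.append(f".key mode {mode:04o} is group/world readable")
        report[tmpl] = issues
    return report

def demo():
    """Audit a constructed two-template sample store in a temp directory."""
    pem = b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
    samples = {"WebServer.cert": pem, "WebServer.chain": pem, "WebServer.key": pem,
               "Machine.cert": b"\x30\x82\x01\x00", "Machine.key": pem}  # DER cert, no chain
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "WebServer.key"), 0o600)
        os.chmod(os.path.join(root, "Machine.key"), 0o644)  # deliberately too open
        return audit_certs(root)
```

Run audit_certs() with no argument on a joined system to check the real /var/centrify/net/certs folder.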

Here are two video examples:

Using Auto-enrollment for your Apache HTTPS certs [video]

Using Auto-enrollment with Mac OS X Systems [video]
