Background
Active Directory provides a Public Key Infrastructure (PKI) capability through the Microsoft Certificate Authority. This is quite convenient for system administrators, especially when combined with Group Policy, since it allows the certificate lifecycle to be automated: issue, renew, revoke, supersede templates, etc.
We've discussed this before, but Centrified clients can also take advantage of Certificate auto-enrollment. This can happen automatically or manually using the adcert utility.
How it works?
The process works as follows:
- When a system is joined to AD using Centrify, as part of the join the system will read the domain controller's SYSVOL for Group Policies. The system may download the trust chain (containing the trusted CAs or the local root CA) and any revocation information to the /var/centrify/net/certs folder.
- If the auto-enrollment policy that applies to the system points to a usable template, the agent will attempt to enroll automatically at the next GPO refresh interval.
Note: there are different auto-enrollment GPOs depending on the version of Active Directory.
- The agent will use the computer's credentials with the adcert utility and connect to the CA or Intermediate CA to obtain the set of certificates configured for auto-enrollment.
- adcert will issue a PKCS#10 request for each template for which an issuing CA is found; the certificate, the chain and the private key (if the template defines the key as exportable) will be placed in the /var/centrify/net/certs folder using this naming format:
[name of template].cert
[name of template].key
[name of template].chain
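As an added example (not code from the original post or from Centrify), a small Python audit of the folder layout described above: it groups the files by template name, flags a template whose .cert or .chain is missing, and flags a .key that is readable by group or others. The template names used in demo() are constructed, and the script assumes the key file is expected to be owner-only.

```python
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

CERT_DIR = "/var/centrify/net/certs"    # folder the agent writes to (from the page)
EXTENSIONS = ("cert", "key", "chain")    # adcert's per-template file set

def inventory(cert_dir):
    """Group adcert output files by template name: {template: {ext: Path}}."""
    by_template = defaultdict(dict)
    for entry in Path(cert_dir).iterdir():
        name, dot, ext = entry.name.rpartition(".")
        if entry.is_file() and dot and name and ext in EXTENSIONS:
            by_template[name][ext] = entry
    return by_template

def audit(cert_dir):
    """Return (template, finding) tuples for incomplete or badly protected sets."""
    findings = []
    for template, files in sorted(inventory(cert_dir).items()):
        # .cert and .chain are always expected; .key only exists when the
        # template marks the private key exportable, so its absence is not a finding
        for ext in ("cert", "chain"):
            if ext not in files:
                findings.append((template, f"missing .{ext}"))
        key = files.get("key")
        if key is not None:
            mode = stat.S_IMODE(key.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((template, f"private key mode {mode:04o} is group/world accessible"))
            if key.stat().st_size == 0:
                findings.append((template, "private key file is empty"))
    return findings

def demo():
    """Audit a constructed sample folder (not real adcert output; template names are made up)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "CentrifyComputer.cert").write_text("placeholder cert")
    (tmp / "CentrifyComputer.chain").write_text("placeholder chain")
    (tmp / "CentrifyComputer.key").write_text("placeholder key")
    (tmp / "CentrifyComputer.key").chmod(0o600)              # owner-only: no finding
    (tmp / "WebServer.cert").write_text("placeholder cert")  # no .chain: finding
    (tmp / "WebServer.key").write_text("placeholder key")
    (tmp / "WebServer.key").chmod(0o644)                     # world-readable key: finding
    (tmp / "README.txt").write_text("unrelated file, ignored")
    return audit(tmp)

if __name__ == "__main__":
    for template, finding in audit(CERT_DIR) if Path(CERT_DIR).is_dir() else demo():
        print(f"{template}: {finding}")
```

When run on a joined system the script audits the real folder; elsewhere it falls back to the constructed sample.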
Here are two video examples: