Use the vascert command line utility to configure your machine for Certificate Autoenrollment. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.
NOTE: Unless you are using Group Policy, machine processing must be triggered manually using the vascert trigger command. You can schedule this command to run at an interval.
 
To configure your machine for Certificate Autoenrollment
- Log in as a root user or using sudo.
- Run the following command, where <policy-server-URL> is the URL of your certificate enrollment policy server (HTTPS in the example below):
  /opt/quest/bin/vascert server add -r <policy-server-URL>
  For example:
  /opt/quest/bin/vascert server add -r https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
NOTE: You can configure more than one certificate enrollment policy server. If you do so, Certificate Autoenrollment chooses the most appropriate server automatically when performing certificate enrollment.

Use the vascert command line utility to configure a user for Certificate Autoenrollment. The user must be an Active Directory user. Certificate Autoenrollment is not supported for local users. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.
NOTE: Certificate Autoenrollment will run automatically when users log in based on the /Library/LaunchAgents/com.quest.qcert.UserApply.plist file. You can change this behavior by modifying this file.
 
To configure a user for Certificate Autoenrollment
- Log in as a root user or using sudo.
- Run the following command, where <username> is the Active Directory user and <policy-server-URL> is the URL of your certificate enrollment policy server (HTTPS in the example below):
  /opt/quest/bin/vascert server add -u <username> -r <policy-server-URL>
  For example:
  /opt/quest/bin/vascert server add -u <username> -r https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
NOTE: You can configure more than one certificate enrollment policy server. If you do so, Certificate Autoenrollment chooses the most appropriate server automatically when performing certificate enrollment.

Normally Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to manually trigger Certificate Autoenrollment processing for the machine. This will result in certificates being added to the System.keychain according to enrollment policy. You can schedule this command to run periodically if desired.
To manually trigger Certificate Autoenrollment
- Log in as a root user or using sudo.
- Run the following command:
  /opt/quest/bin/vascert trigger
 
Certificate Autoenrollment will proceed in the background. When complete, newly enrolled certificates will be installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root.
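The following shell script is an added example, not One Identity's code. It wraps the three vascert commands documented above (registering a policy server for the machine, registering one for an Active Directory user, and triggering machine processing) and generates a launchd job that runs vascert trigger on a schedule, which is the usual way to run it at an interval on macOS when Group Policy is not in use. The job label com.example.vascert-trigger, the 4-hour default interval, the DRY_RUN switch, and the refusal of non-HTTPS policy server URLs are this script's own assumptions; the page only says the URL must be that of your policy server.

```shell
#!/bin/sh
# Added example (not One Identity's code). Wraps the vascert commands on this
# page and emits a launchd plist that runs "vascert trigger" periodically.
# Assumptions not taken from the page: the job label, the interval, the
# DRY_RUN switch, and the HTTPS-only policy server check.

VASCERT=/opt/quest/bin/vascert
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

# Run a command, or print it when DRY_RUN=1 or vascert is not installed.
run() {
    if [ "$DRY_RUN" = 1 ] || [ ! -x "$VASCERT" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if the URL is an HTTPS URL with a path, 1 otherwise.
# The page's example endpoint is https://.../ADPolicyProvider_CEP_Kerberos/service.svc/CEP.
# Rejecting plain http is this script's own policy: enrollment policy fetched
# over cleartext could be altered in transit.
valid_policy_url() {
    case "$1" in
        https://*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Register a policy server for the machine (no user) or for an AD user.
# usage: add_policy_server URL [USERNAME]
add_policy_server() {
    url=$1
    user=${2:-}
    if ! valid_policy_url "$url"; then
        echo "refusing non-HTTPS policy server URL: $url" >&2
        return 1
    fi
    if [ -n "$user" ]; then
        run "$VASCERT" server add -u "$user" -r "$url"
    else
        run "$VASCERT" server add -r "$url"
    fi
}

# Trigger machine processing now (must run as root, as the page states).
trigger_now() {
    run "$VASCERT" trigger
}

# Emit a LaunchDaemon plist that runs "vascert trigger" every INTERVAL seconds
# (default 4 hours). LaunchDaemons run as root. Install it as root, e.g.
#   trigger_plist > /Library/LaunchDaemons/com.example.vascert-trigger.plist
#   launchctl load /Library/LaunchDaemons/com.example.vascert-trigger.plist
trigger_plist() {
    interval=${1:-14400}
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.vascert-trigger</string>
    <key>ProgramArguments</key>
    <array>
        <string>$VASCERT</string>
        <string>trigger</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>$interval</integer>
</dict>
</plist>
EOF
}
```

With DRY_RUN=1 the script only prints the vascert invocations, which is a convenient way to review what will be registered before running it as root on a domain-joined Mac. After the daemon has fired, vascert pulse (run as root) is the page's recommended way to check whether enrollment succeeded.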
 
To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions for common errors, and methods for finding and correcting configuration problems.