Use the vascert command line utility to configure a user for Certificate Autoenrollment. The user must be an Active Directory user. Certificate Autoenrollment is not supported for local users. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.
NOTE: macOS: Certificate Autoenrollment will run automatically when users log in based on the /Library/LaunchAgents/com.quest.qcert.UserApply.plist file. You can change this behavior by modifying this file.
To configure a user for Certificate Autoenrollment
- As root (or using sudo), run the following command to configure a user for Certificate Autoenrollment:
/opt/quest/bin/vascert server add -u <username> -r <policy server URL>
Substitute the actual HTTP URL of your certificate enrollment policy server, for example:
https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
NOTE: You can configure more than one certificate enrollment policy server. Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.
Normally Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to manually trigger Certificate Autoenrollment processing for the machine. This will result in certificates being added to the System.keychain according to enrollment policy. You can schedule this command to run periodically if desired.
To manually trigger Certificate Autoenrollment
- As root (or using sudo), run the following command to manually trigger Certificate Autoenrollment:
/opt/quest/bin/vascert trigger
Certificate Autoenrollment will proceed in the background. When complete, newly enrolled certificates will be installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root.
To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions to some of the common errors, and methods for finding and correcting configuration problems.
As mentioned in the Certificate Autoenrollment on UNIX and Linux section, some important Certificate Autoenrollment commands, such as vascert pulse, will NOT work until the necessary platform-specific functionality has been implemented in certstore-DEV.sh. For more information on modifying certstore-DEV.sh and a simple example script, see the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article.
Until the certstore-DEV.sh script is modified, running vascert pulse fails with the following error:
$ vascert pulse
vascert: One Identity Certificate Autoenrollment version 1.1.0.750
Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED.
Processing enrollment policy: dc1.domain.com
Process exited with an error (Exit value: 1), command was: [/var/opt/quest/vascert/script/certstore.sh, export-machine-certs, /tmp/6353628018779558796pk12, mdzDFXBD7znDYDO8B]
The output shows which script vascert ran and the parameters passed to the script. As previously mentioned, on all platforms other than macOS certstore.sh calls certstore-DEV.sh. In the example above, certstore.sh calls into the exportMachineCerts function of certstore-DEV.sh. By default, that function only exits with status 1, indicating an error, as shown here:
exportMachineCerts()
{
    # Placeholder shipped with the product: prints a marker and fails until replaced
    echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="
    exit 1
}
See the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article for a deeper understanding of that function, its expected parameters, and an example of using it. As long as that function returns 1, autoenrollment stops at this point and vascert does not enroll for a new certificate. Because this is the first step of many, see the KB article for the other functions that need to be modified and examples of how to do so.
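The following is an added example, not part of this page or of One Identity's certstore-DEV.sh, of what a working exportMachineCerts could look like on a Linux host that keeps its machine certificate and private key as PEM files. It assumes that the two arguments shown after export-machine-certs in the pulse output (the PKCS#12 output path and the export password) reach the function as $1 and $2, that the store lives in a hypothetical CERT_DIR, and that a host with no certificate enrolled yet is not an error; confirm each of these against KB article 284711 before adopting it.

```shell
#!/bin/sh
# Added example: candidate exportMachineCerts for certstore-DEV.sh on Linux.
# Assumptions (not from the product documentation, verify against KB 284711):
#   $1 = PKCS#12 output path, $2 = export password, both forwarded by certstore.sh;
#   no machine certificate yet means "nothing to export", so return 0.

CERT_DIR="${CERT_DIR:-/etc/pki/machine}"   # hypothetical location of the machine cert/key

exportMachineCerts()
{
    out="$1"
    pass="$2"
    if [ -z "$out" ] || [ -z "$pass" ]; then
        echo "exportMachineCerts: usage: <pkcs12 path> <password>" >&2
        return 1
    fi
    cert="$CERT_DIR/machine.crt"
    key="$CERT_DIR/machine.key"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        # Nothing enrolled yet: write no file and report success so vascert can
        # continue to the first enrollment (assumption, see lead-in).
        return 0
    fi
    # Hand the password to openssl through the environment rather than on its
    # command line, so it is not visible to other local users in ps output.
    PKCS12_PASS="$pass" openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -out "$out" -passout env:PKCS12_PASS || return 1
    # The bundle holds the private key: restrict it to the owner (root under vascert).
    chmod 600 "$out" || return 1
    return 0
}
```

Drop the function into certstore-DEV.sh in place of the placeholder, then rerun vascert pulse as root: the "Process exited with an error" line for export-machine-certs should disappear once the function returns 0.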