Normally Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to manually trigger Certificate Autoenrollment processing for the machine. This will result in certificates being added to the System.keychain according to enrollment policy. You can schedule this command to run periodically if desired.
To manually trigger Certificate Autoenrollment
-
As root (or using sudo), run the following command to manually trigger Certificate Autoenrollment:
/opt/quest/bin/vascert trigger
Certificate Autoenrollment will proceed in the background. When complete, newly enrolled certificates will be installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root.
To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions to some of the common errors, and methods for finding and correcting configuration problems.
As mentioned in the Certificate Autoenrollment on macOS section, some important Certification Autoenrollment commands, such as vascert pulse, will NOT work until the necessary platform-specific functionality has been implemented in certstore-DEV.sh. For more information on modifying certstore-DEV.sh and a simple example script, see the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article.
Until the certstore-DEV.sh script is modified, the following issues will happen when running vascert pulse:
<VASCERT PULSE COMMAND>
$ vascert pulse
vascert: One Identity Certificate Autoenrollment version 1.1.0.750
Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED.
Processing enrollment policy: dc1.domain.com
Process exited with an error (Exit value: 1), command was: [/var/opt/quest/vascert/script/certstore.sh, export-machine-certs, /tmp/6353628018779558796pk12, mdzDFXBD7znDYDO8B]
</VASCERT PULSE COMMAND>
The output shows which script vascert ran and the parameters passed to the script. As previously mentioned, certstore.sh calls (on all platforms other than macOS) certstore-DEV.sh. In the example above, certstore.sh calls into certstore-DEV.sh's exportMachineCerts function. By default, that function only returns a 1 indicating an error as shown here:
exportMachineCerts()
{
echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="
exit 1
}
See the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article for a deeper understanding of that function, expected parameters, and an example for using that function. As long as that function returns '1', autoenrollment will cease at this point and vascert will not enroll for a new certificate. Because this is the first step of many, see the KB article for other functions that need to be modified and examples on how to do so.
You can enable full debug logging for all Certificate Autoenrollment components using the vascert command line utility.
If debug logging is configured, Group Policy extensions, the vascert tool, and launchd write log files in /Library/Preferences/com.quest.X509Enrollment/log for machine enrollment and ~/Library/Preferences/com.quest.X509Enrollment/log for user enrollment. You can enable debug logging for all of these components.
To enable debug logging
-
As root, run the following command to configure debug logging for all users:
/opt/quest/bin/vascert configure debug
-
To configure debug logging for a specific user, log in as that user and run the same command.
NOTE: Enabling debug logging causes the vascert command to write debug messages to a file in addition to stdout. Even after you enable debug logging, you must set the debug level using the -d command line option when running vascert commands manually.
-
When you are finished debugging, run the following command as root to turn off debug logging for all users. One Identity recommends that you turn off debug logging to improve performance and conserve disk space.
/opt/quest/bin/vascert unconfigure debug
- To turn off debug logging for a specific user, log in as that user and run the same command.