Use the vascert command line utility to manually perform Certificate Autoenrollment.
To perform Certificate Autoenrollment processing manually
- Decide whether you want to pulse Certificate Autoenrollment for the machine or a specific user.
-
To pulse Certificate Autoenrollment for the machine, run the following command as root (or using sudo):
/opt/quest/bin/vascert pulse
NOTE: To pulse certificate enrollment for the machine, you must run the command with root privileges. This is mostly useful for troubleshooting. In some cases (such as when logging in by means of SSH), this will not result in successful certificate enrollment because the System.keychain cannot export existing private keys required for certificate renewal processing. If you just want to run Certificate Autoenrollment processing for the machine and you are not interested in the output, use vascert trigger instead.
-
To pulse Certificate Autoenrollment for a specific user, log in as that user and run the following command:
/opt/quest/bin/vascert pulse
NOTE: Use the GUI to log in as the user. This ensures that the user's keychain is unlocked so that enrolled certificates can be exported and imported. Logging in by other means, such as SSH, is generally not sufficient and may lead to errors when the certstore-mac.sh script invokes the /usr/bin/security tool.
If you are using One Identity Authentication Services 4.1 (or later), Certificate Autoenrollment is configured automatically by Group Policy. Use the vgptool command line utility to manually apply Group Policy.
To manually apply Group Policy
-
Decide whether you want to apply machine policy or user policy.
NOTE: Machine policy affects the entire system; User policy only affects the specified user.
-
To apply machine policy, enter the following command as root (or using sudo):
/opt/quest/bin/vgptool apply
The terminal displays policy processing results.
-
To apply user policy, enter the following command as root (or using sudo):
/opt/quest/bin/vgptool apply -u <username>
The terminal displays policy processing results.
vascert is the Certificate Autoenrollment command line tool for certificate enrollment. With vascert you can configure various aspects of Certificate Autoenrollment. You can manually trigger certificate enrollment processing. vascert is also helpful for troubleshooting various network and authentication problems that may occur.
This command reference details the command line usage for vascert.
Related Topics
vascert command reference
vascert commands and arguments
vascert is the Certificate Autoenrollment processor.
Synopsis
vascert [-d <debug level [1-6]>] [-b] [-h <command>] <command [command options]>
Overview
vascert is the Certificate Autoenrollment processor for Unix clients.
Commands
To run vascert, specify one or more general options, then specify a specific command which may have further options and arguments.
Table 3: vascert commands
|
clean |
Clears certificate enrollment state information. |
|
configure |
Allows you to configure Certificate Autoenrollment settings. |
|
importca |
Imports trusted root CA certificates based on policy. |
|
info |
Dumps the contents of a policy template. |
|
list |
Lists all configured policy template names. |
|
pulse |
Performs Certificate Autoenrollment processing. |
|
renew |
Renews an existing certificate based on a policy template. |
|
server |
Manages local policy server configuration. |
|
trigger |
Triggers machine-based Certificate Autoenrollment policy processing. |
|
unconfigure |
Allows you to un-configure Certificate Autoenrollment settings. |
Common options
The following options can be passed to all vascert commands. Specify these options before the command name.
[-d <debug level [1-6]> ]
Prints additional information according to debug level, higher debug level prints more output.
[-b]
Do not display banner text.
[-h <command>]
Display help for a particular command.
Related Topics
vascert commands and arguments
