
Safeguard Authentication Services 6.0.1 - Administration Guide


Using Certificate Autoenrollment

Certificate Autoenrollment is an automatic process that runs as needed on client systems according to Group Policy, or according to manual configuration if you are not using Group Policy. Certificate Autoenrollment typically requires no user interaction. After Certificate Autoenrollment is complete, certificates appear in the user's keychain for user-based enrollment or in the system keychain for machine-based enrollment.

Certificate Autoenrollment runs when:

  • A user logs in

  • Group Policy machine processing occurs (at machine startup and periodically thereafter)

  • vascert trigger runs manually (for machine-based enrollment)

If Group Policy is in use and a Certificate Services Client - Auto-Enrollment Group Policy indicates that Certificate Autoenrollment should occur, then the Certificate Autoenrollment client runs. The Certificate Autoenrollment client then downloads and evaluates Certificate Autoenrollment policy and uses this information to determine whether any certificates should be enrolled.

The following sections explain how to manually configure Certificate Autoenrollment if you are not using Group Policy. In most cases you will use the /opt/quest/bin/vascert command, the Certificate Autoenrollment processor for UNIX and Mac clients.

Configuring Certificate Autoenrollment manually

Once Certificate Autoenrollment is installed, you must configure your machine to use it. If you are using One Identity Safeguard Authentication Services with Group Policy, then skip the manual configuration described in this section as Group Policy performs these tasks automatically.

NOTE: macOS: Group Policy functionality is not available when used with the Apple Directory Services plug-in. When Group Policy is not available, you must manually configure certificate enrollment policy servers and schedule machine certificate enrollment to run on an interval if desired.

Related Topics

Configure a machine for Certificate Autoenrollment

Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Configure a machine for Certificate Autoenrollment

Use the vascert command line utility to configure your machine for Certificate Autoenrollment. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.

NOTE: Unless you are using Group Policy, machine processing must be triggered manually using the vascert trigger command. You can schedule this command to run at an interval.

To configure your machine for Certificate Autoenrollment

  1. Log in as a root user or using sudo.

  2. To configure a machine for Certificate Autoenrollment, run the following command:

    /opt/quest/bin/vascert server add -r <policy-server-URL>

    In this command, <policy-server-URL> is the actual HTTP URL for your certificate enrollment policy server, for example:

    https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

    NOTE: You can configure more than one certificate enrollment policy server. If you do so, Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.

Configure a user for Certificate Autoenrollment

Use the vascert command line utility to configure a user for Certificate Autoenrollment. The user must be an Active Directory user. Certificate Autoenrollment is not supported for local users. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.

NOTE: macOS: Certificate Autoenrollment will run automatically when users log in based on the /Library/LaunchAgents/com.quest.qcert.UserApply.plist file. You can change this behavior by modifying this file.

To configure a user for Certificate Autoenrollment

  1. Log in as a root user or using sudo.

  2. To configure a user for Certificate Autoenrollment, run the following command:

    /opt/quest/bin/vascert server add -u <username> -r <policy-server-URL>

    In this command, <policy-server-URL> is the actual HTTP URL for your certificate enrollment policy server, for example:

    https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

    NOTE: You can configure more than one certificate enrollment policy server. If you do so, Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.
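The two procedures above (machine and user configuration) and the note about scheduling vascert trigger, as an added shell example that is not part of the One Identity guide. It assumes vascert at /opt/quest/bin/vascert with the server add -r, server add -u and trigger subcommands shown on this page; the HTTPS-only URL check, the cron schedule and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the One Identity guide): validate a certificate
# enrollment policy server URL, register it with vascert for the machine or
# for an AD user, and schedule 'vascert trigger' through cron for machine
# enrollment. vascert path and subcommands follow the guide; the URL check,
# cron interval and DRY_RUN switch are assumptions made for this example.
VASCERT="${VASCERT:-/opt/quest/bin/vascert}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only an HTTPS URL ending in the CEP endpoint path shown in the guide;
# plain http would fetch enrollment policy over an unprotected channel.
validate_policy_url() {
    case "$1" in
        https://*/ADPolicyProvider_CEP_Kerberos/service.svc/CEP) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the vascert command that registers a policy server.
# With a second argument (AD username) the server is added for that user.
build_server_add_cmd() {
    validate_policy_url "$1" || return 1
    if [ -n "$2" ]; then
        printf '%s server add -u %s -r %s\n' "$VASCERT" "$2" "$1"
    else
        printf '%s server add -r %s\n' "$VASCERT" "$1"
    fi
}

# Crontab line running machine enrollment every N hours (assumed schedule).
build_trigger_cron_line() {
    printf '0 */%s * * * %s trigger\n' "${1:-8}" "$VASCERT"
}

run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'would run: %s\n' "$1"; else sh -c "$1"; fi
}

# Usage: sh configure-autoenroll.sh <policy-server-URL> [username]
if [ -n "$1" ]; then
    cmd=$(build_server_add_cmd "$1" "$2") || { echo "rejected URL: $1" >&2; exit 1; }
    run_cmd "$cmd"
    if [ -z "$2" ]; then
        # Append the trigger job to the existing root crontab rather than replacing it.
        run_cmd "( crontab -l 2>/dev/null; printf '%s\n' '$(build_trigger_cron_line 8)' ) | crontab -"
    fi
fi
```

Run it as root with DRY_RUN=1 first to see the exact commands before anything is written to crontab.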
