Node self enrollment

With self enrollment, you use the chef-node-enrollment-cli CLI to enroll your nodes with Chef 360 Platform. The CLI registers the node and sets up all the required binaries on the node.

Self enrollment fully enrolls nodes.

Requirements

  • You need an application key and its signed-config file from Chef 360 Platform.
  • You need access to the chef-node-enrollment-cli CLI on the node you want to enroll.

Enroll nodes

To use self enrollment, the chef-node-enrollment-cli CLI requires an application key’s signed config file.

Self enroll scenarios

The following scenarios are supported for self enrollment:

  • The application key has cohort as “*”:
    • With self-signed tenant certificates
    • With public tenant certificates
  • The application key has cohort as a UUID:
    • With self-signed tenant certificates
    • With public tenant certificates

Note

You must include rootCA bundles in the system when you use certificates with the tenant setup. Chef 360 Platform supports only setups with certificates that include a rootCA.

Enroll Linux nodes

To enroll your Linux nodes, select one of the scripts based on your scenario and execute it on your node. Execute these commands as a root user.

# Code for Cohort:'*' with self-signed certs
# -k (curl) and --insecure (CLI) skip TLS certificate verification for the self-signed tenant certificate.
export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
export COHORT_ID="<COHORT_ID>"
echo "Running: node enrollment"
# Quote the variable so the shell does not glob-expand a cohort value of '*'.
chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure

# Code for Cohort:'*' with public certs and http
# -k is omitted here: a public certificate validates against the system trust store.
export SERVER="<SERVER_FQDN>"
curl -s "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
export COHORT_ID="<COHORT_ID>"
echo "Running: node enrollment"
# Quote the variable so the shell does not glob-expand a cohort value of '*'.
chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

# Code for Cohort: UUID with self-signed certs
# -k (curl) and --insecure (CLI) skip TLS certificate verification for the self-signed tenant certificate.
export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure

# Code for Cohort: UUID with public certs and http
# -k is omitted here: a public certificate validates against the system trust store.
export SERVER="<SERVER_FQDN>"
curl -s "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

Replace the following in the scripts above:

  • <SERVER_FQDN>: Enter the fully qualified domain name of your Chef 360 Platform Server with protocol.
  • <COHORT_ID>: Enter the Cohort ID for your self node enrollment. Only use this variable in scripts where you see export COHORT_ID or the --cohortId flag. If the script doesn’t include these, you don’t need to specify a Cohort ID.
  • <SIGNED_CONFIG_FILE_CONTENTS>: Paste the contents of your signed-config file (provided when you rotate your application key) between the quotes. This file contains the configuration required for node enrollment.
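
The scripts above pipe the installer straight into a root shell, and the self-signed variants skip TLS verification with -k. As an added example (not from the Chef 360 documentation), the following verifies the download before running it. It assumes an HTTPS server, a hypothetical CA_BUNDLE path to your tenant root CA, and a hypothetical EXPECTED_SHA256 digest recorded from a trusted copy of install.sh.

```bash
#!/usr/bin/env bash
# Added example: download install.sh, verify it, and only then execute it.
# CA_BUNDLE and EXPECTED_SHA256 are hypothetical inputs obtained out-of-band;
# they are not defined by the Chef 360 documentation.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file is non-empty and matches the pinned digest.
verify_installer() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -s "$file" ] || { echo "installer missing or empty: $file" >&2; return 1; }
  actual="$(sha256_of "$file")" || return 1
  [ "$actual" = "$expected" ] && return 0
  echo "digest mismatch for $file: got $actual" >&2
  return 1
}

# Download over HTTPS only, validating the server against the tenant root CA
# instead of disabling verification with -k.
fetch_installer() {
  local server="$1" ca_bundle="$2" out="$3"
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
    --cacert "$ca_bundle" -o "$out" \
    "$server/platform/bundledtools/v1/static/install.sh"
}

# Fetch, verify, then run with the same variables the page passes to bash.
install_enrollment_cli() {
  local server="$1" ca_bundle="$2" expected="$3" tmp rc
  tmp="$(mktemp)" || return 1
  fetch_installer "$server" "$ca_bundle" "$tmp" &&
    verify_installer "$tmp" "$expected" &&
    TOOL="chef-node-enrollment-cli" SERVER="$server" VERSION="latest" bash "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (run as root, values are placeholders):
#   install_enrollment_cli "<SERVER_FQDN>" "$CA_BUNDLE" "$EXPECTED_SHA256"
```

Refresh the pinned digest whenever the platform is upgraded, since install.sh may change between releases.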

Enroll Windows nodes

To enroll your Windows nodes, select the script that matches your scenario and run it on your node. Execute these commands in PowerShell with administrator privileges.

# Code for Cohort:'*' with self-signed certs
# TrustAllCertsPolicy accepts any server certificate; it is used here only because the tenant certificate is self-signed.
$code= @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii
# Set CohortId
$COHORT_ID="<COHORT_ID>"
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure

# Code for Cohort:'*' with public certs and http
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii
# Set CohortId
$COHORT_ID="<COHORT_ID>"
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"

# Code for Cohort: UUID with self-signed certs
# TrustAllCertsPolicy accepts any server certificate; it is used here only because the tenant certificate is self-signed.
$code= @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure

# Code for Cohort: UUID with public certs and http
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"

Replace the following in the scripts above:

  • <SERVER_FQDN>: Enter the fully qualified domain name of your Chef 360 Platform server with protocol.
  • <COHORT_ID>: Enter the Cohort ID for your self node enrollment. Only use this variable in scripts where you see $COHORT_ID or the --cohortId flag. If the script doesn’t include these, you don’t need to specify a Cohort ID.
  • <SIGNED_CONFIG_FILE_CONTENTS>: Paste the contents of your signed-config file (provided when you rotate your application key) between the quotes. This file contains the configuration required for node enrollment.

Note

To enroll nodes at scale using the self-enrollment feature, you can integrate the provided script into your provisioning workflow—whether as part of a startup routine, a golden image, or a configuration management process. Each node can securely identify itself and register with Chef 360 Platform automatically, without requiring manual steps. This method is ideal for dynamic or large-scale environments where automation, consistency, and scalability are essential.

Approve nodes after enrollment

If you set the approvalNeeded flag to true in your cohort, nodes enrolled in that cohort will have an enrollment level of waiting-for-approval. To admit these nodes, you need to approve them manually.

To manually approve a node, use the chef-node-management-cli management node approve-node command:

chef-node-management-cli management node approve-node \
  --nodeId <NODE_ID> \
  --profile <NODE_MANAGER_PROFILE_NAME>

After you approve the node, its enrollment level changes to admitted. Within a few minutes, the agent will retry, assign the correct roles to the node, and complete the enrollment process.
