Node self enrollment
Node self enrollment is a client-side enrollment method that allows nodes to register themselves with Chef 360 Platform. This method works well for environments that follow zero trust principles or manage dynamic infrastructure like autoscaling cloud nodes. Self enrollment doesn’t require open ports or pre-established connections, making it both secure and flexible.
Self enrollment fully enrolls nodes.
Enroll nodes at scale
You can integrate the self-enrollment scripts into your provisioning workflow for large-scale deployments. Use the script as part of a startup routine, golden image, or configuration management process. Each node can securely identify itself and register with Chef 360 Platform automatically without manual steps. This approach works well for dynamic or large-scale environments where automation, consistency, and scalability are essential.
Node self enrollment steps
To enroll nodes with self enrollment, follow these steps:
- If you don’t already have one, create an application key and signed config file. They allow the node to enroll with Chef 360 Platform.
- Enroll the node.
- If the cohort requires it, approve nodes after enrollment.
Enroll nodes
Understand self enrollment scenarios
The enrollment scripts below enroll nodes in the following scenarios:
The cohort that the node is enrolled into is defined:
- by the application key stored on Chef 360 Platform
- in the PowerShell or Shell script executed on the node
Chef 360 Platform is configured with the following gateway certificate methods:
- Disabled (http)
- System generated (self-signed certificate)
- Custom certificate (self-signed or public certificate)
Enroll Linux nodes
To enroll your Linux nodes, select the script below that matches your application key and gateway certificate method and execute it on your node. Execute these commands as a root user.
- Cohort defined in shell script, 360 Platform authenticates with self-signed certificate
This script enrolls Linux nodes into a cohort that’s defined in the script by its UUID and with Chef 360 Platform configured to authenticate with a self-signed certificate.
```bash
######
# Script enrolls nodes in cohort defined in script and authenticates with Chef 360 Platform using self-signed certs
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
# - `<COHORT_ID>` with the Cohort ID for your self node enrollment.
######

export SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
# curl -k skips TLS certificate verification for this download.
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -

# Write the signed config file that is passed to the CLI with --sign-config-file.
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

export COHORT_ID="<COHORT_ID>"

echo "Running: node enrollment"
if [[ "$SERVER" =~ :[0-9]+$ ]]; then
  # SERVER already ends with an explicit port.
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
else
  # First attempt: output is discarded and a failure is ignored.
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure > /dev/null || true
  # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
  export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
  if [[ "$SERVER" == https* ]]; then
    sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
  else
    sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
  fi
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
fi
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<COHORT_ID>`: with the Cohort ID for your self node enrollment.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined in shell script, 360 Platform uses http or authenticates with public certificate
This script enrolls Linux nodes into a cohort that’s defined in the script by its UUID and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.
```bash
######
# Script enrolls nodes in cohort defined in script and authenticates with Chef 360 Platform using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
# - `<COHORT_ID>` with the Cohort ID for your self node enrollment.
######

export SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
# curl -k skips TLS certificate verification for this download.
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -

# Write the signed config file that is passed to the CLI with --sign-config-file.
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

export COHORT_ID="<COHORT_ID>"

echo "Running: node enrollment"
if [[ "$SERVER" =~ :[0-9]+$ ]]; then
  # SERVER already ends with an explicit port.
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
else
  # First attempt: output is discarded and a failure is ignored.
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt > /dev/null || true
  # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
  export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
  if [[ "$SERVER" == https* ]]; then
    sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
  else
    sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
  fi
  chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
fi
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<COHORT_ID>`: with the Cohort ID for your self node enrollment.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined by application key, 360 Platform authenticates with self-signed certificate
This script enrolls Linux nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a self-signed certificate.
```bash
######
# Script enrolls nodes in cohort defined by application key and authenticates with Chef 360 Platform using self-signed certs
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
######

export SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
# curl -k skips TLS certificate verification for this download.
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -

# Write the signed config file that is passed to the CLI with --sign-config-file.
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

echo "Running: node enrollment"
if [[ "$SERVER" =~ :[0-9]+$ ]]; then
  # SERVER already ends with an explicit port.
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
else
  # First attempt: output is discarded and a failure is ignored.
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure > /dev/null || true
  # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
  export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
  if [[ "$SERVER" == https* ]]; then
    sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
  else
    sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
  fi
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
fi
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined by application key, 360 Platform uses http or authenticates with public certificate
This script enrolls Linux nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.
```bash
######
# Script enrolls nodes in cohort defined by application key and authenticates with Chef 360 Platform using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
######

export SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
# curl -k skips TLS certificate verification for this download.
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -

# Write the signed config file that is passed to the CLI with --sign-config-file.
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

echo "Running: node enrollment"
if [[ "$SERVER" =~ :[0-9]+$ ]]; then
  # SERVER already ends with an explicit port.
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
else
  # First attempt: output is discarded and a failure is ignored.
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt > /dev/null || true
  # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
  export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
  if [[ "$SERVER" == https* ]]; then
    sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
  else
    sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
  fi
  chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
fi
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
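The checks below are an added example, not part of the Chef 360 scripts: before a provisioning job runs one of the Linux scripts above, they confirm that the placeholders were replaced, write the signed config with owner-only permissions, and download `install.sh` with certificate verification against a CA file instead of `curl -k`. The function names, the `ALLOW_HTTP` switch and the CA bundle argument are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values the Linux enrollment scripts use.
# Function names, ALLOW_HTTP and the CA bundle argument are assumptions for this sketch.

NL='
'

# SERVER must be scheme://host[:port] with the placeholder replaced.
# Plain http is refused unless ALLOW_HTTP=1 is set explicitly.
validate_server() {
  case "$1" in
    ''|*'<'*|*'>'*|*"$NL"*)
      echo "SERVER is empty, multi-line or still a placeholder" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?$' || {
    echo "SERVER must look like https://host or https://host:port" >&2; return 1; }
  case "$1" in
    http://*) [ "${ALLOW_HTTP:-0}" = "1" ] || {
      echo "plain http refused; set ALLOW_HTTP=1 to allow it" >&2; return 1; } ;;
  esac
  return 0
}

# COHORT_ID must be a UUID (the scripts identify the cohort by its UUID).
validate_cohort_id() {
  case "$1" in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# Write the signed config so that only the owner can read it (mode 0600).
write_signed_config() {  # $1 = contents, $2 = destination file
  case "$1" in
    ''|*'<SIGNED_CONFIG_FILE_CONTENTS>'*)
      echo "signed config placeholder not replaced" >&2; return 1 ;;
  esac
  ( umask 077 && printf '%s\n' "$1" > "$2" ) && chmod 600 "$2"
}

# Download install.sh to a file, verifying the gateway certificate against a
# CA bundle instead of using curl -k. The file can be inspected before it runs.
fetch_installer() {  # $1 = server, $2 = CA bundle (PEM), $3 = output file
  validate_server "$1" || return 1
  [ -r "$2" ] || { echo "CA bundle not readable: $2" >&2; return 1; }
  curl --fail --silent --show-error --cacert "$2" -o "$3" \
    "$1/platform/bundledtools/v1/static/install.sh"
}

# Usage sketch (the CA path is a constructed placeholder):
#   validate_server "$SERVER" && validate_cohort_id "$COHORT_ID" || exit 1
#   fetch_installer "$SERVER" /etc/ssl/chef360-gateway-ca.pem /tmp/install.sh || exit 1
#   TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash /tmp/install.sh
```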
Enroll Windows nodes
To enroll your Windows nodes, select the script below that matches your application key and gateway certificate method and execute it on your node. Execute these commands in PowerShell with administrator privileges.
- Cohort defined in PowerShell script, 360 Platform authenticates with self-signed certificate
This script enrolls Windows nodes into a cohort that’s defined in the PowerShell script by its UUID and with Chef 360 Platform configured to authenticate with a self-signed certificate.
```powershell
<#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using self-signed certificate authentication.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <COHORT_ID>: The UUID of the cohort for self node enrollment
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file
#>

# Accept any server certificate in this session: the policy below always returns true.
$code= @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13

$SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression

# Write the signed config file that is passed to the CLI with --sign-config-file.
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii

# Set CohortId
$COHORT_ID="<COHORT_ID>"

Write-Host "Running: node enrollment"
if ($SERVER -match ":\d+$") {
    # SERVER already ends with an explicit port.
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
} else {
    # First attempt: all output is discarded.
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure *> $null
    # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
}
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<COHORT_ID>`: with the Cohort ID for your self node enrollment.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined in PowerShell script, 360 Platform uses http or authenticates with public certificate
This script enrolls Windows nodes into a cohort that’s defined in the PowerShell script by its UUID and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.
```powershell
<#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using UUID-based enrollment with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <COHORT_ID>: The UUID of the cohort for self node enrollment
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file
#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13

$SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression

# Write the signed config file that is passed to the CLI with --sign-config-file.
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii

# Set CohortId
$COHORT_ID="<COHORT_ID>"

Write-Host "Running: node enrollment"
if ($SERVER -match ":\d+$") {
    # SERVER already ends with an explicit port.
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
} else {
    # First attempt: all output is discarded.
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" *> $null
    # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
}
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<COHORT_ID>`: with the Cohort ID for your self node enrollment.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined in application key, 360 Platform authenticates with self-signed cert
This script enrolls Windows nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a self-signed certificate.
```powershell
<#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using application key authentication with self-signed certificate support.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file
#>

# Accept any server certificate in this session: the policy below always returns true.
$code= @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13

$SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression

# Write the signed config file that is passed to the CLI with --sign-config-file.
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii

Write-Host "Running: node enrollment"
if ($SERVER -match ":\d+$") {
    # SERVER already ends with an explicit port.
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
} else {
    # First attempt: all output is discarded.
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure *> $null
    # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
}
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
- Cohort defined in application key, 360 Platform uses http or authenticates with public certificate
This script enrolls Windows nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.
```powershell
<#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using application key authentication with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file
#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13

$SERVER="<SERVER_FQDN>"
# Download and run the installer for chef-node-enrollment-cli.
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression

# Write the signed config file that is passed to the CLI with --sign-config-file.
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" -Encoding ascii

Write-Host "Running: node enrollment"
if ($SERVER -match ":\d+$") {
    # SERVER already ends with an explicit port.
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
} else {
    # First attempt: all output is discarded.
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" *> $null
    # Append the default port to the server URL in node-enrollment-details.yml, then enroll again.
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
}
```
Replace the following:
- `<SERVER_FQDN>`: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
- `<SIGNED_CONFIG_FILE_CONTENTS>`: with the contents of your signed config file.
Manually approve nodes after enrollment
If you set the `approvalNeeded` flag to `true` in your cohort, enrolled nodes will have an enrollment level of `waiting-for-approval`.
You must approve these nodes manually before they can complete enrollment.
To approve a node manually, run the `chef-node-management-cli management node approve-node` command:
```bash
chef-node-management-cli management node approve-node \
  --nodeId <NODE_ID> \
  --profile <NODE_MANAGER_PROFILE_NAME>
```
After you approve the node, its enrollment level changes to admitted. Within a few minutes, the agent will retry, assign the correct roles to the node, and complete the enrollment process.