Question

Computer cert being auto deleted from keychain

  • October 27, 2021
  • 5 replies
  • 56 views


When binding Macs to our domain we will import a computer cert so that the user's Mac will be able to connect to our VPN and Enterprise Connect (can't do so without this cert). I have a user who is having this cert get auto removed from keychain, thus making him unable to connect to internal resources when working remotely. The cert that we import comes from our CA and is verified upon being imported.

My question is, is there a way I can look and see how/why this cert was removed?

5 replies

  • Valued Contributor
  • October 27, 2021

What is the scoping you're using for the configuration profile that has the AD certificate payload? I ran into this early on: if the machine fell out of scope and the profile was removed, it removed the cert too.


  • Author
  • New Contributor
  • October 27, 2021

Scope is set to all computers. I even double checked the expiration date and it is set to 3/2025. 


szultzie
  • Valued Contributor
  • May 25, 2022

I'm seeing the same issue in our environment. @DEllis05 have you had any luck finding the cause, and a solution?


  • New Contributor
  • July 9, 2024

We have the same problem in our environment. We also use the AD certificate payload. Sometimes the AD certificate as well as the configuration profile gets deleted. We have observed this problem whether the configuration profile is pushed via MDM features or installed manually. The protocol used by our CA server is RPC. Have you managed to resolve this issue?

Sylvain


Jack-AT
  • New Contributor
  • November 20, 2025

Hello
I think I was able to identify the likely cause. A few devices removed their certificates from the keychain after I changed the scope a few days ago. The new smart group adds all devices whose device name matches a specific pattern and that do not have a certificate starting with a defined name. I have now removed this scope, so this behavior should stop. I will update you as soon as I have the results.

Best
Jack
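
As an added example (not code from this thread, from Jamf or from Apple), here is one way to answer the original question of when and why the cert disappeared: a script run periodically on the Mac that logs whether the AD-issued cert and the profile carrying it are still present, and, once the cert is gone, appends the recent mdmclient log lines so a profile removal (the out-of-scope case the replies describe) sits next to the finding. The certificate CN, profile identifier, log path and the log predicate wording are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the thread): on each run, record whether the AD-issued
# computer certificate and the profile that delivers it are still present, and,
# once the cert is gone, keep the recent mdmclient log next to that finding.
# Run it periodically (Jamf policy or launchd) so the log shows when it vanished.
CERT_CN="${CERT_CN:-PLACEHOLDER-COMPUTER-CERT-CN}"          # assumption: the cert's CN
PROFILE_ID="${PROFILE_ID:-com.example.placeholder.adcert}"  # assumption: profile identifier
WATCH_LOG="${WATCH_LOG:-/var/log/adcert-watch.log}"         # assumption: where to log

# Count PEM certificates on stdin (the -p output of `security find-certificate`).
count_pem() { grep -c -e '-----BEGIN CERTIFICATE-----' || true; }

# Number of certs with this CN in the System keychain (0 when none).
cert_count() {
  security find-certificate -a -c "$1" -p /Library/Keychains/System.keychain 2>/dev/null | count_pem
}

# Succeeds when a configuration profile with this identifier is installed.
profile_installed() {
  profiles -P 2>/dev/null | grep -q -- "$1"
}

# One compact status line from the two observations: cert count and profile check status.
status_line() {
  if [ "$1" -gt 0 ]; then c=present; else c=MISSING; fi
  if [ "$2" -eq 0 ]; then p=present; else p=MISSING; fi
  printf 'cert=%s(%s) profile=%s\n' "$c" "$1" "$p"
}

main() {
  n=$(cert_count "$CERT_CN")
  if profile_installed "$PROFILE_ID"; then prc=0; else prc=1; fi
  printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$(status_line "$n" "$prc")" | tee -a "$WATCH_LOG"
  # A profile removal (machine dropped out of scope, as the replies describe) is
  # logged by mdmclient; the predicate wording is an assumption to adjust per OS version.
  if [ "$n" -eq 0 ]; then
    log show --last 1h --style syslog \
      --predicate 'process == "mdmclient" AND eventMessage CONTAINS[c] "profile"' >>"$WATCH_LOG" 2>&1
  fi
}

# Only meaningful on macOS; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ]; then main; fi
```

Diffing consecutive lines of the watch log gives the first run at which the cert was missing, and the mdmclient entries appended at that point show whether the profile was removed at the same time.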