Question

Wifi connectivity - Multiple Trusted Certificates

  • February 19, 2026
  • 3 replies
  • 97 views

aburrow007

Due to changes being made by our network team, we’re required to deploy a new Trusted Root Certificate within our Wifi Configuration Profile. DigiCert are changing Root Certificates.

What I’m encountering is that, even though I can successfully deploy the Certificate and Trust it within the Configuration Profile, if I deploy more than one Root Certificate the Mac will not connect.

I’m hoping that I can deploy the new certificate without impacting the existing wifi connection before Networks make the backend change.

3 replies

Chubs
  • Jamf Heroes
  • February 19, 2026

Are you going from MPKI8 on DigiCert to DigiCert ONE?

We just did that not too long ago. The root certs are IDENTICAL, meaning you should be able to leave the roots and send out an issuing cert for whatever profile you have created in DC1. Are you using something like ISE too on-prem? Is it signed with DC1 or no?
 

Let me know. I’d love to help!


aburrow007
  • Author
  • Jamf Heroes
  • March 30, 2026

Chubs,

Thanks for reaching out. With the constant changes being made by the Network and Security Teams, I ultimately waited until the day of the change, grabbed the Certificate, tested and deployed it instead of pre-deploying as they did for Windows.


Chubs
  • Jamf Heroes
  • March 30, 2026

The thing is, Windows can get a new cert and apply it in rotation to your Wifi configuration.

macOS generates its certificate JIT after roots and issuing are on the device; you have to point your SCEP to the new server URL. When redeploying, that’s when the trust is chained up. We predeployed our issuing certs, as the roots were already there, and then swapped the profile over at time of change.

Glad things worked for you though!
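
An added example, not part of the thread or any poster's code: before pushing a Wi-Fi profile that carries more than one root, a quick way to see which certificate payloads the Wi-Fi payload actually anchors trust to is to read its `PayloadCertificateAnchorUUID` list out of the exported profile. The SSID, display names, UUIDs and server name below are constructed sample values.

```python
import plistlib

# Certificate payload types and the Wi-Fi payload type used in Apple configuration profiles.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}
WIFI_TYPE = "com.apple.wifi.managed"

def audit_wifi_trust(profile_bytes):
    """For each Wi-Fi payload, report which certificate payloads it anchors trust to."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    certs = {p["PayloadUUID"]: p.get("PayloadDisplayName", "?")
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    report = []
    for p in payloads:
        if p.get("PayloadType") != WIFI_TYPE:
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        report.append({
            "ssid": p.get("SSID_STR"),
            "anchored": [certs[u] for u in anchors if u in certs],     # trusted for EAP
            "dangling": [u for u in anchors if u not in certs],        # UUID with no cert payload
            "unanchored": sorted(n for u, n in certs.items() if u not in anchors),
            "server_names": eap.get("TLSTrustedServerNames", []),
        })
    return report

def _cert(uuid, name):
    # Constructed certificate payload; the content is a placeholder, not a real certificate.
    return {"PayloadType": "com.apple.security.root", "PayloadUUID": uuid,
            "PayloadDisplayName": name, "PayloadContent": b"constructed-placeholder"}

# Constructed sample profile: two roots shipped, only one referenced by the Wi-Fi payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        _cert("AAAA-OLD", "Old Root (constructed)"),
        _cert("BBBB-NEW", "New Root (constructed)"),
        {"PayloadType": WIFI_TYPE, "PayloadUUID": "CCCC-WIFI", "SSID_STR": "ExampleCorp",
         "EAPClientConfiguration": {
             "PayloadCertificateAnchorUUID": ["AAAA-OLD", "DDDD-MISSING"],
             "TLSTrustedServerNames": ["radius.example.com"]}},
    ],
})

if __name__ == "__main__":
    for entry in audit_wifi_trust(SAMPLE):
        print(entry)
```

This reads unsigned `.mobileconfig` files only; a signed profile is wrapped in CMS and has to be unwrapped before `plistlib` can parse it.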