802.1x certs not renewing

AVmcclint
Honored Contributor

Almost a year ago we implemented 802.1x wifi authentication NOT using Active Directory certs. The certificates all issue properly and work just fine with our WiFi authentication.

After we deployed the profiles and issued certs, I made sure this was set:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

Now that we are approaching the 1 year expiration of some of the first Macs to test this, we are expecting their certs to automatically renew, but they are not. I have a Mac with a computer cert expiration of Feb 9 - well within the default 14 day window for renewing - but it isn't renewing. Keychain Access still indicates that it expires Feb 9. There are no duplicate certs that would indicate a renewal. The Profiles system preferences does not have a renew or update button for the 802.1x profile. Here is what happens when I try to renew it manually with the profiles command:

profiles -verbose renew -type configuration -identifier CORRECT-PROFILE-IDENTIFIER-STRING

profiles: verbose mode ON
profiles: invalid option -- b
profiles: error: unknown argument passed in
fail
profiles: invalid option -- t
profiles: error: unknown argument passed in
fail
profiles: invalid option -- y
profiles: error: unknown argument passed in
fail
profiles: invalid option -- n
profiles: error: unknown argument passed in
fail
profiles: invalid option -- t
profiles: error: unknown argument passed in
fail
Error: You must provide an action. Use 'profiles help' for help, or use the man page.
profiles: returned error: 6
fail

I've looked through the man and help page but I cannot figure this out. The earliest cert expiration is Feb 9, with a handful of testers shortly after that, then the general population. I'm running out of time. Does anyone have any tips on figuring this out?
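Since the thread's only visibility into renewal is opening Keychain Access by hand, here is an added example (not from the original post or from Apple) of a small POSIX shell script that flags certificates inside the 14-day renewal window the post refers to. It relies on `openssl x509 -checkend`, which exits non-zero when a certificate will expire within the given number of seconds, and on macOS it can dump the System keychain with `security find-certificate -a -p` (the keychain path and the assumption that the 802.1x computer cert lives there are mine; a user-level 802.1x cert would be in that user's login keychain instead). Function names are my own.

```shell
#!/bin/sh
# Added example: report certificates that should already be in the MDM
# auto-renew window. Nothing here renews anything; it only reports.

WINDOW_DAYS="${WINDOW_DAYS:-14}"   # assumed default renewal window from the post

# cert_expires_within PEM_FILE DAYS
# Returns 0 when the certificate expires within DAYS days (renewal is due),
# 1 when it is still valid beyond the window, 2 when the file is not a cert.
cert_expires_within() {
    pem="$1"
    days="$2"
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
        return 1   # checkend succeeds only if the cert outlives the window
    fi
    return 0
}

# cert_summary PEM_FILE -> one line with subject and notAfter
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1" | tr '\n' ' '
}

# scan_system_keychain DAYS  (macOS only)
# Dumps every cert in the System keychain as PEM, splits them into files
# and prints a RENEW_DUE line for each one inside the window.
scan_system_keychain() {
    days="$1"
    tmp=$(mktemp -d)
    security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null \
        | awk -v dir="$tmp" '/BEGIN CERTIFICATE/ {n++} {print > (dir "/cert" n ".pem")}'
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$days"; then
            printf 'RENEW_DUE %s\n' "$(cert_summary "$f")"
        fi
    done
    rm -rf "$tmp"
}

# Run the scan only when invoked directly with --scan, e.g.
#   sudo sh check_renewal.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_system_keychain "$WINDOW_DAYS"
fi
```

Running it daily (for example from a LaunchDaemon or an MDM policy) on the test Macs would show when each cert enters the window and whether a fresh one appears beside it, which is the evidence needed before opening a case with the MDM vendor.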

5 REPLIES

AVmcclint
Honored Contributor

Turns out the -verbose argument on the profiles command was causing some of the problems, but it still won't renew.

% sudo profiles renew -type configuration -identifier CORRECT-PROFILE-IDENTIFIER-STRING 
Password:
{
    Changes =     (
    );
}
certificate renewal for profile: 'CORRECT-PROFILE-IDENTIFIER-STRING' returned 0 ((null))


AVmcclint
Honored Contributor

My initial test Mac did eventually renew with about 5 days to go before it completely expired. That is cutting it too close for comfort if you ask me. I have another bunch of test Macs about to expire in a week and none of them have renewed yet. According to Apple's documentation, they should start attempting to renew at 14 days before expiration, but I'm not seeing that happen at all. These Macs are mostly running Monterey with I think 1 or 2 running Ventura. Does anyone have any tips for either forcing them to renew or at least pointing me to the log that will tell me why they aren't renewing?

mike_blasberg
New Contributor

Out of curiosity, did your Macs renew? Also, what CA are you utilizing?

AVmcclint
Honored Contributor

Our Macs are automatically renewing now on day 9 or 10 before expiration. So far they've all been successful when they cross that threshold and are online. We're using an internal CA, but from what I can tell there is nothing on the CA that is restricting it to the 9 or 10 day limit.

charliwest
Contributor II

Out of interest, there is a renew option built into the SCEP payload, is that not an option for some reason for you?