Automatically renewing SCEP certificates.

glutz
New Contributor III

This is a hidden feature that was worked in last summer, but currently, if you do not include CN=$PROFILE_IDENTIFIER in the subject name for the certificate, your certificate will expire and never renew. When you add CN=$PROFILE_IDENTIFIER to the subject name and then click on General mandatory, you will have an option that appears below the Level computer/user drop-down: "Redeploy Profile". This is how frequently it will redeploy the profile, which will delete the existing certificate and deliver a new certificate.

One thing to consider is that, in our environment, you have to be on the network to see our CA. So I have our profile scoped to all computers, but they have to be on networks that have access to the CA. This way, if they do not have access to the network, it doesn't remove the certificate, leaving the user unable to connect to our VPN solution.


glutz
New Contributor III

Just as a side note: if you would like to still control the name of the cert and the private key, you can use CN more than once in the subject name.

Example:
CN=<mycertname>,CN=$PROFILE_IDENTIFIER,CN=<myprivatekeyname>,O=<myorgname>

It has to be in this order or it will give you a random number for the cert or the key.
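The two rules stated in this thread (the original post's point that CN=$PROFILE_IDENTIFIER must be present or the certificate is never renewed, and the reply's point that the CN before it names the cert and the CN after it names the private key) are easy to get wrong when typing a subject into a SCEP payload. The following is an added example, not code from the thread or from Jamf: a small checker that parses a subject string and reports whether it will renew and which names it will produce. The function names are my own; the $PROFILE_IDENTIFIER and $COMPUTERNAME variables are the Jamf payload variables quoted in the thread.

```python
# Added example (not from the original thread): lint a Jamf SCEP payload subject
# string against the two rules the thread describes.
from typing import Dict, List, Optional, Tuple

PROFILE_VAR = "$PROFILE_IDENTIFIER"  # Jamf payload variable quoted in the thread


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, CN=b, O=c' into [('CN','a'), ('CN','b'), ('O','c')].

    Whitespace around the commas is ignored, matching the form used in the
    replies ("CN=$COMPUTERNAME, CN=$PROFILE_IDENTIFIER, ...").
    """
    rdns: List[Tuple[str, str]] = []
    for part in subject.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_subject(subject: str) -> Dict[str, object]:
    """Report renewability and the cert/key names implied by the CN order.

    Rule 1 (original post): without CN=$PROFILE_IDENTIFIER the certificate
    expires and is never renewed.
    Rule 2 (reply): the CN immediately before $PROFILE_IDENTIFIER names the
    cert, the CN immediately after it names the private key; if either is
    missing, the thread reports that a random number is used instead.
    """
    cns = [value for attr, value in parse_subject(subject) if attr == "CN"]
    result: Dict[str, object] = {
        "renewable": PROFILE_VAR in cns,
        "cert_name": None,
        "key_name": None,
        "warnings": [],
    }
    warnings: List[str] = result["warnings"]  # type: ignore[assignment]
    if not result["renewable"]:
        warnings.append(f"no CN={PROFILE_VAR}: certificate will expire and never renew")
        return result

    idx = cns.index(PROFILE_VAR)
    cert_name: Optional[str] = cns[idx - 1] if idx > 0 else None
    key_name: Optional[str] = cns[idx + 1] if idx + 1 < len(cns) else None
    result["cert_name"] = cert_name
    result["key_name"] = key_name
    if cert_name is None:
        warnings.append(f"no CN before {PROFILE_VAR}: cert name will be a random number")
    if key_name is None:
        warnings.append(f"no CN after {PROFILE_VAR}: private key name will be a random number")
    return result


if __name__ == "__main__":
    # Constructed sample subjects: the reply's template, the working string
    # from the thread, and a subject that forgets the renewal variable.
    for s in (
        "CN=mycert,CN=$PROFILE_IDENTIFIER,CN=mykey,O=myorg",
        "CN=$COMPUTERNAME, CN=$PROFILE_IDENTIFIER, CN=MYCOMPANY, CN=COM",
        "CN=mycert,O=myorg",
    ):
        print(s, "->", check_subject(s))
```

Run it against the subject you intend to paste into the payload before scoping the profile; a non-empty warnings list means the certificate either will not renew or will come back with a randomly named cert or key.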

wangl2
Contributor

Hi Glutz,
I have tested your theory and it works! Thank you very much for sharing. I have used "CN=$COMPUTERNAME, CN=$PROFILE_IDENTIFIER, CN=MYCOMPANY, CN=COM" and it returned a valid certificate from my SCEP. My next question is what to use for iOS? I tried different variables for iPad and none of them seems to work.
Do you have an email address I can contact?
Thank you very much!

glutz
New Contributor III

Update. This is no longer needed when upgrading to JSS version 9. It is a built in function.