Certificate Renewal?

Not applicable

Hello my fellow JAMF gurus,

SCENARIO:
When a user in our company changes their password the wrong way, the whole keychain becomes messed up and they keep getting 'local item keychain' pop-ups when they try to open/launch an app.

Then they call us, IT guys, to fix it. What we normally do is go to the user's hidden 'Library -> Keychains' folder and clear out/delete everything in that folder. Then we restart the Mac and the user is all fixed.

The issue is that, when we clear the 'Keychains' folder, it also deletes the user's certificate, which they need to connect to our VPN and Wi-Fi.
So now, after we clear -> restart the Mac, we have to go through the whole process of creating a new certificate.

The process we use to create a new cert for the users is as follows:
open keychain.app -> keychain access -> certificate assistant -> request new certificate from CA -> fill in the info -> then it generates a code -> then we copy & paste the code into the certificate website -> then download the new cert and install it.

This also has to be done for new hires & freelancers & interns & re-images & so on...

QUESTION:
Is there any way I can create a config profile/script that I can run to automate this whole 'create a new cert' process after we clear -> restart the user's Mac?

3 REPLIES

ooshnoo
Valued Contributor

What password changing method do you consider to be the "wrong way"?

We tackled similar issues by creating a config profile installable via Self Service that reaches out to our CA and requests a cert using the SCEP protocol.

Not applicable

Well... not sure it's the wrong way, but it's not the way our company wants us to do it.
Users are supposed to wait until their passwords expire, put in a new password at login, then choose "Update Keychain",
but they sometimes choose "Create a New Keychain", which then messes everything up, and we have to do the cert process again.

What did you put in the config profile?

ooshnoo
Valued Contributor

@vferra Use the SCEP payload and fill in the appropriate variables for your environment. This would of course require your CA to support the issuance of certs via SCEP. We use a Windows 2016 CA.