Computer-level AD Certificate Auto Renewal

Kumarasinghe
Valued Contributor

We have AD Certificate Payload configured in Configuration Profiles to get the computer level AD certificates and it works fine.

Now I'm thinking about a strategy for renewal of the certs.

As far as I know, the certificate will not get renewed automatically when it is nearing expiration.

Does anyone have a workflow of getting the AD certs renewed automatically?

Thanks.


bentoms
Release Candidate Programs Tester

I think if you renew the CA cert, then any certs signed by it become signed until the CA cert expires.

(Our CA Cert expires annually).

alexjdale
Valued Contributor III

You could modify your CSR process to also write the cert issue date to a plist file as a sortable integer (yyyymmdd) and then read that into an extension attribute via an algorithm that transforms it to the number of days since the cert was issued (basically, cert age). With that, you could create a smart group/policy that automatically renews the cert of a system that is >335 days old, or something along those lines.

I am sure there is a better way to do it, but that is what I came up with off the top of my head.

lisacherie
Contributor II

You can read the expiry date similar to the following:
$ security find-certificate -c certificatename -p -Z pathtokeychain | openssl x509 -noout -enddate
notAfter=Nov 18 17:38:14 2014 GMT

Then massage the output to create an extension attribute, then a smart group for x days left.

From there I'm not quite sure the best way to have the profiles renewed. I know this will do it but it seems a sledgehammer approach. I'm working the same problem at the moment, so ideas appreciated!

jamf removemdmprofile
jamf mdm
jamf manage

alexjdale
Valued Contributor III

I like to make everything into packages, and our 802.1x provisioning package removes the old configuration profile (which removes the old cert from the keychain automatically) and then installs the new one with the new cert. That decouples your process from any proprietary JSS actions: no matter how the package gets installed, the end result is the same.

Kumarasinghe
Valued Contributor

@lisacherie

Thanks for your idea.
I have created a script which uses the command you gave and converts it to Casper time format.

What about expired certs?
If the expired cert is still in the Keychain, it will always read it instead of the new one in my testing.

lisacherie
Contributor II

If the old certificate is still in the keychain and was placed there by a profile, removing the profile has also removed the certificate here.

Alternatively you could manually delete the certificate as part of the script. You could use the security command with delete-certificate option.

Would you mind sharing your script? I need to tackle this soon, still haven't decided which way I'll go, appreciate the suggestions and discussion.

Kumarasinghe
Valued Contributor

Sure.

#!/bin/sh

# Export the matching certificate from the System keychain as PEM (-p) and let
# openssl print its expiry line; cut keeps only the date after "notAfter=".
certexpdate=$(/usr/bin/security find-certificate -c "certificatename" -p -Z "/Library/Keychains/System.keychain" | /usr/bin/openssl x509 -noout -enddate | cut -f2 -d=)

# Re-parse openssl's "Nov 18 17:38:14 2014 GMT" layout into the Casper/Jamf date format.
dateformat=$(/bin/date -j -f "%b %d %T %Y %Z" "$certexpdate" "+%Y-%m-%d %H:%M:%S")

echo "<result>$dateformat</result>"

This is a very basic EA shell script. Need to apply some logic to identify dates if the computer has multiple certs (active ones and expired ones), etc...
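The multiple-certificate case raised above (an expired copy still in the keychain being read instead of the renewed one), as an added example that is not the poster's script: a POSIX sh extension attribute that collects the notAfter of every matching certificate and reports only the latest. CERT_NAME is a placeholder for the certificate's common name, and the date conversion is done in awk rather than date(1) so it does not depend on BSD versus GNU parsing.

```shell
#!/bin/sh
# Added example, not from the thread. Jamf extension attribute that reports the
# LATEST notAfter among all keychain certificates matching a name, so an expired
# copy left in the System keychain cannot hide the renewed certificate.
# Assumptions: CERT_NAME is a placeholder for your AD certificate's common name;
# output uses the "YYYY-MM-DD HH:MM:SS" layout the thread uses for Jamf date EAs.

CERT_NAME="certificatename"          # placeholder, replace with the real CN
KEYCHAIN="/Library/Keychains/System.keychain"

# Read openssl "notAfter=Nov 18 17:38:14 2014 GMT" lines on stdin, convert each
# to a sortable "YYYY-MM-DD HH:MM:SS" string and print only the latest one.
# Pure awk, so it does not depend on BSD vs GNU date(1) parsing.
latest_expiry() {
    awk -F'=' '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        /^notAfter=/ {
            # f[1]=month f[2]=day f[3]=hh:mm:ss f[4]=year f[5]=zone
            n = split($2, f, " ")
            if (n < 4 || !(f[1] in mon)) next
            d = sprintf("%s-%s-%02d %s", f[4], mon[f[1]], f[2], f[3])
            if (d > best) best = d       # string compare is chronological here
        }
        END { if (best != "") print best }'
}

# Dump every matching certificate (-a) as PEM. openssl x509 only reads the first
# PEM block it sees, so feed it one certificate at a time.
all_expiries() {
    /usr/bin/security find-certificate -a -c "$CERT_NAME" -p "$KEYCHAIN" |
    while IFS= read -r line; do
        pem=$(printf '%s\n%s' "$pem" "$line")
        case "$line" in
            *"END CERTIFICATE"*)
                printf '%s\n' "$pem" | /usr/bin/openssl x509 -noout -enddate
                pem="" ;;
        esac
    done
}

# Only meaningful on macOS, where security(1) exists; prints the EA result.
if [ -x /usr/bin/security ]; then
    expiry=$(all_expiries | latest_expiry)
    echo "<result>${expiry:-No certificate found}</result>"
fi
```

A Jamf smart group can then use a "more than / less than N days ago" criterion on this date EA, and the expired copy no longer masks the renewed certificate.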

Kumarasinghe
Valued Contributor

@lisacherie

Have you implemented anything regarding cert expiry detection and renewal?
If yes, I would like to have some more information on this.

Thanks