Delete expired certificates from Keychain

gg-chrisd
New Contributor

Hi,

We have a Configuration Profile pushing out our WiFi settings with certs currently, but recently the first batch started expiring. They get renewed, no problem, but the expired cert is left in the keychain.

I'm trying to script the removal of them using the following script, so they can't be selected for the wireless profile.

#!/bin/bash

# Grabs the expired certificate hashes
expired=$(security find-identity | grep EXPIRED | awk '{print $2}')

# Check for certs
if [ -z "$expired" ]; then
    echo "No expired certificates, we're all good"
else
    # Deletes the expired certs via their hash
    echo "Deleting expired certs"
    security delete-certificate -Z $expired
fi

exit 0 # success

If I run these commands locally on the machine, then it works no problem, but via a policy it always fails with:

'Unable to delete certificate matching "XXXXXXXX..."

Any thoughts? Is there a better way to manage certificates for WiFi profiles?

Thanks
Chris

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

There is probably a more efficient way to do this honestly, but I generally do not need to deal with removing expired certs, plus we don't deploy them in the way you describe. So I don't think I can offer much advice there.

But to answer your question, the security command operates on the keychain of the account running the command by default, unless you specify a different keychain, OR, you run the entire command as the current user. Scripts running from Jamf Pro policies run as root, so the error is likely because it could not find and/or delete the keychain from the root account keychain, since that's not where it lives I'm assuming.


5 REPLIES 5

r0blee
New Contributor III

I would agree with mm2270. It's most likely that you're hitting the wrong keychain. Are the certificates installed into the user's keychain or the system keychain?

If you know who the users are on a machine or the current user (both easily obtained in a script) then you could do a:

su {currentUser} -c "{your command here}"

This will run the command as that user so if it is in their keychain you should be able to get it. Hopefully that helps in some way.

Rob

gg-chrisd
New Contributor

Cheers guys, looks like that was the issue. Adding /Library/Keychains/System.keychain to the end of the final command seems to have fixed the issue. Thanks for the help.

jontowles
New Contributor

This script works nicely but needs to be fixed a bit. It works great if it’s just one certificate but if it’s multiple you have to run it multiple times.

It probably needs some logic to iterate through, and the variable to store multiple values.

ravinderss129
New Contributor

I have modified the script and used a loop to delete all expired certificates as the user:
#!/bin/bash

# Picks a local user account (skips service accounts, takes the last one listed).
# Note: this reuses the shell's own USER variable name.
USER=$(dscl . list /Users | grep -v '_\|nobody\|daemon\|root' | tail -n 1)

# Grabs the expired certificate hashes
expired=$(security find-identity | grep EXPIRED | awk '{print $2}')

# Check for certs
if [ -z "$expired" ]; then
    echo "No expired certificates, we're all good"
else
    echo "Deleting expired certs"
    # Deletes each expired cert via its hash, running as the user whose keychain holds it
    for i in $expired; do
        su "$USER" -c "security delete-certificate -Z $i"
    done
fi
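Putting the two points from this thread together (mm2270's: the security command acts on the running account's keychain unless you name a keychain or run as the user; jontowles's: one delete call per hash, not one call with all hashes), here is an added example script. It is not the original poster's script nor any of the replies' code. It assumes, as gg-chrisd found, that the Wi-Fi identities live in /Library/Keychains/System.keychain and that it runs as root from a Jamf Pro policy; the sample find-identity output and its hashes are constructed for testing the parser and are not real.

```shell
#!/bin/bash
# Added example, not the original poster's script: remove every expired
# identity from one named keychain, one `security delete-certificate`
# call per hash. Assumes (per the thread) that the Wi-Fi identities live in
# /Library/Keychains/System.keychain and that this runs as root from a policy.

KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"

# Constructed sample of `security find-identity` output (the hashes are made up)
# so the parser can be exercised without touching a real keychain.
SAMPLE_FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 0A1B2C3D4E5F60718293A4B5C6D7E8F901234567 "wifi-client (old)" (CSSMERR_TP_CERT_EXPIRED)
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "wifi-client (renewed)"
     2 identities found

  Valid identities only
  1) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "wifi-client (renewed)"
     1 valid identities found'

# Read `security find-identity` output on stdin and print one SHA-1 hash per
# expired identity. Only lines flagged CSSMERR_TP_CERT_EXPIRED whose second
# field is a 40-hex-digit hash qualify, so a certificate whose *name* merely
# contains "EXPIRED" is not matched and the valid-identities section is skipped.
expired_hashes() {
  awk '/CSSMERR_TP_CERT_EXPIRED/ && $2 ~ /^[0-9A-Fa-f]+$/ && length($2) == 40 { print $2 }' | sort -u
}

# Read hashes on stdin, delete each one from the given keychain, and print the
# number of successful deletions. A failure on one hash is reported on stderr
# but does not stop the remaining deletions.
delete_expired() {
  keychain="$1"
  count=0
  while IFS= read -r hash; do
    [ -n "$hash" ] || continue
    if security delete-certificate -Z "$hash" "$keychain" >/dev/null; then
      count=$((count + 1))
    else
      echo "could not delete $hash from $keychain" >&2
    fi
  done
  echo "$count"
}

main() {
  # Naming the keychain is what makes this work from a root-run policy.
  hashes=$(security find-identity "$KEYCHAIN" | expired_hashes)
  if [ -z "$hashes" ]; then
    echo "No expired identities in $KEYCHAIN"
    return 0
  fi
  n=$(printf '%s\n' "$hashes" | delete_expired "$KEYCHAIN")
  echo "Deleted $n expired identities from $KEYCHAIN"
}

# Only touch a real keychain when the macOS `security` tool is present.
if command -v security >/dev/null 2>&1; then
  main
fi
```

If the identities are in a user's login keychain instead, keep the loop but run each delete as that user (r0blee's `su "$user" -c "security delete-certificate -Z $hash"`), since root cannot see that keychain by default. Either way, deleting by hash one at a time avoids the single-call form, where a second hash would be read by `security` as a keychain path rather than another certificate.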