Question

Extension attribute to show a certificate and expiry date

  • February 1, 2017
  • 2 replies
  • 61 views


I know of a cert that will be expiring on Macs in the environment. The cert is user based and is called "username" only.

I have an extension attribute which works beautifully, however it's only showing me a result from another cert called "username@somewhere.com" instead of the cert named "username".

Anyone know how I can ensure that the result is for the cert called "username" only?

The EA is as follows:

#!/bin/bash

# This extension attribute finds the expiry date of a certificate with the same name as the user account.

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Get Cert Expiry Date

certexpiry=$(sudo -H -u "$loggedInUser" bash -c "security find-certificate -c $loggedInUser -p" | openssl x509 -text | grep "Not After :" | awk '{print $7"-"$4"-"$5}')

echo "<result>$certexpiry</result>"

2 replies

  • Contributor
  • February 2, 2017

Your code works for me...but I don't have another cert with username@company.com, just my default cert (my others use my full email address). Can you try using -a -c in the security command? -a finds all matches, whereas by default it only gets the first one. Or maybe there is a way to specify an EOF or null-termination that you could append to the $loggedInUser so it will only match that userid specifically, and not wildcard it (which sounds like what is happening). Also, in your awk print, add "$loggedInUser - " before the $7 maybe so you can see the actual user name, and/or also include the cert name....
Another idea; do the Key Usage attributes or EKU properties maybe differ between username and username@somewhere.com? Maybe you could filter on that, or the Issuer: field in the cert property...


  • Contributor
  • February 2, 2017

Or one other idea...check that the end of the Subject: property = $loggedInUser. In my environment at least (using MS PKI) they match (though case may be different).
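The two replies together (use -a -c so security returns every matching cert, then keep only the one whose Subject CN is exactly the username) as an added example script; it is not the original poster's EA or either replier's code, and it assumes the cert's CN holds the bare username and that the EA runs as root, as Jamf EAs do.

```shell
#!/bin/bash
# Added example, not the original poster's EA. Reads every certificate that
# security(1) matches with -a -c, then keeps only the one whose Subject CN is
# exactly the logged-in user, so "username@somewhere.com" no longer wins.

# exact_cn_match SUBJECT_LINE USER: succeeds only when the CN in the
# "subject=" line printed by `openssl x509 -noout -subject` equals USER.
# Handles both "subject= /DC=com/CN=user" and "subject=DC = com, CN = user".
exact_cn_match() {
    cn=$(printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p' | sed 's/[[:space:]]*$//')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# expiry_for_exact_cn USER: reads a PEM bundle on stdin, splits it into one file
# per certificate and prints the "Not After" date of the first exact CN match.
expiry_for_exact_cn() {
    tmpdir=$(mktemp -d) || return 1
    awk -v d="$tmpdir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert" n ".pem")}'
    found=1
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        if exact_cn_match "$subject" "$1"; then
            # openssl prints "notAfter=Feb  1 12:00:00 2019 GMT"; drop the key.
            openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//'
            found=0
            break
        fi
    done
    rm -rf "$tmpdir"
    return $found
}

# The EA body: search the console user's login keychain as that user (the EA
# itself runs as root) and report the exact-CN certificate's expiry to Jamf.
ea_main() {
    loggedInUser=$(/usr/bin/stat -f %Su /dev/console)
    certexpiry=$(sudo -H -u "$loggedInUser" /usr/bin/security \
        find-certificate -a -c "$loggedInUser" -p 2>/dev/null \
        | expiry_for_exact_cn "$loggedInUser")
    echo "<result>$certexpiry</result>"
}

# Only macOS has security(1); elsewhere the functions can still be sourced and tested.
if [ "$(uname -s)" = "Darwin" ]; then ea_main; fi
```

If no cert has an exactly matching CN the EA reports an empty result rather than silently falling back to the first substring match.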