Posted on 02-01-2017 07:33 AM
I know of a cert that will be expiring on Macs in the environment. The cert is user based and is called "username" only.
I have an extension attribute which works beautifully, however it's only showing me a result from another cert called "username@somewhere.com" instead of the cert named "username".
Anyone know how I can ensure that the result is for the cert called "username" only?
The EA is as follows:
#!/bin/bash
# Console user, as reported by the owner of /dev/console
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Dump the user's cert as PEM, then pull the "Not After" line out of the text form (year-month-day)
certexpiry=$(sudo -H -u "$loggedInUser" bash -c "security find-certificate -c $loggedInUser -p" | openssl x509 -noout -text | grep "Not After :" | awk '{print $7"-"$4"-"$5}')
echo "<result>$certexpiry</result>"
Posted on 02-02-2017 06:43 AM
Your code works for me...but I don't have another cert with username@company.com, just my default cert (my others use my full email address). Can you try using -a -c in the security command? -a finds all matches, whereas by default it only gets the first one. Or maybe there is a way to specify an EOF or null-termination that you could append to the $loggedInUser so it will only match that userid specifically, and not wildcard it (which sounds like what is happening). Also, in your awk print, add "$loggedInUser - " before the $7 maybe so you can see the actual user name, and/or also include the cert name....
Another idea; do the Key Usage attributes or EKU properties maybe differ between username and username@somewhere.com? Maybe you could filter on that, or the Issuer: field in the cert property...
Posted on 02-02-2017 06:48 AM
Or one other idea: check that the end of the Subject: property = $loggedInUser. In my environment at least (using MS PKI) they match (though case may be different).
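Putting the two suggestions from the replies together (return every match with -a, then keep only the certificate whose Subject CN equals the short username exactly), here is an added example; it is not the original poster's EA and not code from either reply. It assumes a Jamf extension attribute running as root on macOS, the sample `openssl x509 -text` output embedded below is constructed so the filter can be exercised off-box, and the function names pem_bundle_to_text, pick_exact_cn, cert_expiry_for_console_user and demo_expiry are chosen here.

```shell
#!/bin/bash
# Added example (not the poster's EA): report the expiry of the certificate whose
# Subject CN is exactly the console user, ignoring "username@somewhere.com".

# pem_bundle_to_text: `openssl x509` only reads the first PEM block on stdin, so
# split the bundle that `security find-certificate -a -p` returns and convert
# each certificate to -text form in turn.
pem_bundle_to_text() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = "" }
    { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/ {
      cmd = "openssl x509 -noout -text"
      printf "%s", buf | cmd
      close(cmd)
    }'
}

# pick_exact_cn USER: read `openssl x509 -text` output for one or more
# certificates on stdin and print "YYYY-Mon-D" (the poster's field order) for
# the certificate whose Subject CN equals USER exactly. Prints nothing otherwise.
pick_exact_cn() {
  awk -v want="$1" '
    /^Certificate:/ { na = "" }                  # new certificate: forget previous expiry
    /Not After :/   { na = $7 "-" $4 "-" $5 }    # "Not After : Feb  1 12:00:00 2018 GMT"
    /^[ \t]*Subject:/ {
      # Validity precedes Subject in -text output, so na is already set here.
      # "CN *= *" accepts both "CN=x" and the "CN = x" spacing of newer OpenSSL.
      if (match($0, /CN *= *[^,]*/)) {
        cn = substr($0, RSTART, RLENGTH)
        sub(/^CN *= */, "", cn)
        sub(/[ \t]*$/, "", cn)
        if (cn == want && na != "") print na     # string equality, not a substring match
      }
    }'
}

# cert_expiry_for_console_user: the EA body proper (macOS only; Jamf runs EAs
# as root, so sudo -u reads the console user's login keychain). -a returns every
# certificate matching -c; pick_exact_cn then keeps only the exact-CN one.
cert_expiry_for_console_user() {
  loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
  sudo -H -u "$loggedInUser" security find-certificate -a -c "$loggedInUser" -p \
    | pem_bundle_to_text \
    | pick_exact_cn "$loggedInUser" \
    | head -n 1
}

# Constructed sample: what `openssl x509 -text` prints for two certificates in
# one user's keychain, one per name. These are not real certificates.
SAMPLE_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: DC=com, DC=somewhere, CN=Example Issuing CA
        Validity
            Not Before: Feb  1 12:00:00 2017 GMT
            Not After : Feb  1 12:00:00 2018 GMT
        Subject: CN=username@somewhere.com, OU=Users, DC=somewhere, DC=com
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: DC=com, DC=somewhere, CN=Example Issuing CA
        Validity
            Not Before: Mar  3 09:30:00 2016 GMT
            Not After : Mar  3 09:30:00 2019 GMT
        Subject: CN=username, OU=Users, DC=somewhere, DC=com
EOF
)

# demo_expiry: run the filter over the constructed sample for "username".
demo_expiry() {
  printf '%s\n' "$SAMPLE_TEXT" | pick_exact_cn username
}

if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
  echo "<result>$(cert_expiry_for_console_user)</result>"
else
  echo "<result>$(demo_expiry)</result>"   # off-box: prints 2019-Mar-3 from the sample
fi
```

The filter compares the CN with the username as a whole string, so a certificate named "username@somewhere.com" is skipped even though `security find-certificate -c username` returns it; `head -n 1` keeps the EA result to a single value if the user happens to hold more than one exact-CN certificate (for example an old and a renewed one). Because the Subject in the sample comes from MS PKI style naming, the CN comparison is case-sensitive as written; if the CN and the account name differ only in case in your environment, lower-case both sides in the awk comparison.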