Does anyone have a script or can anyone point me in the correct direction for scripting a way to remove a ton of duplicate certs from my machines?
Deploying RADIUS has caused me a real headache, and somehow a bunch of my machines pulled a new cert every single time the configuration profile was modified or redeployed. Now, my machines are confused? They prompt the user to enter a username/password or to choose which cert to use when connecting to our RADIUS SSID. I believe this is being caused by the many duplicates, though I may be (probably) wrong.
Does anyone have experience with this?
I'd greatly appreciate anyone's input on this.
The answer here lies in the security utility, which lets you manipulate the user's keychain and certificates contained therein. However, this is difficult, as the keychain needs to be unlocked or you need the user's password. That's not always feasible.
Practically, there's probably an easier solution here. Are you handing out the SCEP or AD Cert instructions in a configuration profile? If so, are you also handing out the WiFi settings in the same profile, or a separate one? If you send both in the same profile, you can explicitly tell the WiFi settings to use the certificate received from the SCEP request for authentication.
Yes, but the opposite of what you said - put them in the same profile. When you have both a certificate and a WiFi payload, and you choose a WPA2 Enterprise EAP type that supports certificates, you'll see an "Identity Certificate" drop down with the option of "AD Certificate". Selecting that will tell the Mac to use the certificate it requests to authenticate to the WiFi network.
In a similar vein, be sure you upload the entire certificate trust chain for your RADIUS server under the trust tab. Failure to do so can cause clients to be prompted to trust the RADIUS server, even if the certificates it's using are otherwise explicitly trusted on the system.