Renewing certificates for 802.1x

bbot
Contributor

Currently we have a Casper configuration policy that downloads the necessary certificates to get on our Wifi network at a user level.

Our certificates are expiring soon and we're looking for a way to have them auto-renew.

I've tried running a script using the profiles command, but it requires local admin access to import into the keychain. How have some of you handled renewing of certificates?

7 REPLIES

nessts
Valued Contributor II

Do it as a profile; you will probably find that much easier.

bbot
Contributor

I do have a configuration profile that triggers during the first login for the user. How would I configure the profile to activate again at login 2 before the cert expires?

nessts
Valued Contributor II

When you make changes to a configuration profile it then asks you what machines you want to distribute it to; I would choose distribute to all.

bbot
Contributor

I tried making a change by adding "require a password" and then removing it to see if it will invoke a "distribute to all devices" prompt, but I'm not getting that message. It appears to just save.

I can edit another configuration profile and it'll give me the prompt to distribute to all devices or only new devices. Is there a setting I'm missing?

bentoms
Release Candidate Programs Tester

@brandobot that won't trigger a change as the end profile is the same.

Have you a new cert? Add that & then you should be able to push.

bbot
Contributor

@bentoms not yet, but as soon as I get it, I will give it a try.

Thanks all!

AVmcclint
Honored Contributor

I've been trying to figure out how this is supposed to be done. We have AD Certs being issued with our 802.1x policy and when the certs get within 14 days of expiring a year later, users are notified that the cert is about to expire. When users go to System Preferences > Profiles and click on the 802.1x profile, there's an Update button they can click. The problem is that it doesn't actually RENEW the existing cert. It requests a new cert from our CA server. After it completes the "update", the computer then has 2 certificates named the same thing (the computer name). One that is expired and one that is new. Depending on what the user's actions are in their daily work, they may be prompted to choose which certificate to use but since both are named exactly the same, they don't know what to do. I end up having to go into Keychain Access to locate the expired cert and manually delete it.

Surely there's a better method of handling certificate renewals. Windows users don't have to deal with any of that garbage. The certs automatically renew and there's no confusion.
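The duplicate-certificate problem described above (two identities with the same name, one expired, one fresh) can at least be detected and cleaned up without clicking through Keychain Access. The script below is an added example, not code from this thread or from Jamf; it assumes the output format of macOS `security find-certificate -a -c <name> -Z -p` (a `SHA-1 hash:` line followed by a PEM block per match), walks each certificate's DER just far enough to read `notAfter`, and prints a `security delete-certificate -Z <hash>` line for every expired match for an admin to review before running. Because it has to run offline, it fabricates stand-in certificates with the same outer X.509 layout (unsigned, placeholder contents) and a constructed imitation of the `security` output; on a real Mac you would feed it the tool's actual output instead. The private key of a deleted identity is left in place; this only removes the expired certificate that causes the "which one?" prompt.

```python
"""Find expired duplicates of an 802.1x identity certificate in `security` output."""
import base64
import hashlib
import re
from datetime import datetime, timezone

# ---- minimal DER helpers: only what is needed to reach the validity field ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(value)) + value

def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All top-level (tag, value) elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def not_after(der):
    """notAfter of a DER certificate as an aware UTC datetime (UTCTime or GeneralizedTime)."""
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])       # tbsCertificate
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                       # serial, sigAlg, issuer, validity
    tag, value = children(validity)[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

# ---- parsing `security find-certificate -a -c <name> -Z -p` output ----

ENTRY_RE = re.compile(
    r"SHA-1 hash: ([0-9A-Fa-f]+).*?-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
    re.S)

def parse_security_output(text):
    """(sha1, der) per certificate; the SHA-1 line precedes each PEM block."""
    return [(h.upper(), base64.b64decode("".join(body.split())))
            for h, body in ENTRY_RE.findall(text)]

def find_expired(text, now):
    """[(sha1, notAfter)] for every certificate in `text` that is expired at `now`."""
    return [(sha1, exp) for sha1, der in parse_security_output(text)
            if (exp := not_after(der)) <= now]

def cleanup_commands(text, now):
    """One `security delete-certificate -Z <hash>` per expired cert, for review, not executed."""
    return ["security delete-certificate -Z %s" % sha1 for sha1, _ in find_expired(text, now)]

# ---- constructed test data: stand-in certs and an imitation of the tool's output ----

def _utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_fake_cert(cn, not_before, not_after_dt):
    """Unsigned stand-in with a real certificate's outer layout; constructed, not a valid cert."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02")) +                                     # version v3
              tlv(0x02, b"\x01") +                                                # serialNumber
              tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")) +     # sha256WithRSA
              name +                                                              # issuer
              tlv(0x30, _utctime(not_before) + _utctime(not_after_dt)) +          # validity
              name +                                                              # subject
              tlv(0x30, b""))                                                     # SPKI placeholder
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def render_security_output(certs):
    """Imitation of `security find-certificate -a -c <name> -Z -p` output (constructed)."""
    chunks = []
    for der in certs:
        b64 = base64.b64encode(der).decode()
        pem = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        chunks.append("SHA-1 hash: %s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                      % (hashlib.sha1(der).hexdigest().upper(), pem))
    return "".join(chunks)

UTC = timezone.utc
OLD_CERT = build_fake_cert("MACBOOK-01", datetime(2014, 3, 1, tzinfo=UTC), datetime(2015, 3, 1, tzinfo=UTC))
NEW_CERT = build_fake_cert("MACBOOK-01", datetime(2015, 2, 15, tzinfo=UTC), datetime(2016, 2, 15, tzinfo=UTC))
OLD_SHA1 = hashlib.sha1(OLD_CERT).hexdigest().upper()
SAMPLE_OUTPUT = render_security_output([OLD_CERT, NEW_CERT])
SAMPLE_NOW = datetime(2015, 4, 1, tzinfo=UTC)   # after OLD_CERT's notAfter, before NEW_CERT's

if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_OUTPUT, SAMPLE_NOW):
        print(cmd)
```

On a real machine, replace `SAMPLE_OUTPUT` with the captured text of `security find-certificate -a -c "$(scutil --get ComputerName)" -Z -p` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`; keeping the delete commands as printed output rather than running them lets an admin confirm the hashes belong to the expired duplicate before anything leaves the keychain.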