Script to connect New Certificate with existing WiFi profile

Njofrekk
New Contributor II

Hi guys,
In our environment we've got managed Macs that have a Configuration Profile installed for a private WiFi network that is authenticated through an AD User Certificate. The Config Profile is set up with both a Network and an AD Certificate payload.
The server responsible for that AD Cert is being decommissioned soon and we need to deploy a new User Certificate from a new server.
The idea was to push a new Config Profile with the new AD Certificate (without a Network payload) and, when the Cert is installed, push a script that would bind the existing WiFi network setup to the new AD Cert. In other words, force WiFi to use the new cert instead of the old one.
We are currently exploring other ways of completing this task but I am very interested if it can be done this way.
Is there a command to pinpoint that particular certificate among others since both old and new certs have the same Common Name (that of the User)? They differ in Issuer Common Name and Private Key information, though.
Can it be done with a script at all, and if yes, I would appreciate your suggestions on how to do it.


Njofrekk
New Contributor II

Working on a script that will identify the old certificate and delete it. Will post a working script when I complete it and test it thoroughly.
I still have no idea how to automate the process when you try to connect to WiFi and it detects that the old Cert is missing and offers a list of certificates to choose from. How to automate it to choose the new Cert?

mm2270
Legendary Contributor III

I'm not 100% certain, but I believe what you're looking for is to create what's known as an identity preference in the keychain, which will pair the specific SSID to the certificate that it should use for connection/authentication.

I'd start by opening Terminal on your Mac and doing man security to look over the manpage for the security command, which is the utility you'd likely need to use for this task, even if it's not an identity preference you need to create. If it is an identity preference, then the specific security command should be set-identity-preference.

Post back if you need some additional help with this. Without knowing some more specifics on your setup, it's hard to put together an example script here.

Njofrekk
New Contributor II

Yes! Thank you! This little clarification helped a lot. I've already studied security command but I've never looked at identity preference in such a way. I completely misunderstood what it meant. I'll work on implementing it into our script and post the results here. Probably after the holidays though.
Thank you again. :)

krausec
New Contributor II

Have you been able to resolve this issue?

mm2270
Legendary Contributor III

@krausec The basic idea is to do something like the following:

security set-identity-preference -c "$certname" -s "com.apple.network.eap.user.identity.wlan.ssid.$SSID" /Users/$username/Library/Keychains/login.keychain

The 3 variables in the above ($certname, $SSID, $username) need to either be dynamically obtained in the script or supplied in the script directly. $certname is of course the certificate that you're looking to create the identity to pair to the Wi-Fi hotspot for. $SSID is the Wi-Fi hotspot name, and $username is the name of the user account's login.keychain you're creating the identity in.

Hope that helps get you on the right track.
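The following script is an added example for this thread (it is not mm2270's or Jamf's code). It addresses the original poster's concern that the old and new certificates share a Common Name by selecting the new one through its Issuer CN and then pinning the identity preference to that certificate's SHA-1 hash (the -Z option of set-identity-preference) rather than by name alone. The variable names, SAMPLE_DUMP and the exact attribute-dump layout are constructed assumptions.

```shell
#!/bin/bash
# Added example for the thread above; not mm2270's or Jamf's code.
# Constructed values: the three variables below and SAMPLE_DUMP. Assumes
# the dump from `security find-certificate -a -c CN -Z` shows, per match,
# a "SHA-1 hash:" line and an "issu"<blob> line whose quoted form contains
# the issuer's ASCII characters literally (as in SAMPLE_DUMP).
SSID="${SSID:-}"                     # Wi-Fi network name
CERT_CN="${CERT_CN:-}"               # Common Name shared by old and new cert
NEW_ISSUER_CN="${NEW_ISSUER_CN:-}"   # issuer CN unique to the new cert

# select_cert_hash ISSUER_CN < dump
# Prints the SHA-1 of the first certificate issued by ISSUER_CN; returns 1
# and prints nothing when no such certificate is in the dump.
select_cert_hash() {
    awk -v issuer="$1" '
        /^SHA-1 hash: / { hash = $3; next }
        /"issu"<blob>=/ && hash != "" && index($0, issuer) > 0 {
            print hash; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# bind_wifi_identity SSID CN HASH KEYCHAIN
# -Z pins the exact certificate, so two certs with the same CN cannot be
# confused; -c is kept so the preference still names the identity.
bind_wifi_identity() {
    security set-identity-preference -c "$2" -Z "$3" \
        -s "com.apple.network.eap.user.identity.wlan.ssid.$1" "$4"
}

# Constructed dump with an old and a new certificate for the same CN.
SAMPLE_DUMP='SHA-1 hash: 1111111111111111111111111111111111111111
    "issu"<blob>=0x3011  "0\021...\003U\004\003\014\006OLD-CA"
SHA-1 hash: 2222222222222222222222222222222222222222
    "issu"<blob>=0x3011  "0\021...\003U\004\003\014\006NEW-CA"'

# Real run only on a Mac; run this as the console user so their login
# keychain (login.keychain-db on current macOS) can be unlocked and written.
if [ "$(uname)" = "Darwin" ] && [ -n "$SSID" ] &&
   [ -n "$CERT_CN" ] && [ -n "$NEW_ISSUER_CN" ]; then
    user=$(stat -f '%Su' /dev/console)
    keychain="/Users/$user/Library/Keychains/login.keychain-db"
    cert_hash=$(security find-certificate -a -c "$CERT_CN" -Z "$keychain" |
                select_cert_hash "$NEW_ISSUER_CN") ||
        { echo "no certificate from $NEW_ISSUER_CN for $CERT_CN" >&2; exit 1; }
    bind_wifi_identity "$SSID" "$CERT_CN" "$cert_hash" "$keychain"
fi
```

Run it in the user's context (for example via sudo -u with the three variables exported); on a non-Mac host it only defines the functions and the sample data.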