Updating 802.1X wifi profile Trusted Certificate

Xenophontos
New Contributor II

Hi All,

The trusted certificate is due to expire soon. Could anyone suggest the best way to deal with updating the current profile? Laptops requiring this update had been imaged with the wifi profile installed and I'm not quite sure how to proceed with this update.

Any suggestions will be greatly appreciated.

Andrew Xenophontos
IT Support
Moriah College
E | axenophontos@moriah.nsw.edu.au T | 02 93751721

5 REPLIES

alexjdale
Valued Contributor III

Which operating system? Snow Leopard and Lion handle 802.1x quite differently.

For Lion, it would be a matter of removing the old configuration profile and installing the new one. If the certificate is the same for each system that can simply be embedded in the profile (I think), or the profile can be configured to request a new one from your CA (which is how we do it). This is relatively easy to script at the command line and can be packaged up cleanly. You may need to have the user change their keychain entries for wifi though, depending on your configuration.

For Snow Leopard, I would find out how the profile was set up originally. We use a fairly complex script to create the profile and request the certificate/embed it along with the chain certs. If it was created by hand as part of a master image, this will be trickier. In my case, it's a simple matter of tweaking the payload/CA info in the script and re-running it, it just overwrites the old profile.

I am in the middle of a similar scenario myself.

rmanly
Contributor III

This is from a pkg I made when ours expired for 10.6; preflight does some clean-up in Airport settings and gets rid of the expired cert.

Post-flight imports the 8021x.networkConnect file from Network Preferences, which was exported with the certs intact and put down as the payload of the pkg.

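#!/bin/bash
## preflight
##
## Not supported for flat packages.

user_profiles=()

# Turn the AirPort interface off before changing its configuration.
networksetup -setairportpower en1 off

# Remove the system 802.1X profile and every preferred wireless network.
networksetup -deletesystemprofile Airport

networksetup -removeallpreferredwirelessnetworks en1

# Collect the name of every user 802.1X profile, one per line.
while IFS= read -r; do
    user_profiles+=("$REPLY")
done < <(networksetup -listalluserprofiles)

# Delete each user profile that was found.
if [[ "${#user_profiles[@]}" -ge 1 ]]; then
    for profile in "${user_profiles[@]}"; do
        networksetup -deleteuserprofile "${profile}"
    done
fi

# Remove the expired certificate, matched by its common name.
security delete-certificate -c '*.glenbrook225.org'

exit 0      ## Success

#!/bin/bash
## postflight
##
## Not supported for flat packages.

# Import the exported 802.1X profile that the pkg laid down at / as its payload.
networksetup -import8021xProfiles Airport /8021x_new.networkConnect

sleep 3

# Bring the AirPort interface back up so it joins with the new profile.
networksetup -setairportpower en1 on

sleep 3

# Delete the exported profile once it has been imported; it contains the certs.
rm /8021x_new.networkConnect

exit 0      ## Success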

Xenophontos
New Contributor II

Alex and Ryan, I appreciate your advice.

All my managed clients run on 10.7.2, and the certificate due to expire is embedded. Alex, can you please expand on your method of configuring the existing profile to request a new cert from the CA?

Kind Regards,
Andrew

alexjdale
Valued Contributor III

If you are using the same certificate for all systems, then I would just create a new configuration profile with the same settings and the new cert. Removing the old profile and installing the new one should do the trick.

Our configuration profile is configured to request a unique cert when it is installed (and also removes it from the system keychain when the profile is uninstalled), but this method also requires the user to store information on their login keychain (which may need to be updated to utilize the new cert).
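
Added example, not code from any poster in this thread: when a rebuilt configuration profile swaps in the new certificate payload, the Wi-Fi payload's PayloadCertificateAnchorUUID has to point at the new payload's UUID, and this check catches a stale or missing anchor before the profile is deployed. It assumes an unsigned .mobileconfig (a plain plist); the function names, UUIDs, SSID and certificate bytes are constructed placeholders.

```python
import plistlib

# Payload types that carry a certificate inside a configuration profile.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}

def audit_wifi_trust(profile_bytes):
    """Return a list of findings about 802.1X trust anchors in a profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    certs = {p["PayloadUUID"]: p.get("PayloadDisplayName", "?")
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    findings, used = [], set()
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue  # not an 802.1X network
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trusted certificate pinned")
        for uuid in anchors:
            if uuid in certs:
                used.add(uuid)
            else:
                findings.append(f"{ssid}: anchor {uuid} not in profile")
    for uuid in sorted(set(certs) - used):
        findings.append(f"certificate '{certs[uuid]}' ({uuid}) is not referenced")
    return findings

def build_sample(anchor_uuid):
    """Constructed sample profile; UUIDs, SSID and cert bytes are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi", "PayloadUUID": "PROFILE-0000",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CERT-NEW",
             "PayloadDisplayName": "New RADIUS cert",
             "PayloadContent": b"constructed-placeholder-not-a-real-cert"},
            {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
             "SSID_STR": "ExampleSSID", "EncryptionType": "WPA",
             "EAPClientConfiguration": {"AcceptEAPTypes": [25],
                                        "PayloadCertificateAnchorUUID": [anchor_uuid]}},
        ]})

if __name__ == "__main__":
    for label, anchor in (("stale", "CERT-OLD"), ("fixed", "CERT-NEW")):
        print(label, audit_wifi_trust(build_sample(anchor)) or "OK")
```

An empty result means every 802.1X Wi-Fi payload pins a certificate that is actually present in the profile.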

mgrev
New Contributor

Hello rmanly,
could you please tell me how exactly you create a package like this with the payload file? Do you just drag n drop the .networkconnect file (which has the wifi certificate) onto the Composer's left-side pane and then compile the preflight & postflight scripts along with that? Is that all I have to do?