How to Delete Expired Certificates in System Keychain

myers022
New Contributor II

We've encountered an issue related to expired Wi-Fi certificates interfering with Kerberos and SmartCard logins, despite not utilizing SmartCards in our setup. Oddly, Kerberos perceives our expired Wi-Fi certificates as identities for SmartCard logins. Yet, when the certificates aren't expired, this issue doesn't manifest.

Recently, SmartCard login has been inadvertently activated on some user machines. As a result, these users cannot log out of Kerberos SmartCard. We found a temporary workaround: deleting the expired Wi-Fi certificate and rebooting allows Kerberos to permit the user to log out. Interestingly, in the absence of any expired certificates, the Kerberos SmartCard cannot recognize any identities, preventing it from being set up on a user's Mac.
I'm trying to create a policy script to delete any expired system keychain certificates, but I've hit some roadblocks. Would anyone have relevant scripts or recommendations I could leverage?
Thanks in advance.
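One way to script what the original poster asks for. This is an added example, not code from the thread or from Jamf. It assumes the standard System keychain path, that `openssl` is on the PATH, and the Jamf convention that script parameters start at $4; the `GRACE_SECONDS` knob and the function names are mine. It dumps every certificate in the System keychain as PEM with `security find-certificate -a -p`, lets `openssl x509 -checkend` decide which are expired, and deletes those by SHA-1 hash with `security delete-certificate -Z` (the hash form that command's man page documents). It defaults to a report-only run so the policy can be scoped broadly before anything is removed.

```shell
#!/bin/bash
# Added example: prune expired certificates from the macOS System keychain.
# Assumptions: standard System keychain path, openssl on PATH, Jamf passing
# the first script parameter as $4. Defaults to a dry run.
set -eu

SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
# Also flag certificates that expire within this many seconds (0 = only
# certificates that are already expired). Hypothetical knob, not a Jamf setting.
GRACE_SECONDS="${GRACE_SECONDS:-0}"

# expired_certs: read concatenated PEM certificates on stdin (the format
# `security find-certificate -a -p` prints) and emit one line per certificate
# that is expired or expires within GRACE_SECONDS, as "<sha1-hex><TAB><subject>".
expired_certs() {
    local pem line fp subj
    pem=""
    while IFS= read -r line; do
        pem="${pem}${line}
"
        [ "$line" = "-----END CERTIFICATE-----" ] || continue
        # openssl exits 0 while the certificate stays valid for GRACE_SECONDS more,
        # non-zero once it is expired or about to expire.
        if ! printf '%s' "$pem" | openssl x509 -noout -checkend "$GRACE_SECONDS" >/dev/null 2>&1; then
            # "SHA1 Fingerprint=AB:CD:..." -> "ABCD..." (the form -Z expects)
            fp=$(printf '%s' "$pem" | openssl x509 -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g')
            subj=$(printf '%s' "$pem" | openssl x509 -noout -subject | sed -e 's/^subject= *//')
            printf '%s\t%s\n' "$fp" "$subj"
        fi
        pem=""
    done
}

# prune_keychain: report ($1 = report) or delete ($1 = delete) expired
# certificates in SYSTEM_KEYCHAIN. Logs each match either way.
prune_keychain() {
    local mode fp subj
    mode="${1:-report}"
    /usr/bin/security find-certificate -a -p "$SYSTEM_KEYCHAIN" | expired_certs |
    while IFS="$(printf '\t')" read -r fp subj; do
        echo "expired certificate: $fp  $subj"
        if [ "$mode" = "delete" ]; then
            # -Z selects the certificate by SHA-1 hash; add -t to drop trust settings too
            /usr/bin/security delete-certificate -Z "$fp" "$SYSTEM_KEYCHAIN"
        fi
    done
}

# Jamf passes mount point, computer name and username as $1-$3; the first
# script parameter is $4. Anything other than "delete" is a dry run.
if [ -x /usr/bin/security ]; then
    prune_keychain "${4:-report}"
else
    echo "prune: /usr/bin/security not found; this script is macOS-only" >&2
fi
```

Run it once as a report-only policy and check the log for what it would remove before switching the parameter to `delete`. Since the thread reports that Kerberos only lets go of the bogus identity after a restart, pair the delete run with a reboot (or a user-facing restart prompt), and set `GRACE_SECONDS` to a few days ahead of the Wi-Fi certificate's expiry if you want the cleanup to land before the lockout rather than after.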

2 REPLIES

a_hebert
New Contributor III

I use this to delete the Wi-Fi keychain item in Keychain Access. When you pull it up in Keychain Access you will see Kind, Account, Where, and Modified. You need to put the Where after the -s:

/usr/bin/security delete-generic-password -s "Where"


kgam
Contributor

If it's a shared certificate with the same SHA-256 value you can also use that to delete the certificate:

security delete-certificate -Z "3D77D4088F8ABF314624913DAA368BFFC58ADA43C3GD1Z7750D" $systemKeychain