Using Profile-based certificate renewal in OS X

Current versions of OS X include support for renewal of certificates acquired from a configuration profile.

OS X supports two methods of certificate enrollment using a configuration profile: Simple certificate enrollment protocol (SCEP), and DCOM/RPC (ADCertificate). ADCertificate relies on a Microsoft Windows Server Certificate Authority (CA). SCEP often uses a Microsoft CA’s Network Device Enrollment Service (NDES). 

About certificates

In OS X, certificates acquired through a profile can be renewed using the same installed profile. When the certificate is fifteen days from its expiration date, the certificate profile in the Profiles pane of System Preferences displays an Update button.

Notification Center also displays a banner when it's time to renew (within 15 days of expiration).

This notification repeats once a day until the certificate expires or action is taken.

ADCertificate renewal

Click the Update button in the Profiles pane of System Preferences. A new private key is created and used to sign the certificate request that is sent to the Certificate Authority (CA). When the new certificate is obtained from the CA, it pairs with the new private key.

The original certificate and private key that were created when the profile was installed remain in the keychain.

SCEP renewal

Click the Update button in the Profiles pane of System Preferences. The existing private key is used to sign the certificate request that is sent to the Certificate Authority (CA). When the renewed certificate is obtained from the CA, it pairs with the original private key.

The original certificate created when the profile was installed remains in the keychain.

Configuring Renewal Notifications

By default, OS X Yosemite displays a daily notification when the acquired certificate is within 14 days of expiration. OS X Yosemite offers two configuration parameters that can modify this behavior: CertificateRenewalTimeInterval and CertificateRenewalTimePercent. Here are some details about each:

Parameter                        Where it is set                          Allowed values                                        Units
CertificateRenewalTimeInterval   Profile Manager configuration profile    Greater than 14 days; less than the maximum           Days (integer)
                                 (ADCert or SCEP)                         lifetime of the certificate in days
CertificateRenewalTimePercent    /usr/sbin/defaults                       Between 1 and 50                                      Percentage (integer)

CertificateRenewalTimePercent is applied with syntax like the following:

sudo defaults write /Library/Preferences/com.apple.mdmclient CertificateRenewalTimePercent -int 25

The two settings are applied with the following precedence:

  1. If CertificateRenewalTimeInterval is defined in the profile, its value will be used.
  2. If CertificateRenewalTimeInterval is *not* defined in the profile but CertificateRenewalTimePercent is defined on the client, CertificateRenewalTimePercent’s value will be used.
  3. If neither is explicitly defined, a value of 14 days is assumed for CertificateRenewalTimeInterval.
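The precedence rule and the range limits from the table above, worked through on a constructed one-year certificate. This is an added example, not Apple's code or the mdmclient logic; it assumes (the article does not say) that CertificateRenewalTimePercent is a percentage of the certificate's total lifetime counted back from expiration.

```python
from datetime import date, timedelta

DEFAULT_INTERVAL_DAYS = 14  # used when neither setting is defined (step 3)

def parse_day(text):
    """Parse a YYYY-MM-DD string into a date (helper for sample inputs)."""
    return date.fromisoformat(text)

def renewal_window_days(lifetime_days, interval_days=None, percent=None):
    """Days before expiration at which the renewal window opens.

    Precedence follows the article: a profile-defined
    CertificateRenewalTimeInterval wins (step 1), then a client-side
    CertificateRenewalTimePercent (step 2), else 14 days (step 3).
    Range checks follow the table: the interval must exceed 14 days and be
    shorter than the certificate lifetime; the percent must be 1..50.
    Assumption not stated by the article: the percent is taken of the
    certificate's total lifetime and counted back from expiration.
    """
    if interval_days is not None:
        if not 14 < interval_days < lifetime_days:
            raise ValueError("CertificateRenewalTimeInterval out of range")
        return interval_days
    if percent is not None:
        if not 1 <= percent <= 50:
            raise ValueError("CertificateRenewalTimePercent out of range")
        return lifetime_days * percent // 100
    return DEFAULT_INTERVAL_DAYS

def renewal_opens(not_before, not_after, interval_days=None, percent=None):
    """Date on which the Update button and daily banner would first appear."""
    lifetime_days = (not_after - not_before).days
    window = renewal_window_days(lifetime_days, interval_days, percent)
    return not_after - timedelta(days=window)

def needs_renewal(today, not_before, not_after, interval_days=None, percent=None):
    """True while the certificate is inside its renewal window and not yet expired."""
    return renewal_opens(not_before, not_after, interval_days, percent) <= today < not_after

# Constructed sample: a one-year certificate (not taken from the article).
SAMPLE_NOT_BEFORE = parse_day("2015-01-01")
SAMPLE_NOT_AFTER = parse_day("2016-01-01")

if __name__ == "__main__":
    for label, kw in [("default", {}), ("interval=30", {"interval_days": 30}),
                      ("percent=25", {"percent": 25})]:
        print(label, renewal_opens(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, **kw))
```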

Learn More

If the profile that was used to obtain the ADCert or SCEP certificate is removed from Mavericks, the most recently acquired certificate and its private key will be removed from the keychain in which they reside. The original certificate, now orphaned from its private key, will not be removed and can be deleted manually.

If the profile used to obtain the certificate also contains other payloads linked to that certificate (Network: EAP-TLS, VPN: OnDemand certificate-based authentication, and so forth), those dependent configurations are updated to use the new certificate when it is renewed.

After a certificate is renewed, the installed profile is associated with the new certificate. No additional profiles will be installed or created as a result of the certificate renewal.
