
OS X Mavericks: Profile-based certificate renewal

OS X Mavericks introduces support for renewal of certificates acquired via configuration profile.

OS X supports two methods of certificate enrollment via configuration profile: Simple Certificate Enrollment Protocol (SCEP) and DCOM/RPC (ADCertificate). ADCertificate relies on a Microsoft Windows Server Certificate Authority (CA). SCEP often uses a Microsoft CA's Network Device Enrollment Service (NDES).

With OS X Mavericks, certificates acquired via a profile can be renewed via the same installed profile. When the certificate is fifteen days from its expiration date, the certificate profile in the Profiles pane of System Preferences will display an Update button.

Notification Center in Mavericks will display a banner when it's time to renew (within 15 days of expiration).
 
This notification will repeat once a day until the certificate expires or action is taken.
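As an added example (not part of Apple's article), the following Python script applies the same fifteen-day window to certificates exported from a Mac, so an administrator can see which certificates Mavericks would already be prompting to renew and which have expired. It assumes the input is the two-line `subject=` / `notAfter=` output of `openssl x509 -noout -subject -enddate` for each certificate; the sample output and the audit date are constructed.

```python
"""Audit exported certificates against the 15-day renewal window Mavericks uses."""
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=15)  # Update button and daily notification appear inside this window

# Constructed sample: output of `openssl x509 -noout -subject -enddate`
# run on three exported certificates (two lines per certificate).
SAMPLE = """\
subject= /CN=mac001.example.com/OU=Devices
notAfter=Dec  1 12:00:00 2013 GMT
subject= /CN=vpn-user.example.com
notAfter=Nov 15 08:30:00 2013 GMT
subject= /CN=old-wifi.example.com
notAfter=Oct 30 00:00:00 2013 GMT
"""

# Constructed "today" for the audit (the article's own date); in practice use datetime.utcnow().
AUDIT_DATE = datetime(2013, 11, 6, 12, 0, 0)


def parse_openssl_output(text):
    """Return a list of (subject, notAfter datetime) from paired subject/notAfter lines."""
    certs, subject = [], None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line.split("=", 1)[1].strip()
        elif line.startswith("notAfter="):
            stamp = line.split("=", 1)[1].strip().replace(" GMT", "")
            # openssl prints e.g. "Dec  1 12:00:00 2013 GMT"; strptime tolerates the double space
            certs.append((subject, datetime.strptime(stamp, "%b %d %H:%M:%S %Y")))
            subject = None
    return certs


def renewal_status(not_after, now):
    """Classify one certificate: 'ok', 'renew' (inside the 15-day window) or 'expired'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"   # the Update button no longer helps; the profile must be reinstalled
    if remaining <= RENEWAL_WINDOW:
        return "renew"     # Mavericks shows Update in Profiles and notifies once a day
    return "ok"


def audit(text, now):
    """Map each subject to (status, whole days remaining) for every certificate in the output."""
    return {subj: (renewal_status(exp, now), (exp - now).days)
            for subj, exp in parse_openssl_output(text)}


if __name__ == "__main__":
    for subject, (status, days) in audit(SAMPLE, AUDIT_DATE).items():
        print(f"{status:8} {days:4d} days  {subject}")
```

On a Mac, each certificate can be exported with `security find-certificate -p` and fed through the openssl command above to produce the input lines.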
 
ADCertificate RENEWAL
Click the Update button in the Profiles pane of System Preferences. A new private key will be created and used to sign the certificate request that is sent to the CA. When the new certificate is obtained from the CA, it pairs with the new private key.
 
The original certificate and private key, created when the profile was installed, remain in the keychain.
 
SCEP RENEWAL
Click the Update button in the Profiles pane of System Preferences. The existing private key will be used to sign the certificate request that is sent to the CA. When the renewed certificate is obtained from the CA, it pairs with the original private key.
 
The original certificate, created when the profile was installed, remains in the keychain.

Additional Information

If the profile that was used to obtain the ADCertificate or SCEP certificate is removed from Mavericks, the most recently acquired certificate and the private key will be removed from the keychain in which they reside. The original certificate, now orphaned from its private key, will not be removed and can be manually deleted.

If the profile used to obtain the certificate also contains other payloads linked to the obtained certificate (Network: EAP-TLS, VPN: OnDemand certificate-based authentication, and so forth), when the certificate is renewed the dependent configurations will be updated for the new certificate.

After a certificate is renewed, the installed profile is associated with the new certificate. No additional profiles will be installed or created as a result of the certificate renewal.

Last Modified: Nov 6, 2013
Article: HT5984