OS X Mavericks: Profile-based certificate renewal
OS X Mavericks introduces support for renewal of certificates acquired via configuration profile.
OS X supports two methods of certificate enrollment via configuration profile: Simple Certificate Enrollment Protocol (SCEP) and DCOM/RPC (ADCertificate). ADCertificate relies on a Microsoft Windows Server Certificate Authority (CA). SCEP often uses a Microsoft CA’s Network Device Enrollment Service (NDES).
With OS X Mavericks, certificates acquired via a profile can be renewed via the same installed profile. When the certificate is fifteen days from its expiration date, the certificate profile in the Profiles pane of System Preferences will display an Update button.
If the profile that was used to obtain the ADCert or SCEP certificate is removed from Mavericks, the most recently-acquired certificate and the private key will be removed from the keychain in which they reside. The original certificate, now orphaned from its private key, will not be removed and can be manually deleted.
If the profile used to obtain the certificate also contains other payloads linked to the obtained certificate (Network: EAP-TLS, VPN: OnDemand certificate-based authentication, and so forth), when the certificate is renewed the dependent configurations will be updated for the new certificate.
After a certificate is renewed, the installed profile is associated with the new certificate. No additional profiles will be installed or created as a result of the certificate renewal.
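The fifteen-day threshold above is applied by the Profiles pane; an administrator who wants to find certificates that have entered that window across a fleet, before users see the Update button, can apply the same test with the openssl command-line tool. The following script is an added example, not part of Apple's article: it assumes openssl is installed, constructs two self-signed test certificates (one inside the window, one outside), and reports which would need renewal. Reading certificates out of a keychain on OS X (for instance with `security find-certificate -p`) is left to the reader; the check itself is what the example shows.

```shell
#!/bin/sh
# Added example (not from Apple's article): flag certificates that fall inside the
# fifteen-day renewal window Mavericks applies, using openssl instead of the Profiles pane.
# Assumes the openssl command-line tool is installed. Test certificates are constructed below.

RENEWAL_WINDOW_DAYS=15

# within_renewal_window FILE
#   Exit status 0 when the PEM certificate in FILE expires within RENEWAL_WINDOW_DAYS
#   (or has already expired), 1 when it still has more than that left.
within_renewal_window() {
    window_seconds=$((RENEWAL_WINDOW_DAYS * 86400))
    # `openssl x509 -checkend N` exits 0 if the certificate is still valid N seconds
    # from now, and non-zero if it will have expired by then.
    if openssl x509 -in "$1" -noout -checkend "$window_seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert FILE DAYS
#   Constructs a self-signed certificate valid for DAYS; for demonstration only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed-test-cert" >/dev/null 2>&1
}

# report FILE
#   Prints one line per certificate, prefixed RENEW or OK, with subject and notAfter.
report() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    not_after=$(openssl x509 -in "$1" -noout -enddate)
    if within_renewal_window "$1"; then
        echo "RENEW  $1  $subject  $not_after"
    else
        echo "OK     $1  $subject  $not_after"
    fi
}

# Demonstration run with two constructed certificates.
main() {
    dir=$(mktemp -d)
    make_test_cert "$dir/short.pem" 5      # expires in 5 days: inside the window
    make_test_cert "$dir/long.pem" 365     # expires in a year: outside the window
    report "$dir/short.pem"
    report "$dir/long.pem"
    rm -rf "$dir"
}

main "$@"
```

Because `-checkend` compares notAfter against the current clock, the same function works unchanged on certificates exported from a keychain; a certificate that is already expired is reported as RENEW as well, since the renewal UI would also apply to it.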