This article has been archived and is no longer updated by Apple.

Use Profile-based certificate renewal in macOS

macOS Catalina and earlier can renew certificates that were acquired from a configuration profile.

You can use macOS to renew your certificate enrolment with your configuration profile in two ways:

  • Simple certificate enrolment protocol (SCEP), which often uses a Microsoft certificate authority (CA) Network Device Enrolment Service (NDES).

  • DCOM/RPC (ADCertificate), which relies on a Microsoft Windows Server Certificate Authority (CA).

About certificates

In macOS, you can get and renew your certificate using the same profile. macOS will alert you when a certificate is nearing its expiry date:

  • When a certificate is 15 days away from its expiry date, you'll receive a reminder.

  • When a certificate is less than 15 days away from its expiry date, a banner will appear in Notification Centre. This notification will be repeated once a day until the certificate has expired or it's been updated or removed.

To update a certificate, in the Profiles pane of System Preferences, click the certificate profile, then click Update.

Renew with ADCertificate

In the Profiles pane of System Preferences, click the Update button to create a new private key. The new private key is used to sign the certificate request sent to the CA, and the new certificate issued by the CA is paired with the new private key.

The original certificate and private key that were created when the profile was installed will remain in the keychain.

Find out how to automatically renew certificates that were delivered via a configuration profile.

Renew with SCEP

Click the Update button in the Profiles pane of System Preferences. The current private key is used to sign the certificate request sent to the CA. After the CA has renewed the certificate, macOS pairs it with the original private key.

The original certificate that was created when the profile was installed will remain in the keychain.

Renew through the command line

In macOS 10.12 Sierra and later, you can renew the ADCertificate and SCEP profile-generated certificates with the /usr/bin/profiles command. Use the following syntax in the command line:

profiles -W -p <profileIdentifier>

You can find the "profileIdentifier" value by listing the installed profiles with the -L command argument.

Set up renewal notifications

Yosemite and later versions of macOS will display a daily notification when the certificate has less than 14 days left until it will expire.

You can change the daily notification time using two configuration parameters called CertificateRenewalTimeInterval and CertificateRenewalTimePercent:

CertificateRenewalTimeInterval
  Application method: Profile Manager configuration profile (ADCert or SCEP)
  Allowed values: Greater than 14 days, or less than the maximum lifetime of the certificate in days
  Value type: Days (integer)

CertificateRenewalTimePercent
  Application method: /usr/sbin/defaults
  Allowed values: Between 1 and 50
  Value type: Percentage (integer)

You can apply the CertificateRenewalTimePercent with syntax like this:

sudo defaults write /Library/Preferences/com.apple.mdmclient CertificateRenewalTimePercent -int 25

You can use these two settings together:

  • If CertificateRenewalTimeInterval is defined in the profile, use that value.

  • If CertificateRenewalTimeInterval isn't defined in the profile but CertificateRenewalTimePercent is defined on the client, use the CertificateRenewalTimePercent value.

If neither value has been defined, the time interval will be set to 14 days.
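The precedence rules above, worked through as an added shell example that is not Apple's code. It assumes CertificateRenewalTimePercent is applied to the certificate's total lifetime, and it takes constructed values instead of reading the profile or the keychain.

```shell
#!/bin/sh
# Added example (not Apple's code): compute the renewal notification window
# that the CertificateRenewalTimeInterval / CertificateRenewalTimePercent
# precedence rules produce. Inputs are constructed values, not keychain data.

# Usage: renewal_window_days <lifetime_days> <profile_interval_days|""> <client_percent|"">
# Prints the number of days before expiry at which daily notifications start.
renewal_window_days() {
    lifetime="$1"; interval="$2"; percent="$3"

    # Rule 1: a CertificateRenewalTimeInterval set in the profile wins outright.
    # Allowed values are above 14 days and below the certificate's lifetime.
    if [ -n "$interval" ]; then
        if [ "$interval" -le 14 ] || [ "$interval" -ge "$lifetime" ]; then
            echo "invalid CertificateRenewalTimeInterval: $interval" >&2
            return 1
        fi
        echo "$interval"
        return 0
    fi

    # Rule 2: otherwise a client-side CertificateRenewalTimePercent (1-50)
    # is taken as a percentage of the certificate lifetime (assumption).
    if [ -n "$percent" ]; then
        if [ "$percent" -lt 1 ] || [ "$percent" -gt 50 ]; then
            echo "invalid CertificateRenewalTimePercent: $percent" >&2
            return 1
        fi
        echo $(( lifetime * percent / 100 ))
        return 0
    fi

    # Rule 3: neither value is defined, so the default 14-day window applies.
    echo 14
}

# Succeeds when a certificate with <days_left> days remaining is inside the window,
# i.e. when macOS would be posting the daily renewal notification.
needs_renewal_notice() {
    [ "$1" -lt "$2" ]
}

# Constructed scenario: 365-day certificate, no profile interval, client percent 25.
window=$(renewal_window_days 365 "" 25)
if needs_renewal_notice 10 "$window"; then
    echo "10 days left, window is $window days: daily notification would be shown"
fi
```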

Learn more

If the profile you used to create the ADCert or SCEP certificate is removed on Mavericks or a later version of macOS, the most recent certificate and private key are removed from the keychain, but the original certificate is not. You'll have to delete it yourself.

The profile you used to get the certificate may have other payloads linked to the certificate, such as a Network payload using EAP-TLS or a VPN payload using OnDemand certificate-based authentication. After the certificate has been renewed, the dependent configurations are updated to use the new certificate.

After a certificate has been renewed, the installed profile is associated with the new certificate; no additional profiles are installed or created.
