OS X supports two methods of certificate enrollment using a configuration profile: Simple Certificate Enrollment Protocol (SCEP), and DCOM/RPC (ADCertificate). ADCertificate relies on a Microsoft Windows Server Certificate Authority (CA) reached over DCOM/RPC. SCEP often uses a Microsoft CA's Network Device Enrollment Service (NDES), though any SCEP server works.
In OS X, certificates acquired through a profile can be renewed using the same installed profile. When the certificate enters its renewal window (14 days before its expiration date by default; see Configuring Renewal Notifications below), the certificate profile in the Profiles pane of System Preferences displays an Update button.
Notification Center also displays a banner when the certificate enters the renewal window.
This notification repeats once a day until the certificate expires or action is taken.
Which key pair the renewed certificate uses depends on the enrollment method the profile used. With one method a new key pair is generated; with the other the existing key is reused.
Renewal with a new key pair: click the Update button in the Profiles pane of System Preferences. A new private key is created and used to sign the certificate request that is sent to the Certificate Authority (CA). When the new certificate is obtained from the CA, it pairs with the new private key.
The original certificate and private key that were created when the profile was installed remain in the keychain.
Renewal with the existing key pair: click the Update button in the Profiles pane of System Preferences. The existing private key is used to sign the certificate request that is sent to the Certificate Authority (CA). When the renewed certificate is obtained from the CA, it pairs with the original private key.
The original certificate created when the profile was installed remains in the keychain.
Configuring Renewal Notifications
By default, OS X Yosemite displays a daily notification when the acquired certificate is within 14 days of expiration. OS X Yosemite offers two configuration parameters that can modify this behavior: CertificateRenewalTimeInterval and CertificateRenewalTimePercent. Here are some details about each:
| Parameter Name | Application Method | Allowed Values | Value Type |
|---|---|---|---|
| CertificateRenewalTimeInterval | Profile Manager configuration profile (ADCert or SCEP payload) | Greater than 14 days and less than the maximum lifetime of the certificate, in days | Days |
| CertificateRenewalTimePercent | /usr/sbin/defaults on the client | Between 1 and 50 | Percentage (integer) |
CertificateRenewalTimePercent is applied with syntax like the following:
sudo defaults write /Library/Preferences/com.apple.mdmclient CertificateRenewalTimePercent -int 25
The two settings can be used together; they are evaluated in this order:
- If CertificateRenewalTimeInterval is defined in the profile, its value is used.
- If CertificateRenewalTimeInterval is *not* defined in the profile but CertificateRenewalTimePercent is defined on the client, CertificateRenewalTimePercent's value is used.
- If neither is explicitly defined, a value of 14 days is assumed for CertificateRenewalTimeInterval.
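The following is an added example, not Apple's code or anything from this page: a small Python model of the renewal-timing rules in the table and the precedence list above. It parses a certificate's validity window from `openssl x509 -noout -dates` output, applies the profile-interval > client-percent > 14-day-default order, rejects values outside the documented ranges, and reports the date on which the Update button and the daily banner first appear. Two points are assumptions rather than statements from the page: that CertificateRenewalTimePercent is a percentage of the certificate's total lifetime counted back from notAfter, and that a fractional day is truncated. The sample dates are constructed.

```python
# Added example (not Apple's code): a model of the renewal-timing rules
# described in this section. It applies the documented precedence to a
# certificate's validity window and reports when the Update button and the
# daily Notification Center banner should first appear.
#
# Assumptions not stated on the page:
#   - CertificateRenewalTimePercent is a percentage of the certificate's
#     total lifetime, counted back from notAfter.
#   - A fractional day from the percent calculation is truncated.
from datetime import datetime, timedelta
from typing import Optional, Tuple

DEFAULT_RENEWAL_DAYS = 14          # used when neither parameter is set
PERCENT_MIN, PERCENT_MAX = 1, 50   # allowed range of CertificateRenewalTimePercent
MDMCLIENT_PLIST = "/Library/Preferences/com.apple.mdmclient"


def parse_openssl_dates(text: str) -> Tuple[datetime, datetime]:
    """Parse the two lines printed by `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return fields["notBefore"], fields["notAfter"]


def renewal_lead_days(lifetime_days: int,
                      interval_days: Optional[int] = None,
                      percent: Optional[int] = None) -> int:
    """Days before notAfter at which renewal prompting begins.

    Precedence: profile interval > client percent > 14-day default.
    Raises ValueError for values outside the documented ranges.
    """
    if interval_days is not None:
        # The profile value wins, but must be > 14 days and < the cert lifetime.
        if not DEFAULT_RENEWAL_DAYS < interval_days < lifetime_days:
            raise ValueError(
                f"CertificateRenewalTimeInterval must be > {DEFAULT_RENEWAL_DAYS} "
                f"and < the certificate lifetime ({lifetime_days} days)")
        return interval_days
    if percent is not None:
        if not PERCENT_MIN <= percent <= PERCENT_MAX:
            raise ValueError(
                f"CertificateRenewalTimePercent must be between {PERCENT_MIN} and {PERCENT_MAX}")
        return lifetime_days * percent // 100   # assumption: percent of total lifetime
    return DEFAULT_RENEWAL_DAYS


def settings_are_valid(lifetime_days: int,
                       interval_days: Optional[int] = None,
                       percent: Optional[int] = None) -> bool:
    """True if the supplied settings fall inside the documented ranges."""
    try:
        renewal_lead_days(lifetime_days, interval_days, percent)
        return True
    except ValueError:
        return False


def renewal_start(not_before: datetime, not_after: datetime,
                  interval_days: Optional[int] = None,
                  percent: Optional[int] = None) -> datetime:
    """Date on which the Update button and the daily banner first appear."""
    lifetime_days = (not_after - not_before).days
    lead = renewal_lead_days(lifetime_days, interval_days, percent)
    return not_after - timedelta(days=lead)


def defaults_command(percent: int) -> str:
    """The client-side `defaults write` from the text, range-checked first."""
    if not PERCENT_MIN <= percent <= PERCENT_MAX:
        raise ValueError(
            f"CertificateRenewalTimePercent must be between {PERCENT_MIN} and {PERCENT_MAX}")
    return (f"sudo defaults write {MDMCLIENT_PLIST} "
            f"CertificateRenewalTimePercent -int {percent}")


# Constructed sample: `openssl x509 -noout -dates` output for a one-year certificate.
SAMPLE_DATES = """\
notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2016 GMT
"""

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    cases = [
        ("neither set (14-day default)", {}),
        ("percent=25 on the client", {"percent": 25}),
        ("interval=60 in profile, percent=25 on client", {"interval_days": 60, "percent": 25}),
    ]
    for label, kw in cases:
        print(f"{label}: prompting begins {renewal_start(nb, na, **kw):%Y-%m-%d}")
    print("to set the client value:", defaults_command(25))
```

For a one-year certificate the default prompts 14 days out, a client-side percent of 25 prompts 91 days out, and a profile interval of 60 days overrides the client percent entirely. Run it against a real certificate by piping `openssl x509 -in cert.pem -noout -dates` into `parse_openssl_dates`; note that with a profile-supplied interval, an interval of 14 days or one equal to or longer than the certificate's lifetime is rejected, matching the table's bounds.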
If the profile that was used to obtain the ADCert or SCEP certificate is removed from a Mac running OS X Mavericks, the most recently acquired certificate and its private key are removed from the keychain in which they reside. The original certificate, now orphaned from its private key, is not removed and must be deleted manually. Because renewal leaves earlier certificates (and, in the new-key-pair case, earlier private keys) in the keychain, check for and remove these leftovers after removing a profile so that stale credentials do not accumulate.
If the profile used to obtain the certificate also contains other payloads that reference the obtained certificate (Network: EAP-TLS, VPN: OnDemand certificate-based authentication, and so forth), those dependent configurations are updated to use the new certificate when it is renewed.
After a certificate is renewed, the installed profile is associated with the new certificate. No additional profiles will be installed or created as a result of the certificate renewal.