Use Profile-based certificate renewal in macOS

Current versions of macOS include support to renew certificates acquired from a configuration profile.

You can use macOS to renew your certificate enrollment with your configuration profile via two methods:

  • Simple certificate enrollment protocol (SCEP), which often uses a Microsoft certificate authority (CA) Network Device Enrollment Service (NDES).
  • DCOM/RPC (ADCertificate), which relies on a Microsoft Windows Server Certificate Authority (CA). 

About certificates

In macOS, you can get and renew your certificate with the same profile. When the certificate is 15 days from its expiration date, you get a reminder. In the certificate profile in the Profiles pane of System Preferences, click Update. When you have less than 15 days before your certificate expires, you see a banner in the Notification Center. This notification repeats once a day until the certificate expires or you take action

Renew with ADCertificate

In the Profiles pane of System Preferences, click the Update button to create a new private key. The new private key is used to sign the certificate request that’s sent to the CA. The new certificate from the CA is paired with the new private key.

The original certificate and private key that were created when the profile was installed stay in the keychain.

Renew with SCEP

Click the Update button in the Profiles pane of System Preferences. The current private key is used to sign the certificate request that’s sent to the CA. When CA renews the certificate, it pairs it with the original private key.

The original certificate that was created when the profile was installed stays in the keychain.

Renew through the command line

In macOS 10.12 Sierra, you can renew the ADCertificate and SCEP profile-generated certificates with the /usr/bin/profiles command. Use the following syntax in the command line:

profiles -W -p <profileIdentifier value>

You can find the "profileIdentifier" value by listing the installed profiles with the -L command argument.

Set up renewal notifications

Yosemite and later versions of macOS displays a daily notification when the certificate has less than 14 days until it expires.

You can change the daily notification time with two configuration parameters called CertificateRenewalTimeInterval and CertificateRenewalTimePercent:

Parameter  Application Method Allowed Values Value Type
CertificateRenewalTimeInterval Profile Manager configuration profile: ADCert or SCEP Greater than 14 days, or less than the maximum lifetime of the certificate in days Days (integer)
CertificateRenewalTimePercent /usr/sbin/defaults Between 1 and 50 Percentage (integer)

You can apply the CertificateRenewalTimePercent with syntax like this:

sudo defaults write /Library/Preferences/com.apple.mdmclient CertificateRenewalTimePercent -int 25

You can use these two settings together:

  • If CertificateRenewalTimeInterval is defined in the profile, use that value.
  • If CertificateRenewalTimeInterval isn't defined in the profile, but is defined on the client, use the value of the CertificateRenewalTimePercent.

If neither value is defined, the time interval is set to 14 days.

Learn More

The profile you used to create the ADCert or SCEP certificate might be removed. If you use Mavericks or a later version of macOS, the most recent certificate and private key are removed from the keychain, but the original certificate isn’t. You have to delete it.

The profile you used to get the certificate might have other payloads linked to the certificate. Examples of payloads include Network: EAP-TLS, VPN: OnDemand certificate-based authentication. When the certificate is renewed, the dependent configurations are updated for the new certificate.

After a certificate is renewed, the installed profile is associated with the new certificate. When a certificate is renewed, no additional profiles are installed or created.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date: