Use Profile-based certificate renewal in macOS
macOS Catalina and earlier include support to renew certificates acquired from a configuration profile.
You can use macOS to renew your certificate enrollment with your configuration profile via two methods:
Simple certificate enrollment protocol (SCEP), which often uses a Microsoft certificate authority (CA) Network Device Enrollment Service (NDES).
DCOM/RPC (ADCertificate), which relies on a Microsoft Windows Server Certificate Authority (CA).
In macOS, you can get and renew your certificate with the same profile. macOS alerts you as a certificate nears its expiration date:
When a certificate is 15 days from its expiration date, you get a reminder.
When a certificate is less than 15 days from its expiration date, a banner appears in Notification Center. This notification repeats once a day until the certificate expires or you update or remove it.
To update a certificate, in the Profiles pane of System Preferences, click the certificate profile, then click Update.
Renew with ADCertificate
In the Profiles pane of System Preferences, click the Update button to create a new private key. The new private key is used to sign the certificate request that’s sent to the CA. The new certificate from the CA is paired with the new private key.
The original certificate and private key that were created when the profile was installed stay in the keychain.
Renew with SCEP
Click the Update button in the Profiles pane of System Preferences. The current private key is used to sign the certificate request that’s sent to the CA. When CA renews the certificate, it pairs it with the original private key.
The original certificate that was created when the profile was installed stays in the keychain.
Renew through the command line
In macOS 10.12 Sierra and later, you can renew the ADCertificate and SCEP profile-generated certificates with the
/usr/bin/profiles command. Use the following syntax in the command line:
profiles -W -p <profileIdentifier value>
You can find the "profileIdentifier" value by listing the installed profiles with the -L command argument.
Set up renewal notifications
Yosemite and later versions of macOS display a daily notification when the certificate has less than 14 days until it expires.
You can change the daily notification time with two configuration parameters called CertificateRenewalTimeInterval and CertificateRenewalTimePercent:
Profile Manager configuration profile: ADCert or SCEP
Greater than 14 days, or less than the maximum lifetime of the certificate in days
Between 1 and 50
You can apply the CertificateRenewalTimePercent with syntax like this:
sudo defaults write /Library/Preferences/com.apple.mdmclient CertificateRenewalTimePercent -int 25
You can use these two settings together:
If CertificateRenewalTimeInterval is defined in the profile, use that value.
If CertificateRenewalTimeInterval isn't defined in the profile, but is defined on the client, use the value of the CertificateRenewalTimePercent.
If neither value is defined, the time interval is set to 14 days.
The profile you used to create the ADCert or SCEP certificate might be removed. If you use Mavericks or a later version of macOS, the most recent certificate and private key are removed from the keychain, but the original certificate isn’t. You have to delete it.
The profile you used to get the certificate might have other payloads linked to the certificate. Examples of payloads include Network: EAP-TLS, VPN: OnDemand certificate-based authentication. When the certificate is renewed, the dependent configurations are updated for the new certificate.
After a certificate is renewed, the installed profile is associated with the new certificate. When a certificate is renewed, no additional profiles are installed or created.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.