Patrick Fist

Q: Replacing SCEP Certificate

Hello,

How can I replace the SCEP certificate identity which is used by default by the profile service?

I am planning to use the MDM Profile service in our company environment. I see in OS X Client/System Preferences/Profiles that the CA of the SCEP part is a default one called "IntermediateCA_DOMAIN.NAME.COM_1".

With this configuration the profile service currently works fine, but the certificate expires in one year. I would just like to know how to replace the certificate when it has expired.

Before I know or understand this, I don't want to enroll the profile service in my enterprise environment.

Thanks for your support and answer,

Patrick

Posted on Mar 26, 2013 8:49 AM

poolecl (Level 1, 0 points), Sep 27, 2015 10:44 AM, in response to Patrick Fist:

Has anyone ever figured this out? I have found that my devices have all expired and am faced with wiping them all to get them managed again?!? Even if I do, I have found no apparent way to prevent the certificates from expiring again.

mscott_mdm (Level 2, 225 points), Sep 29, 2015 12:43 PM, in response to Patrick Fist:

Since at least Server 3.2.2 (probably earlier), Profile Manager will automatically re-enroll devices as their SCEP identities near expiration (where "near" is defined as less than 6 months, to allow for devices being offline for a very long time). This re-enrollment exists explicitly to renew these SCEP identities, because if they do expire the device will have to be re-enrolled manually.

The SCEP identities are signed by the OD Intermediate CA, and I don't think there is any way to change this. However, that OD identity should be valid for 5 years from when it was originally created and should be renewable within Server.app as it nears expiration.

    In short, you shouldn't need to worry about this.
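The renewal rule described in the reply above (re-enroll while less than 6 months remain; manual re-enrollment once expired), as an added admin-side check that is not part of the thread or of Profile Manager itself. It assumes you already have each device's SCEP identity expiry date and the OD Intermediate CA's expiry date (for example from an MDM inventory export); the 180-day window and all sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Approximation of the "< 6 months" re-enrollment window mentioned in the thread
# (assumed value; Profile Manager's exact threshold is not documented here).
RENEWAL_WINDOW = timedelta(days=180)


def classify_identity(identity_not_after, ca_not_after, now):
    """Return 'expired', 'renew-window' or 'ok' for one device's SCEP identity.

    The identity is only usable while its issuing OD Intermediate CA is valid
    too, so the effective expiry is the earlier of the two dates.
    """
    effective = min(identity_not_after, ca_not_after)
    if effective <= now:
        return "expired"          # device must be re-enrolled by hand
    if effective - now < RENEWAL_WINDOW:
        return "renew-window"     # automatic re-enrollment should be happening
    return "ok"


def expiry_report(inventory, ca_not_after, now):
    """Group device names by state; inventory maps device -> identity notAfter."""
    report = {"expired": [], "renew-window": [], "ok": []}
    for device, not_after in sorted(inventory.items()):
        report[classify_identity(not_after, ca_not_after, now)].append(device)
    return report


# Constructed sample data (not from the thread): a reference "now", a CA that
# is itself within six months of expiry, and three device identities.
NOW = datetime(2015, 9, 29, tzinfo=timezone.utc)
OD_CA_NOT_AFTER = datetime(2016, 3, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "mac-01": datetime(2015, 6, 1, tzinfo=timezone.utc),    # already lapsed
    "mac-02": datetime(2015, 12, 20, tzinfo=timezone.utc),  # < 6 months left
    "mac-03": datetime(2017, 1, 1, tzinfo=timezone.utc),    # capped by the CA's expiry
}

if __name__ == "__main__":
    for state, devices in expiry_report(SAMPLE_INVENTORY, OD_CA_NOT_AFTER, NOW).items():
        print(f"{state:13s} {', '.join(devices) or '-'}")
```

Note that mac-03 lands in the renewal window only because its issuing CA expires first, which is the case to watch for when the OD identity itself is nearing its 5-year limit.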