
Replacing SCEP Certificate

Hello,


How can I replace the SCEP Certificate Identity which is used by default by the profile service?


I am planning to use the MDM Profile service in our company environment. I see on the OS X Client/System Preferences/Profiles that the CA of the SCEP Part is a default one called "IntermediateCA_DOMAIN.NAME.COM_1".


At this time and with this configuration the profile service works fine, but the certificate expires in one year. I would just like to know how to replace the certificate at the time when it is expired.

Until I know or understand this, I don't want to enroll the profile service in my enterprise environment.



Thanks for your support and answer,



Patrick

Posted on Mar 26, 2013 8:49 AM

2 replies

Sep 29, 2015 12:43 PM in response to Patrick Fist

Since at least Server 3.2.2 (probably earlier), Profile Manager will automatically re-enroll devices as their SCEP identities near expiration. (Where "near" is defined as < 6 months, to allow for devices being offline for a very long time.) This re-enrollment is explicitly to renew these SCEP identities because if they do expire the device will have to manually be re-enrolled.


The SCEP identities are signed by the OD Intermediate CA, and I don't think there is any way to change this. However, that OD identity should be valid for 5 years from when it was originally created and should be renewable within Server.app as it nears expiration.


In short, you shouldn't need to worry about this.
