If you are using AD certificates inside a configuration profile, here is the easiest way to make them renew automatically:
sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES
I have set up an extension attribute to check which Macs need this remediation:
#!/bin/bash
# Read the auto-renew flag; silence the error defaults prints when the key has never been written,
# so a missing key shows up as an empty result rather than stderr noise.
status=$(sudo defaults read /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled 2>/dev/null)
echo "<result>$status</result>"
Any Mac whose result is not 1 will get remediated 🙂
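As an added example that is not part of the original post, here is the remediation side for the Macs the extension attribute flags. It assumes the MDM runs it as root (so no sudo) against the same plist and key as above, treats a missing key as "not enabled", and verifies the write; the expired-identity helper parses the output of security find-identity.

```bash
#!/bin/bash
# Added example, not code from the original post: a remediation script for the
# Macs whose extension attribute did not return 1. It reads the same preference
# the post uses, treats a missing key as "not enabled", writes it and verifies.
# Assumption: run as root by the MDM (so no sudo) on Sierra or later.
PLIST="/Library/Preferences/com.apple.mdmclient"
KEY="AutoRenewCertificatesEnabled"

# Normalise what `defaults read` printed: 1/YES/true -> 1, anything else
# (including the empty string returned when the key was never written) -> 0.
normalize_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|yes|true) echo 1 ;;
    *)          echo 0 ;;
  esac
}

# `defaults read` exits non-zero and prints only to stderr when the key is
# absent, so an empty string here means "missing".
current_value() {
  defaults read "$PLIST" "$KEY" 2>/dev/null || true
}

# Return 0 when the Mac needs remediation, 1 when it is already compliant.
needs_remediation() {
  [ "$(normalize_bool "$1")" != "1" ]
}

# Print the SHA-1 hashes of identities that `security find-identity` marks as
# expired (read from stdin); those lines carry CSSMERR_TP_CERT_EXPIRED.
expired_identity_hashes() {
  awk '/EXPIRED/ { print $2 }'
}
main() {
  before=$(current_value)
  if needs_remediation "$before"; then
    defaults write "$PLIST" "$KEY" -bool YES
    if [ "$(normalize_bool "$(current_value)")" != "1" ]; then
      echo "failed to enable $KEY" >&2; return 1
    fi
    echo "enabled $KEY (was: '${before:-unset}')"
  else
    echo "$KEY already enabled"
  fi
  # Auto-renew only helps before expiry, so also report what is already expired.
  security find-identity 2>/dev/null | expired_identity_hashes
}
# `defaults` and `security` exist only on macOS; skip the live run elsewhere.
if command -v defaults >/dev/null 2>&1; then main; fi
```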
Here are the links from Apple; this works on Sierra and up.
By default, the auto renewal time is 14 days before expiring.
Links to read:
https://support.apple.com/en-us/HT204836
https://support.apple.com/en-us/HT204446
To find expired certificates:
# Collect the SHA-1 hashes of identities the keychain reports as expired
expired=$(security find-identity | grep EXPIRED | awk '{print $2}')
To delete a certificate:
# Look up every certificate with the given name, print its SHA-1, and delete each match by hash
security find-certificate -c "certificatename" -a -Z | \
sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'