Occasional Contributor I
Posts: 7
Registered: 02-12-2016

SCEP certificate renewal via OSX

Running into an issue renewing certificates that were issued via SCEP/device profiles with Clearpass Onboard. As the certificates come up as due to expire, OSX dutifully pops up and offers to renew the certificate, however if you click on the "update" button it returns the following error:

"The server at http://clearpass/guest/mdps_scep.php/16 does not support certificate renewal"

Running tcpdump whilst this happens shows a request to the SCEP URL above with an argument of "operation=getCACaps&message=", and a response of the following:

POSTPKIOperation
SHA-1
DES3

Is there something I need to change within Onboard to add a capability for supporting SCEP renewal?

Moderator
Posts: 470
Registered: 11-09-2012

Re: SCEP certificate renewal via OSX

Simon,

We've had issues with the profile renewal on OS X - it likes to delete the old profile before installing the new one, which dumps the WiFi connection and breaks the whole process.

I spoke to DEV and they said "wasn't aware that there's some way to just get it to do a SCEP request to renew the certificate rather than the whole profile. Maybe it was added in a newer release of OS X? What version are you attempting this on?"

Can you share the exact OS X Version please so we can take a look at this internally?

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor I
Posts: 7
Registered: 02-12-2016

Re: SCEP certificate renewal via OSX

Sure Thing - I'm running Yosemite (10.10.5) and we also have El Capitan machines that behave the same way.

The renewal is following this https://support.apple.com/en-us/HT204446 - using SCEP.

Looking at the RFC the server would need to return a capability of "Renewal" for this to happen - https://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.2

As you say, attempting to replace the profile in one go to essentially replace vs renew the client cert tends to end up dropping the client off the network (I've tested this via Jamf), so I'm not sure what the recommended way to manage replacing expiring certs would be?
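
The GetCACaps check described in the post above, as an added example that is not part of this thread or of ClearPass: it builds the query a client sends, parses a GetCACaps body (the sample bodies are constructed; the first mirrors the thread's tcpdump output) and reports whether the Renewal capability the draft requires is advertised. The list of known keywords and the legacy-algorithm check are this example's own assumptions drawn from the draft and RFC 8894.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Capability keywords a SCEP server may advertise in a GetCACaps response
# (draft-nourse-scep-23 Appendix C.2; RFC 8894 later added AES and SCEPStandard).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}
LEGACY_ALGS = {"DES3", "SHA-1"}

# Constructed sample bodies. The first mirrors what the thread's tcpdump showed.
THREAD_CAPS = "POSTPKIOperation\r\nSHA-1\r\nDES3\r\n"
RENEWAL_CAPS = "POSTPKIOperation\nRenewal\nSHA-256\nAES\n"


def ca_caps_url(scep_url):
    """Build the GetCACaps query for a SCEP endpoint (query replaced, fragment dropped)."""
    p = urlsplit(scep_url)
    query = urlencode({"operation": "GetCACaps", "message": ""})
    return urlunsplit((p.scheme, p.netloc, p.path, query, ""))


def parse_ca_caps(body):
    """Parse the plain-text body: one keyword per line, CRLF or LF, blank lines ignored.
    Keywords are matched exactly as listed in the draft (no case folding)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def supports_renewal(caps):
    """True only if the server explicitly advertises the Renewal capability."""
    return "Renewal" in caps


def diagnose(body):
    """Return findings for a GetCACaps body: renewal support, legacy-only algorithms, unknown keywords."""
    caps = parse_ca_caps(body)
    findings = []
    if not supports_renewal(caps):
        findings.append("no Renewal capability: clients will refuse to renew via this endpoint")
    strong = caps & {"SHA-256", "SHA-512", "AES"}
    if caps & LEGACY_ALGS and not strong:
        findings.append("only legacy algorithms advertised (%s)" % ", ".join(sorted(caps & LEGACY_ALGS)))
    unknown = caps - KNOWN_CAPS
    if unknown:
        findings.append("unknown keywords ignored: %s" % ", ".join(sorted(unknown)))
    return findings


if __name__ == "__main__":
    print(ca_caps_url("http://clearpass/guest/mdps_scep.php/16"))
    for finding in diagnose(THREAD_CAPS):
        print("-", finding)
```

Run against a live endpoint by fetching `ca_caps_url(...)` and passing the response text to `diagnose`; a body like the thread's yields two findings, the missing Renewal keyword and the SHA-1/DES3-only algorithm set.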
Moderator
Posts: 470
Registered: 11-09-2012

Re: SCEP certificate renewal via OSX

Simonh,

Sorry for my delay... I've had conversations with one of our DEV team, and they have done some testing with the latest El Cap OSX with no major progress. They have asked:

The SCEP URL reported suggests they are using the Onboard SCEP server in stand alone mode (presumably creating the configuration profile via some other mechanism?)

Could you confirm exactly how they are using Onboard here, and if my suspicion that they are using it as just a SCEP server is correct, if they could send along a copy of the .mobileconfig file they're using (or details how else they're configuring the OS X client to do SCEP)?

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Occasional Contributor I
Posts: 7
Registered: 02-12-2016

Re: SCEP certificate renewal via OSX

Hi Danny

We are indeed doing this externally. We use Casper JAMF to push out a MDM profile to the device that contains the following:

Wireless network: XXXXXXX, use certificate YY

SCEP Enrollment: certificate YY obtained from SCEP URL http://clearpass/guest/mdps_scep.php/12
I'm not sure if I can get the mobileconfig file as it's all generated internally within JAMF, but that's the gist of it above. We ship CA certs via a separate profile.

Moderator
Posts: 470
Registered: 11-09-2012

Re: SCEP certificate renewal via OSX

Hi Simon,

Thanks for the below - a copy of mobileconfig would be very useful.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Moderator
Posts: 470
Registered: 11-09-2012

Re: SCEP certificate renewal via OSX

Hi Simon,

Good news. I've managed to get this fixed. It has been checked into the 6.6 code which we plan on releasing late-March/early-April. This will provide a way for OS X to renew its certificates in workflows where the .mobileconfig is coming from another source (unfortunately the workflow Onboard uses attempts to renew the entire .mobileconfig and hence does not apply). So please be aware of that.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Occasional Contributor I
Posts: 7
Registered: 02-12-2016

Re: SCEP certificate renewal via OSX

Thanks Danny - that's great news!

Let me know if there are any opportunities to beta test this at all, since it's a slightly pressing issue for us right now.
Contributor II
Posts: 63
Registered: 10-17-2011

Re: SCEP certificate renewal via OSX

Hi everyone,

I think I may be running into a similar issue. Our school district has a few hundred Mac Minis and iMacs that are used by students. They are on-boarded using ClearPass with a certificate. Many of them were on-boarded a year ago, and their enrollment certificates are expiring. I was under the impression that the enrollment certificate wouldn't affect the other certs (e.g. RADIUS certificate), but some have already expired, and I'm hearing from several sites that their wireless Macs are no longer connecting to the network.

Is there any way to specify a period longer than 1 year for validity of the enrollment certificate? Like, say, forever? Or maybe 10 or 20 years? Our site techs have enough to do without having to go touch a hundred Macs and re-enroll them.... not to mention the fact that I'm leaving to go out of the country for a week tomorrow, and won't be able to help them while I'm gone... Anything I can do for them before the certs all expire?

Thanks!

Guru Elite
Posts: 8,052
Registered: 09-08-2010

Re: SCEP certificate renewal via OSX

Certificate expiration is set at the CA level.

One quick question. Are you also supporting BYOD devices with username/password on the same SSID?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP