Summary
This command shows one way to remove an old or expired RADIUS certificate from a user's login keychain so that the replacement RADIUS certificate can take its place without the two being confused.
Basic Usage
- You will need the old certificate's SHA-1 hash, or a string that matches only its common name; the tool requires a unique match, and once the replacement certificate is installed under the same common name, only the hash is unique
- Create a command similar to the setup shown here
- The script acts on whichever user owns /dev/console, i.e. the user currently logged in at the console (root when nobody is logged in); check that this is the intended user before running it
- Add -t if user trust settings were also set for the old certificate, so they are removed along with it
Additional Information
If the certificate's SHA-1 hash is unknown, security delete-certificate can also select the certificate by common name. From security help delete-certificate:
Usage: delete-certificate [-c name] [-Z hash] [-t] [keychain...]
    -c  Specify certificate to delete by its common name
    -Z  Specify certificate to delete by its SHA-1 hash value
    -t  Also delete user trust settings for this certificate
The certificate to be deleted must be uniquely specified either by a string found in its common name, or by its SHA-1 hash.
If no keychains are specified to search, the default search list is used.
Script
# Get the user currently logged in at the console (the owner of /dev/console) and put it into "lastUser"
lastUser=$(stat -f %Su /dev/console)
# With nobody logged in, /dev/console is owned by root: stop rather than touch the wrong keychain
if [ "$lastUser" = "root" ] || [ ! -d "/Users/$lastUser" ]; then echo "No console user logged in" >&2; exit 1; fi
## Delete the expired radius.jumpcloud.com certificate by its SHA-1 hash from that user's login keychain
security delete-certificate -Z <SHA-1 HASH> "/Users/$lastUser/Library/Keychains/login.keychain-db"
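The script above needs the hash typed in by hand, and deleting by common name stops working as soon as the new RADIUS certificate with the same name is installed alongside the old one. The following is an added example (not from the original post) that finds the hashes itself: it lists every certificate matching the common name with security find-certificate, keeps only the ones whose notAfter date has passed, and deletes just those by SHA-1 hash. It assumes that security find-certificate -a -c NAME -Z -p prints, for each match, a "SHA-1 hash:" line followed later by that certificate's PEM block, and that openssl is on PATH. The listing in SAMPLE_LISTING is constructed with placeholder PEM bodies to exercise the parsing; on a Mac the delete_expired_certs function runs against the real keychain.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the listing format of
# `security find-certificate -a -c NAME -Z -p` (a "SHA-1 hash: <hex>" line for
# each match, followed by its PEM block) and that openssl is available.

# Split a find-certificate -Z -p listing (read from stdin) into one PEM file
# per certificate, named <SHA-1 hash>.pem inside directory $1.
split_certs_by_hash() {
  outdir=$1
  awk -v dir="$outdir" '
    /^SHA-1 hash:/            { hash = $3 }
    /^-----BEGIN CERTIFICATE/ { out = dir "/" hash ".pem" }
    out != ""                 { print > out }
    /^-----END CERTIFICATE/   { close(out); out = "" }
  '
}

# Print the hash (file name) of every certificate in $1 that is already expired.
# `openssl x509 -checkend 0` exits non-zero when notAfter is in the past.
expired_cert_hashes() {
  for pem in "$1"/*.pem; do
    [ -f "$pem" ] || continue
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
      basename "$pem" .pem
    fi
  done
}

# Delete every expired certificate whose common name matches $1 from keychain $2
# (macOS only). Pass "-t" as $3 to also drop user trust settings for each one.
delete_expired_certs() {
  name=$1; keychain=$2; trustflag=${3:-}
  tmp=$(mktemp -d) || return 1
  security find-certificate -a -c "$name" -Z -p "$keychain" \
    | split_certs_by_hash "$tmp"
  for hash in $(expired_cert_hashes "$tmp"); do
    echo "deleting expired $name ($hash) from $keychain" >&2
    security delete-certificate -Z "$hash" $trustflag "$keychain"
  done
  rm -rf "$tmp"
}

# Constructed sample listing (not captured from a real Mac): two certificates
# with the same common name and different hashes, with placeholder PEM bodies.
SAMPLE_LISTING='SHA-1 hash: 0000000000000000000000000000000000000001
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
attributes:
    "labl"<blob>="radius.jumpcloud.com"
-----BEGIN CERTIFICATE-----
MIIBexampleOLD
-----END CERTIFICATE-----
SHA-1 hash: 0000000000000000000000000000000000000002
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
attributes:
    "labl"<blob>="radius.jumpcloud.com"
-----BEGIN CERTIFICATE-----
MIIBexampleNEW
-----END CERTIFICATE-----'

# Self-check: how many PEM files does the sample listing split into?
sample_split_count() {
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_LISTING" | split_certs_by_hash "$d"
  ls "$d"/*.pem | wc -l | tr -d ' '
  rm -rf "$d"
}

# Usage on a Mac, after the lastUser check from the script above:
#   delete_expired_certs radius.jumpcloud.com "/Users/$lastUser/Library/Keychains/login.keychain-db"
```

Because the expiry test is done per certificate on its own PEM, a freshly installed replacement with the same common name is never selected, which is the failure mode a plain -c match cannot avoid.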
Command Setup
Tags: commands, bash, mac, RADIUS