This script is designed to remove expired computer and user certificates from the device. When a SCEP (Simple Certificate Enrollment Protocol) certificate is issued, any previously issued certificates are not automatically removed. As a result, expired certificates can accumulate on the machine, causing users to be presented with these expired certificates, for example, when connecting to a wireless network. This script addresses this issue by cleaning up expired certificates.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | #!/bin/bash# VariablesSYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"function MAIN() { CERT_LIST=$(security find-certificate -p -a) CERT_LIST=$(echo "$CERT_LIST" | sed 's/ //g' | sed 's/-----ENDCERTIFICATE-----/-----ENDCERTIFICATE----- /g') OIFS="$IFS" IFS=' ' declare -a CERT_ARRAY=($CERT_LIST) IFS="$OIFS" i=-1 for CERT_ELEMENT in "${CERT_ARRAY[@]}"; do let "i++" # Parse certificates CERT_ELEMENT=$(echo "$CERT_ELEMENT" | sed 's/-----BEGINCERTIFICATE-----/-----BEGIN CERTIFICATE-----/g' | sed 's/-----ENDCERTIFICATE-----/-----END CERTIFICATE-----/g') CERT_MD5=$(echo "$CERT_ELEMENT" | openssl x509 -noout -fingerprint -sha1 -inform pem | cut -d "=" -f 2 | sed 's/://g') CERT_EXPIRATION_DATE_FULL=$(echo "$CERT_ELEMENT" | openssl x509 -text | grep 'Not After' | sed -E 's|.*Not After : ||') CERT_ISSUED_BY=$(echo "$CERT_ELEMENT" | openssl x509 -text | grep 'Issuer:' | sed -E 's|.*Issuer: ||') # Evaluate certificates issued by the Company CA. if [[ $CERT_ISSUED_BY = "DC=nl, DC=company, CN=Company Issuing Certificate Authority" ]] then CERT_EXPIRATION_DATE_FORMATTED=$(date -jf "%b %d %T %Y %Z" "${CERT_EXPIRATION_DATE_FULL}" +%Y%m%d) NOW=$(date +'%Y%m%d') if [[ $NOW -gt "$CERT_EXPIRATION_DATE_FORMATTED" ]] then echo "certificate is expired, deleting..." /usr/bin/security delete-certificate -Z "${CERT_MD5}" "${SYSTEM_KEYCHAIN}" else echo "certificate is valid" fi fi done}MAIN |