This script is designed to remove expired computer and user certificates from the device. When a SCEP (Simple Certificate Enrollment Protocol) certificate is issued, any previously issued certificates are not automatically removed. As a result, expired certificates can accumulate on the machine, causing users to be presented with these expired certificates, for example, when connecting to a wireless network. This script addresses this issue by cleaning up expired certificates.
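#!/bin/bash
#
# Remove expired certificates issued by the company CA from the System keychain.
#
# SCEP re-enrollment does not remove previously issued certificates, so expired
# ones accumulate and are offered to the user (for example when joining Wi-Fi).
# This script walks every certificate that `security find-certificate` returns,
# and deletes the ones that were issued by the company CA and whose "Not After"
# date has already passed. Certificates from any other issuer are never touched.
#
# Requirements: macOS `security`, `openssl`, and BSD `date -jf`. Deleting from
# the System keychain needs the corresponding privileges (typically root).

set -u   # an unset variable is a bug here, not an empty string

# Variables
readonly SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
# Issuer DN exactly as `openssl x509 -text` prints it on the target machines.
# NOTE(review): the spacing of that line ("DC=nl" vs "DC = nl") depends on the
# openssl/LibreSSL build; a mismatch is fail-safe (nothing is deleted) but
# should be confirmed with `openssl x509 -noout -text` on a managed device.
readonly COMPANY_CA_ISSUER="DC=nl, DC=company, CN=Company Issuing Certificate Authority"

#######################################
# Evaluate one PEM certificate and delete it from the System keychain when it
# was issued by the company CA and is expired.
# Globals:   SYSTEM_KEYCHAIN, COMPANY_CA_ISSUER (read)
# Arguments: $1 - PEM-encoded certificate, BEGIN/END lines included
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   0 when the certificate was kept, skipped or deleted;
#            1 when it could not be parsed or the deletion failed
#######################################
process_certificate() {
  local pem=$1
  local cert_text issuer not_after sha1_fingerprint expires_on today

  # Decode once and grep the text; the original ran openssl three times.
  if ! cert_text=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null); then
    printf 'warning: skipping a certificate that openssl could not parse\n' >&2
    return 1
  fi

  # Evaluate certificates issued by the Company CA only; anything else is
  # left alone regardless of its validity.
  issuer=$(printf '%s\n' "$cert_text" | grep -m1 'Issuer:' | sed -E 's|.*Issuer: ||')
  [[ "$issuer" == "$COMPANY_CA_ISSUER" ]] || return 0

  # `security delete-certificate -Z` identifies the item by its SHA-1 hash,
  # written as 40 hex digits without colons.
  sha1_fingerprint=$(printf '%s\n' "$pem" \
    | openssl x509 -noout -fingerprint -sha1 -inform pem \
    | cut -d "=" -f 2 | sed 's/://g')
  if [[ ! "$sha1_fingerprint" =~ ^[0-9A-Fa-f]{40}$ ]]; then
    printf 'warning: could not compute SHA-1 fingerprint; leaving certificate in place\n' >&2
    return 1
  fi

  not_after=$(printf '%s\n' "$cert_text" | grep -m1 'Not After' | sed -E 's|.*Not After : ||')
  # BSD date prints its own diagnostic on a parse failure; it is silenced because
  # the failure is reported (and handled) explicitly just below.
  expires_on=$(date -jf "%b %d %T %Y %Z" "${not_after}" +%Y%m%d 2>/dev/null)
  today=$(date +'%Y%m%d')

  # Bug fix: in bash `[[ $NOW -gt "" ]]` is true (an empty operand counts as 0),
  # so a "Not After" value that failed to parse used to get the certificate
  # deleted. Only compare once the expiry is a real YYYYMMDD number.
  if [[ ! "$expires_on" =~ ^[0-9]{8}$ ]]; then
    printf 'warning: could not parse expiry "%s" for %s; leaving certificate in place\n' \
      "$not_after" "$sha1_fingerprint" >&2
    return 1
  fi

  if [[ "$today" -gt "$expires_on" ]]; then
    echo "certificate is expired, deleting..."
    # NOTE(review): find-certificate above searches the default keychain search
    # list while the deletion targets only the System keychain, so an item that
    # lives in another keychain makes this call fail — confirm that is intended.
    if ! /usr/bin/security delete-certificate -Z "${sha1_fingerprint}" "${SYSTEM_KEYCHAIN}"; then
      printf 'warning: security delete-certificate failed for %s\n' "$sha1_fingerprint" >&2
      return 1
    fi
  else
    echo "certificate is valid"
  fi
  return 0
}

#######################################
# Enumerate every certificate returned by `security find-certificate -p -a`
# and hand each PEM block to process_certificate.
# Globals:   none written
# Arguments: none (positional parameters are ignored)
# Outputs:   see process_certificate
# Returns:   0 when every certificate was handled, 1 when any was skipped or
#            its deletion failed, so an MDM runner can surface the problem
#######################################
MAIN() {
  local line pem='' in_cert=0 status=0

  # `security -p` prints consecutive PEM blocks; collect the lines between the
  # BEGIN and END markers instead of word-splitting the whole dump on a
  # sentinel space as the original did.
  while IFS= read -r line; do
    case "$line" in
      '-----BEGIN CERTIFICATE-----')
        pem="$line"$'\n'
        in_cert=1
        ;;
      '-----END CERTIFICATE-----')
        if (( in_cert )); then
          pem+="$line"
          process_certificate "$pem" || status=1
        fi
        pem=''
        in_cert=0
        ;;
      *)
        if (( in_cert )); then
          pem+="$line"$'\n'
        fi
        ;;
    esac
  done < <(security find-certificate -p -a)

  return "$status"
}
MAIN "$@"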