Handling expired client certificates found in the keychain


Søren Grønning

Mar 7, 2026, 8:14:20 AM (5 days ago) Mar 7
to munki-dev
Hi all,

At work, we use client certificates with Munki (currently version 6.x, moving to 7.x as we get our Python act together 😅) and have done so for years. We have ~1800 Macs enrolled with Jamf Pro and all have some sort of an ADCS-issued client certificate (be that user or host certificates) which we use for such purposes as network authentication and access to our Munki repo.

We're using Jamf Pro and Jamf's ADCS Connector to tie the two together and it works well. However, there are circumstances causing a client certificate to be renewed in time, but not removed from the keychain. This is no problem with 802.1X authentication, due to the way it references the certificate within the .mobileconfig.

But, with Munki this causes issues, due to the fact that Munki currently searches only for the first certificate to match the server's sent criteria for a match (e.g. a specific issuer) and Munki is then unaware of the expiration date of a matched certificate, which in our case causes Munki to stall at the oldest [expired] certificate without trying to work out if there's in fact a newer valid certificate to hand over to the HTTPS server at the other end instead. This of course is an issue concerning access to the Munki repo.

I've taken some time to look at the Swift code for the current 7.x branch and put together a small fix for this issue. It comes in the form of a function used to check certificate expiry and a call to this function within the "for identityRef in identityRefs as! [SecIdentity]" loop of the clientcerts.swift file.

In my tests, it does everything as intended and there have been no signs of regression as a result of introducing the code.

Attached is my clientcerts.swift file with all additions and I hope that someone on the Munki Dev list would be able to test it in their own environment and confirm that it is both working and causes no regression.

Best regards,

Søren Grønning


clientcerts.swift

Gregory Neagle

Mar 7, 2026, 10:28:03 AM (5 days ago) Mar 7
to munki-dev
Hello Søren!

What you are attempting to solve here seems very similar to this abandoned Pull Request: https://github.com/munki/munki/pull/1239

I suggest you read through the discussion to understand some of the issues that may also apply to your proposed changes. (I’d specifically pay attention to the need to sometimes use expired certs)

It would be better if you were to create a Pull Request with your proposed changes so that it’s easier to discuss the actual code.

Note: I don’t use client certs myself, so actual testing must be done by others.

-Greg
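As an illustration of the selection logic discussed in both posts above (prefer an unexpired matching identity, but still fall back to an expired one as the linked PR discussion warns some sites need), here is an added example. It is not Søren's attached clientcerts.swift nor Munki's own code; the function names identitiesMatching, notAfterDate and selectIdentity are assumptions, and the example assumes SecCertificateCopyValues reports the validity-not-after value as a CFAbsoluteTime, as it does on macOS.

```swift
import Foundation
import Security

// Hypothetical helper (not Munki code): fetch every keychain identity whose
// certificate was issued by one of the DER-encoded issuer names the server sent.
func identitiesMatching(issuers: [Data]) -> [SecIdentity] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchIssuers as String: issuers as CFArray,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let refs = result as? [SecIdentity] else {
        return []
    }
    return refs
}

/// Reads the certificate's notAfter date; nil if the field cannot be read.
/// Assumption: the value under kSecPropertyKeyValue is a CFAbsoluteTime
/// (seconds since 2001-01-01 00:00:00 UTC), which is what macOS returns.
func notAfterDate(of certificate: SecCertificate) -> Date? {
    var error: Unmanaged<CFError>?
    let keys = [kSecOIDX509V1ValidityNotAfter] as CFArray
    guard let values = SecCertificateCopyValues(certificate, keys, &error) as? [String: Any],
          let entry = values[kSecOIDX509V1ValidityNotAfter as String] as? [String: Any],
          let seconds = entry[kSecPropertyKeyValue as String] as? TimeInterval else {
        return nil
    }
    return Date(timeIntervalSinceReferenceDate: seconds)
}

private struct Candidate {
    let identity: SecIdentity
    let notAfter: Date
}

/// Picks the identity to hand to the HTTPS server instead of the first match:
/// the unexpired one with the latest notAfter wins; if none is unexpired, the
/// most recently expired one is returned so deployments that rely on serving
/// expired certs keep working. `now` is injectable for testing.
func selectIdentity(from identities: [SecIdentity], now: Date = Date()) -> SecIdentity? {
    var candidates: [Candidate] = []
    for identity in identities {
        var certificate: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
              let cert = certificate,
              let expiry = notAfterDate(of: cert) else {
            // Unreadable validity: skip rather than offer a certificate we know nothing about.
            continue
        }
        candidates.append(Candidate(identity: identity, notAfter: expiry))
    }
    let unexpired = candidates.filter { $0.notAfter > now }
    if let best = unexpired.max(by: { $0.notAfter < $1.notAfter }) {
        return best.identity
    }
    // Fallback: nothing valid, so return the least-stale expired identity (may be nil).
    return candidates.max(by: { $0.notAfter < $1.notAfter })?.identity
}

// Usage sketch: `serverIssuers` would be the DER issuer names from the TLS
// client-certificate request; the returned identity feeds URLCredential.
func credential(forIssuers serverIssuers: [Data]) -> URLCredential? {
    guard let identity = selectIdentity(from: identitiesMatching(issuers: serverIssuers)) else {
        return nil
    }
    return URLCredential(identity: identity, certificates: nil, persistence: .forSession)
}
```

The design choice worth noting is the fallback: rather than refusing when every match is expired, the function degrades to the newest expired identity, so the behaviour is never worse than today's "first match" and sites that intentionally serve expired certificates are not cut off; an audit log line when the fallback path is taken would make such cases visible.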
