Can I _automatically_ delete the old certificates on my Mac?

I have been using LE for about 9 months now, and I have the renewal process down pretty well. It’s fairly easy, but there’s one part that I cannot figure out how to automate:

Removing the old certificates from the “Keychain” on the Mac.

For example, I just renewed the certificate for https://time.luo.ma and some other similar sub-domains.

The old certificate was set to expire in a few days. The new one is good through October. I was able to go in and delete the old certificates from the “Keychain Access.app” on the Mac, but is there a way to automate that so that the new one is kept and the old one is deleted?

That’s pretty much the last step I need to make for this to be fully automated.

Any help would be appreciated.

(macOS 10.13 running Apache, if it makes any difference.)

So does Apache use the certificate and keypair from your keychain?

How are you getting the certificate into the keychain in the first place? Do you have a Certboot hook that uses security add-certificates or something like that?

If so, you could change your deploy hook to first do something like this before it adds the new certificate:

security delete-certificate -c time.luo.ma

You might find some other useful commands in:

man 1 security

For example, you could list all of your certificates for that name, check which one is the newest, and delete the rest of them by their SHA-1 hash.

1 Like