
In some situations, you may want to explicitly clear and revoke a client certificate without deleting the client from FileWave, for instance, if you are wiping a macOS client or reinstalling an IVS client.

The following command, run from the client itself, will make the server revoke the client certificate (replace <fwserver_address> with the address of your FileWave server):

sudo curl --key /private/var/FileWave/client.key --cert /private/var/FileWave/client.crt -X POST https://<fwserver_address>:20443/auth/client/clear_certificate

The client will then be unable to communicate with the server (until a new CSR is created). This command can be used in the activation script of a macOS reinstall fileset to make the server properly clear the old client certificate.

Note that the command above uses the client certificate itself to identify the client. Alternatively, you can clear certificates en masse using the inventory superadmin token. In this case, you are allowed to clear the certificate of any client, so use it with caution:

curl -X POST https://<fwserver_address>:20443/auth/client/clear_certificates -H 'Authorization: <application_token>' -H 'Content-Type: application/json' -d '["<serial_1>", "<serial_2>", ...]'


  • <fwserver_address>: The FileWave server address
  • <serial_1>, ... : serial numbers or MAC addresses of the clients to revoke (should match the serial or MAC address from inventory)
  • <application_token>: base64-encoded value of the superadmin application token (can be found in the Application Tokens tab of the Manage Administrators dialog)

The call returns a dictionary containing a list of serials for each of SUCCESS, NOT_FOUND and ERROR.
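The bulk call can be wrapped so that every requested serial is accounted for in the reply. This is an added example, not FileWave's own code: the function names are hypothetical, the host and token are placeholders, and it assumes the response body is JSON with the literal keys SUCCESS, NOT_FOUND and ERROR.

```python
import json
import urllib.request

# Endpoint path and port are taken from the curl command on this page.
BULK_PATH = "/auth/client/clear_certificates"
OUTCOMES = ("SUCCESS", "NOT_FOUND", "ERROR")  # assumed to be the literal response keys


def build_request(server, token_b64, serials):
    """Build (but do not send) the bulk clear_certificates POST."""
    # De-duplicate while keeping order, and drop blanks from inventory exports.
    cleaned = list(dict.fromkeys(s.strip() for s in serials if s.strip()))
    if not cleaned:
        raise ValueError("no serials or MAC addresses supplied")
    return urllib.request.Request(
        url=f"https://{server}:20443{BULK_PATH}",
        data=json.dumps(cleaned).encode(),
        method="POST",
        headers={"Authorization": token_b64, "Content-Type": "application/json"},
    )


def triage(requested, response_body):
    """Group serials by outcome; 'UNREPORTED' holds any the server did not mention."""
    reply = json.loads(response_body)
    result = {k: list(reply.get(k, [])) for k in OUTCOMES}
    seen = {s for k in OUTCOMES for s in result[k]}
    result["UNREPORTED"] = [s for s in requested if s not in seen]
    return result


def revoke(server, token_b64, serials, timeout=30):
    """Send the request; TLS certificate verification stays on (urllib default)."""
    req = build_request(server, token_b64, serials)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return triage(json.loads(req.data), resp.read())


if __name__ == "__main__":
    # Constructed sample values; no network call is made here.
    req = build_request("fw.example.test", "PLACEHOLDER_TOKEN", ["C02AAA", "C02AAA", " C02BBB "])
    print(req.full_url, req.data.decode())
    sample = '{"SUCCESS": ["C02AAA"], "NOT_FOUND": ["C02BBB"], "ERROR": []}'
    print(triage(["C02AAA", "C02BBB"], sample))
```

Serials that come back under NOT_FOUND, ERROR or UNREPORTED still hold their old certificate state on the server and need a follow-up check against inventory.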

Potential log entries

2019-06-12 11:17:26.750|main|FATAL|CLIENT|Failed to send enrollment request (and CSR): error 500 
2019-06-12 11:17:26.750|main|INFO|CLIENT|Falling back to no certificate.
2019-06-12 7:12:02.481|main|FATAL|CLIENT|Unable to retrieve the contents of the cached custom field values: Error decrypting data
2019-06-12 7:12:02.833|main|INFO|CLIENT|CRL updated
2019-06-12 7:12:02.834|main|INFO|CLIENT|No certificate private key yet. Sending a certificate signing request to server my.FQDN.com.
2019-06-12 7:12:03.235|main|FATAL|CLIENT|Failed to send enrollment request (and CSR): error 400 a CSR for this client was already sent.
2019-06-12 7:12:03.235|main|INFO|CLIENT|Falling back to no certificate.