The required options for certupdate seem to have changed in macOS Sierra Server or before, and the manpages have not caught up yet.
When trying:
certupdate remove -c /etc/certificates/secure.domain.com.1234567890123456789012345678901234567890.cert.pem
certupdate throws this error:
certupdate[92173:961471] Unable to recreate the missing certificate ID for /etc/certificates/secure.domain.com.1234567890123456789012345678901234567890.cert.pem error = 2
If you just use certupdate by itself you get:
certupdate remove [-c cert_path] [-p cert_persistent_ref_base64] -i cert_identifier
certupdate replace -c old_cert_path [-p old_cert_persistent_ref_base64] -C new_cert_path [-P new_cert_persistent_ref_base64] -i old_cert_identifier -I new_cert_identifier
which says that now -i and -I are required, though not mentioned in the manpages or anywhere online that I can find.
Unfortunately, I've been unable to construct a proper cert_identifier for use with either version of certupdate and have tried to use secure.domain.com.[SHA-1] with and without various extensions, various paths including /etc/certificates, but to no avail. I also asked security to find the certificate, hoping it would show some kind of clue, but it did not.
The only thing I've found is that asking serveradmin about websites reveals a key called web:defaultSecureSite:mstCertificateIdentifier which contains a SHA-256 hash and the domain, but no combination I made of that works, either.
Does anybody have any idea how to use certupdate now that these options are required?