Server Certificate Renewal
This page describes the renewal process of the RADIUSaaS server certificate.
A server certificate is essential for securing both the EAP-TLS inner tunnel and the RadSec TLS outer tunnel on RADIUSaaS. To prevent authentication failures, renew your certificate before it expires.
. This comes with your RADIUSaaS and offers a long expiry of 20 years. Currently, there is no way to create a new Customer-CA alongside the existing one. This means that the existing, expiring Customer-CA must be deleted before a new one can be created. Creating a new Customer-CA also generates a new root certificate that must be re-deployed to your clients. Please follow article to deploy your new Customer-CA and reference it via your MDM's WiFi policy.
Bring Your Own (BYO) certificate using your own PKI, e.g. . SCEPman server certificates expire every two years, so be sure to set a reminder to prevent downtime. When using a BYO certificate, it's assumed that the CA's root certificate and the FQDN (Subject and SAN) will remain unchanged from the expiring certificate. Therefore, redeployment of the certificate is unnecessary.
This type of certificate is valid for 20 years and cannot be renewed before its expiry. It can, however, be deleted and a new one created by following guide.
If you want to use your own certificate, e.g. a SCEPman-issued server certificate, then follow link to create a server certificate in SCEPman or your preferred PKI before the expiry.
If you are renewing the Customer-CA or a BYO CA with a different root and FQDN from the previous one, please follow the steps below to re-deploy this certificate to your clients. If you are using a BYO certificate with no change to the CA's root certificate and the FQDN (Subject and SAN), you can skip this step!
Deploy the new server certificate/trusted root to your clients as described by creating a new profile.
Update your existing WiFi or wired profile(s)
If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names in case the new certificate has a different domain.
If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from , and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.
Wait until all your clients have received the updated profile(s).
If you're using , upload the new server certificate to your access points or network switch device.
Finally, when you are ready to switch over to the new certificate, activate it as described .
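
Whether the re-deployment steps above can be skipped depends on the renewed certificate chaining to the root already on your clients and keeping the same Subject and SAN. The script below is an added example, not part of the RADIUSaaS documentation: the function names and file arguments are hypothetical, and it assumes OpenSSL 1.1.1 or later, PEM files, and a server certificate issued directly by the root (pass intermediates with `-untrusted` otherwise).

```shell
#!/bin/sh
# Added example, not RADIUSaaS code. Function names are hypothetical.
# Assumes OpenSSL 1.1.1+ and PEM-encoded certificate files.

# Print the Subject DN and SAN entries of a certificate as comparable text.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    -ext subjectAltName 2>/dev/null
}

# Exit status 0 if the certificate expires within the next N days.
# usage: expires_within cert.pem days
expires_within() {
  # -checkend succeeds when the certificate is still valid after N seconds,
  # so the result is inverted here.
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Exit status 0 if clients need an updated trusted root or server name.
# usage: needs_redeploy deployed_root.pem old_server.pem new_server.pem
needs_redeploy() {
  # -no-CApath: trust only the root deployed to clients, not the system store.
  if ! openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1; then
    echo "redeploy: new certificate does not chain to the deployed root"
    return 0
  fi
  if [ "$(cert_names "$2")" != "$(cert_names "$3")" ]; then
    echo "redeploy: Subject or SAN differs from the expiring certificate"
    return 0
  fi
  echo "no redeploy: same root, same Subject and SAN"
  return 1
}

# Example calls (file names are placeholders):
#   expires_within current-server.pem 60 && echo "renew soon"
#   needs_redeploy deployed-root.pem current-server.pem renewed-server.pem
```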