Server Certificate Renewal
This page describes the renewal process of the RADIUSaaS server certificate without interrupting the connection to the clients.
Before continuing, you need to answer the following questions:
Do you want to bring your own certificate (e.g. from SCEPman) or use a certificate created by your RADIUSaaS instance?
Are you deploying user or device client authentication certificates?
We recommend starting the renewal process of the RADIUS server certificate 8 to 10 weeks before it expires, for the following reason:
If you are using the legacy self-signed server certificate we used to provide, RADIUSaaS will auto-renew the server certificate 30 days prior to its expiry (Valid until date). If you miss this deadline, you can no longer control the activation of a new RADIUS server certificate.
Part 1
Certificate Creation
There are two options for creating or uploading a new server certificate:
If you would like to use the free certificates that can be created from the RADIUSaaS Admin Portal, please create your own CA as described here.
If you would like to use your own certificate instead, select PEM or PKCS#12 encoded Certificate in the Add certificate dialog, select the certificate name and upload the public and private key. If you selected PKCS#12, the file contains both the public and the private key.
Download the certificate after creating it, as you will need it for the Intune profiles later on.
Intune Profiles
Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.
Update your existing WiFi or wired profile(s):
If you have used the Intune Wizard for the creation of your network profile(s), edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names in case the new certificate has a different domain.
If you have used a custom profile for the creation of your network profile(s), re-download the XML generated by RADIUSaaS from here, and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.
Wait until all your clients have received the updated profile(s).
Jamf Profiles
Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.
Update your existing WiFi or wired profile(s) by adding a second common name under Trusted Server Certificate Names.
Wait until all your clients have received the updated profile(s).
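When editing the Intune or Jamf profiles, it helps to compare the active and the new server certificate side by side. The following script is an added example, not part of the RADIUSaaS documentation: it prints each certificate's common name, SHA-1 thumbprint and expiry date, and reports whether the new certificate introduces a different server name. The file names `current.pem` and `new.pem` and the script name are assumptions; the 10-week threshold follows the recommendation above.

```shell
#!/bin/sh
# Added example: compare the active and the new RADIUS server certificate.
# current.pem / new.pem are assumed file names for the downloaded certificates.

# SHA-1 thumbprint as bare hex (colons removed).
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Subject common name, i.e. the server name clients are told to trust.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds (exit 0) if the certificate expires within the given number of weeks.
expires_within_weeks() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 7 * 24 * 3600 )) >/dev/null
}

# Succeeds if the two certificates carry different common names, in which
# case the new name has to be added to the WiFi / wired profiles as well.
names_differ() {
    [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ]
}

renewal_summary() {
    for f in "$1" "$2"; do
        printf '%s\n  CN:         %s\n  thumbprint: %s\n  %s\n' "$f" \
            "$(cert_cn "$f")" "$(cert_thumbprint "$f")" \
            "$(openssl x509 -in "$f" -noout -enddate)"
    done
    if expires_within_weeks "$1" 10; then
        echo "current certificate expires within 10 weeks: start Part 1"
    fi
    if names_differ "$1" "$2"; then
        echo "server name changed: add '$(cert_cn "$2")' to the profiles"
    fi
}

# Usage: sh compare-certs.sh current.pem new.pem
if [ "$#" -eq 2 ]; then
    renewal_summary "$1" "$2"
fi
```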
WiFi & LAN infrastructure
This step is only necessary if you're using RadSec.
Upload the new server certificate to your access points or network switches.
Part 2
We recommend a minimum waiting period of 4 weeks between completing Part 1 and starting with Part 2.
After the updated profiles have successfully been deployed to all your clients (depending on the size of the deployment this may take weeks since some employees might be on holidays), you can take the last step and perform the certificate switch-over in your RADIUSaaS Admin Portal.
Only proceed with the next step if you are certain that all your clients received the new/updated profiles. Otherwise, they will not be able to connect to your network afterwards.
Activate the new server certificate as described here.