
Server Certificate Renewal

This page describes the renewal process of the RADIUSaaS server certificate.

Last updated 3 months ago


A server certificate is essential for securing both the EAP-TLS inner tunnel and the RadSec TLS outer tunnel on RADIUSaaS. To prevent authentication failures, make sure to renew your certificate before it expires.

Your server certificate can be one of the following two types:

  1. Customer-CA. This comes with RADIUSaaS and is valid for 20 years. Currently there is no way to create a new Customer-CA alongside the existing one, so the expiring Customer-CA must be deleted before a new one can be created. Creating a new Customer-CA also generates a new root certificate that must be re-deployed to your clients. Please follow this article to deploy your new Customer-CA and reference it via your MDM's WiFi policy.

  2. Bring Your Own (BYO) certificate using your own PKI, e.g. a SCEPman-issued Server Certificate. SCEPman server certificates expire every two years, so be sure to set a reminder to prevent downtime. When using a BYO certificate, it is assumed that the CA's root certificate and the FQDN (Subject and SAN) remain unchanged from the expiring certificate. Therefore, redeployment of the certificate is unnecessary.

Creating a new certificate

Built-in Customer-CA

This type of certificate is valid for 20 years and cannot be renewed before its expiry. It can, however, be deleted and a new one created by following this guide.

BYO certificate

If you want to use your own certificate, e.g. a SCEPman-issued server certificate, follow this link to create a server certificate in SCEPman or your preferred PKI before the current one expires.

Deploying the new server certificate

Intune profiles

If you are renewing the Customer-CA or a BYO CA with a different root and FQDN from the previous one, follow the steps below to re-deploy this certificate to your clients. If you are using a BYO certificate with no change to the CA's root certificate and the FQDN (Subject and SAN), you can skip this step.

  1. Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.

  2. Update your existing WiFi or wired profile(s):

    • If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names in case the new certificate has a different domain.

    • If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from here, and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.

  3. Wait until all your clients have received the updated profile(s).
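A pre-activation check for step 3, added here as an illustration and not part of the RADIUSaaS documentation or tooling: it parses a Windows WiFi profile XML and lists any required certificate thumbprint or server name the profile does not yet trust. The `ServerNames` and `TrustedRootCA` element names follow the Windows EAP-TLS configuration schema; the sample profile, thumbprints and host names are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server validation section of a Windows EAP-TLS profile.
# Thumbprints and server names are made-up placeholder values.
SAMPLE_PROFILE = """\
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
  <ServerValidation>
    <ServerNames>radius-old.example.com;radius-new.example.net</ServerNames>
    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd </TrustedRootCA>
    <TrustedRootCA>11 22 33 44 55 66 77 88 99 00 aa bb cc dd ee ff 11 22 33 44 </TrustedRootCA>
  </ServerValidation>
</EapType>
"""

def norm_thumbprint(value):
    """Lower-case hex without spaces or colons, so all notations compare equal."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")

def local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def profile_trust(xml_text):
    """Return (thumbprints, server_names) found anywhere in the profile."""
    root = ET.fromstring(xml_text)
    thumbs, names = set(), set()
    for el in root.iter():
        text = (el.text or "").strip()
        if local(el.tag) == "TrustedRootCA" and text:
            thumbs.add(norm_thumbprint(text))
        elif local(el.tag) == "ServerNames" and text:
            # Windows stores the accepted names as one semicolon-separated string.
            names.update(n.strip().lower() for n in text.split(";") if n.strip())
    return thumbs, names

def missing_for_switchover(xml_text, required_thumbprints, required_names):
    """List what the profile still lacks before the new certificate is activated."""
    thumbs, names = profile_trust(xml_text)
    gaps = [f"thumbprint {t}" for t in required_thumbprints
            if norm_thumbprint(t) not in thumbs]
    gaps += [f"server name {n}" for n in required_names if n.lower() not in names]
    return gaps

if __name__ == "__main__":
    old = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"
    new = "11223344556677889900AABBCCDDEEFF11223344"
    hosts = ["radius-old.example.com", "radius-new.example.net"]
    print(missing_for_switchover(SAMPLE_PROFILE, [old, new], hosts) or "ready")
```

An empty result means the profile trusts both the expiring and the new server certificate; any listed gap means clients holding that profile would reject the new certificate once it is activated.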

WiFi & LAN infrastructure

If you're using RadSec, upload the new server certificate to your access points or network switch device.

Activating the new server certificate

Finally, when you are ready to switch over to the new certificate, activate it as described here.

Example: Updated Windows 10 WiFi profile with two trusted RADIUS server certificates and different domains.