Server Certificate Renewal

This page describes the renewal process of the RADIUSaaS server certificate.

A server certificate is essential for securing both the EAP-TLS handshake with your clients (the inner tunnel, carried inside RADIUS) and the RadSec TLS outer tunnel between your network equipment and RADIUSaaS. Clients and RadSec peers that validate the server certificate will refuse to authenticate once it has expired, so to prevent authentication failures, make sure to renew your certificate before it expires.

Your server certificate can be one of the following two types:

  1. Customer-CA. This comes with your RADIUSaaS and has a long validity of 20 years. Currently there is no way to create a new Customer-CA alongside the existing one, so the expiring Customer-CA must be deleted before a new one can be created. Creating a new Customer-CA also generates a new root certificate, which must be redeployed to your clients. Follow this article to deploy your new Customer-CA and reference it in your MDM's WiFi policy.

  2. Bring Your Own (BYO) certificate issued by your own PKI, e.g. a SCEPman-issued server certificate. SCEPman server certificates expire every two years, so set a reminder to prevent downtime. A BYO renewal assumes that the CA's root certificate and the FQDN (Subject and SAN) remain unchanged from the expiring certificate; in that case, redeployment of the certificate to your clients is unnecessary.
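The two checks that matter before a renewal are whether the current certificate is about to expire, and whether the replacement keeps the same issuing CA and the same FQDN (Subject CN and SAN), because that is what decides whether clients need a new trusted root and profile. The following script is an added example and not part of the RADIUSaaS documentation or product; it assumes only the openssl command-line tool. It builds its own throwaway test CAs and leaf certificates (constructed fixtures with made-up names, not real RADIUSaaS or SCEPman certificates) so it runs offline; in practice you would point `CURRENT` at the certificate active on RADIUSaaS and the candidates at the renewed certificate exported from SCEPman or your PKI.

```shell
#!/bin/sh
# Added example, not part of the RADIUSaaS documentation.
# Uses the openssl CLI to (1) warn when a RADIUS server certificate is close to
# expiry and (2) decide whether a renewed certificate keeps the same issuing CA
# and FQDN (Subject CN + SAN), in which case no client redeployment is needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Return 0 (true) if the certificate file $1 expires within $2 days.
# openssl's -checkend exits 1 when the certificate WILL expire inside the window.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the issuer DN plus the Authority Key Identifier of $1: together they
# identify which CA key signed the certificate (the trust anchor clients pin).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
  openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' | tail -n1 | sed 's/^ *//'
}

# Print the Subject DN and SAN entries of $1: the names a client compares
# against the "Certificate server names" in its WiFi/wired profile.
names_of() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Return 0 (true) if switching from $1 (current) to $2 (new) changes the root
# or the FQDN, i.e. the new trusted root / profile must reach clients first.
redeploy_required() {
  if [ "$(issuer_of "$1")" != "$(issuer_of "$2")" ]; then return 0; fi
  if [ "$(names_of "$1")" != "$(names_of "$2")" ]; then return 0; fi
  return 1
}

# --- constructed fixtures: throwaway test CAs and leaf certificates ---------
# (CA names and FQDN are made up for this example)
make_ca() {   # $1 = CA name
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 3650 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_leaf() { # $1 = file name, $2 = signing CA, $3 = FQDN, $4 = validity in days
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nauthorityKeyIdentifier=keyid\nextendedKeyUsage=serverAuth\n' \
    "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

make_ca   test-ca-1
make_ca   test-ca-2
make_leaf current  test-ca-1 radius.example.com 5    # expiring soon
make_leaf renewed  test-ca-1 radius.example.com 730  # same CA, same FQDN
make_leaf reissued test-ca-2 radius.example.com 730  # new root CA

CURRENT="$WORK/current.pem"; RENEWED="$WORK/renewed.pem"; REISSUED="$WORK/reissued.pem"

if expires_within_days "$CURRENT" 30; then
  echo "current.pem expires within 30 days: renew before clients start failing EAP-TLS"
fi
for candidate in "$RENEWED" "$REISSUED"; do
  if redeploy_required "$CURRENT" "$candidate"; then
    echo "$(basename "$candidate"): root or FQDN changed -> deploy the new trusted root and update profiles before activating"
  else
    echo "$(basename "$candidate"): same CA and FQDN -> can be activated directly (RadSec: still upload it to APs/switches)"
  fi
done
```

Run `expires_within_days` from a scheduled job with a window of at least the time your MDM needs to roll a profile out to every client; the comparison functions are what you run once the renewed certificate is in hand, before deciding whether the redeployment steps further down this page apply.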

Creating a new certificate

Built-in Customer-CA

This type of certificate is valid for 20 years and cannot be renewed in place before its expiry. It can, however, be deleted and a new one created by following this guide.

BYO certificate

If you want to use your own certificate, e.g. a SCEPman-issued server certificate, follow this link to create a new server certificate in SCEPman or your preferred PKI before the current one expires.

Deploying the new server certificate

Intune profiles

If you are renewing the Customer-CA, or a BYO certificate whose root CA or FQDN differs from the previous one, follow the steps below to redeploy the certificate to your clients. If you are using a BYO certificate with no change to the CA's root certificate or the FQDN (Subject and SAN), you can skip this step.

  1. Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.

  2. Update your existing WiFi or wired profile(s)

    • If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names if the new certificate has a different domain.

    • If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from here, and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.

  3. Wait until all your clients have received the updated profile(s).

WiFi & LAN infrastructure

If you are using RadSec, also upload the new server certificate to your access points or network switches.

Activating the new server certificate

Finally, when you are ready to switch over to the new certificate, activate it as described here.
