# Server Certificate Renewal

A server certificate is essential for securing both the EAP-TLS inner tunnel and the RadSec TLS outer tunnel on RADIUSaaS. To prevent authentication failures, renew your certificate before it expires.

### **Your server certificate can be one of the following two types:**

1. [Customer-CA](https://docs.radiusaas.com/admin-portal/settings/settings-server#customer-ca). This comes with your RADIUSaaS instance and has a long validity period of 20 years. Currently there is no way to create a new Customer-CA alongside the existing one, so the expiring Customer-CA must be deleted before a new one can be created. Creating a new Customer-CA also generates a new root certificate that must be re-deployed to your clients. Follow [this article](#deploying-the-new-server-certificate) to deploy your new Customer-CA and reference it via your MDM's WiFi policy.
2. Bring Your Own (BYO) certificate using your own PKI, e.g. [SCEPman-issued Server Certificate](https://docs.radiusaas.com/admin-portal/settings/settings-server#scepman-issued-server-certificate). SCEPman server certificates expire every two years, so be sure to set a reminder to prevent downtime. When using a BYO certificate, it's assumed that the **CA's root certificate** and the **FQDN (Subject and SAN)** will remain unchanged from the expiring certificate. Therefore, redeployment of the certificate is unnecessary.

## Creating a new certificate

### Built-in Customer-CA

This type of certificate is valid for 20 years and cannot be renewed before its expiry. It can, however, be deleted and a new one created by following [this guide](https://docs.radiusaas.com/admin-portal/settings/settings-server#customer-ca).

### BYO certificate

If you want to use your own certificate, e.g. a SCEPman-issued server certificate, follow [this link](https://docs.radiusaas.com/admin-portal/settings/settings-server#bring-your-own-certificate) to create a server certificate in SCEPman or your preferred PKI before the existing one expires.
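Before deploying a replacement BYO certificate, you can confirm that the assumption stated above holds, i.e. that it chains to the root your clients already trust and carries the same Subject and SAN. The script below is an added example, not RADIUSaaS or SCEPman tooling; the function names are hypothetical, and it assumes OpenSSL 1.1.1 or later and a server certificate issued directly by the root.

```bash
#!/usr/bin/env bash
# Added example (not RADIUSaaS tooling): pre-check for a BYO server
# certificate renewal. Inputs are PEM files: the root CA already deployed
# to clients, the expiring server certificate, and its replacement.
# Assumption: the server certificate is issued directly by the root; with
# intermediates, pass them to `openssl verify` via -untrusted.

# Subject DN plus sorted SAN entries, one per line, so that a different
# SAN ordering in the new certificate does not count as a change.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -v 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' | sort
}

# Prints NO_REDEPLOY when the root and the names are unchanged,
# otherwise REDEPLOY followed by the reason(s).
renewal_check() {  # $1 = trusted root, $2 = expiring cert, $3 = new cert
  local root="$1" old="$2" new="$3" reasons=""
  # The new certificate must verify against the root clients already trust.
  if ! openssl verify -CAfile "$root" "$new" >/dev/null 2>&1; then
    reasons="$reasons root-changed"
  fi
  # Subject and SAN must match what the network profiles reference.
  if [ "$(cert_names "$old")" != "$(cert_names "$new")" ]; then
    reasons="$reasons names-changed"
  fi
  if [ -z "$reasons" ]; then
    echo "NO_REDEPLOY"
  else
    echo "REDEPLOY:$reasons"
  fi
}

# Usage: ./renewal_check.sh root.pem expiring.pem new.pem
if [ "$#" -eq 3 ]; then
  renewal_check "$1" "$2" "$3"
fi
```

A `REDEPLOY` result means the client-side steps under "Deploying the new server certificate" apply before the new certificate is activated.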

## Deploying the new server certificate

#### Intune profiles

If you are renewing the Customer-CA or a BYO CA with a different root and FQDN from the previous one, follow the steps below to re-deploy this certificate to your clients. If you are using a BYO certificate with no change to the CA's root certificate and the FQDN (Subject and SAN), you can skip this step.

1. Deploy the new **server certificate/trusted root** to your clients as described [here](https://docs.radiusaas.com/profile-deployment/jamf-pro/server-trust) by creating a **new** profile.
2. Update your **existing** WiFi or wired profile(s):
   * If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by **adding a second trusted server certificate**. Do not forget to add a second server name under **Certificate server names** in case the new certificate has a different domain.
   * If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from [here](https://docs.radiusaas.com/admin-portal/settings/trusted-roots#xml), and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.
3. Wait **until all your clients** have received the updated profile(s).

<figure><img src="/files/FP3hzXaRPndbNxNBxMTQ" alt=""><figcaption><p>Example: Updated Windows 10 WiFi profile with two trusted RADIUS server certificates and different domains.</p></figcaption></figure>

## WiFi & LAN infrastructure

If you're using [RadSec](https://docs.radiusaas.com/details#what-is-radsec), upload the new **server certificate** to your access points or network switch device.

## Activating the new server certificate

Finally, when you are ready to switch over to the new certificate, activate it as described [here](/admin-portal/settings/settings-server.md#certificate-activation).

