# Server Certificate Renewal

A server certificate is essential for securing both the EAP-TLS inner tunnel and the RadSec TLS outer tunnel on RADIUSaaS. To prevent authentication failures, make sure to renew your certificate before it expires.

### **Your server certificate can be one of the following two types:**

1. [Customer-CA](https://docs.radiusaas.com/admin-portal/settings/settings-server#customer-ca). This comes with your RADIUSaaS instance and has a long validity period of 20 years. Currently there is no way to create a new Customer-CA alongside the existing one, so the existing expiring Customer-CA must be deleted before a new one can be created. Creating a new Customer-CA also generates a new root certificate that must be re-deployed to your clients. Please follow [this section](#deploying-the-new-server-certificate) to deploy your new Customer-CA and reference it in your MDM's WiFi policy.
2. Bring Your Own (BYO) certificate using your own PKI, e.g. [SCEPman-issued Server Certificate](https://docs.radiusaas.com/admin-portal/settings/settings-server#scepman-issued-server-certificate). SCEPman server certificates expire every two years, so be sure to set a reminder to prevent downtime. When using a BYO certificate, it's assumed that the **CA's root certificate** and the **FQDN (Subject and SAN)** will remain unchanged from the expiring certificate. Therefore, redeployment of the certificate is unnecessary.

## Creating a new certificate

### Built-in Customer-CA

This type of certificate is valid for 20 years and cannot be renewed before its expiry. It can, however, be deleted and a new one created by following [this guide](https://docs.radiusaas.com/admin-portal/settings/settings-server#customer-ca).

### BYO certificate

If you want to use your own certificate, e.g. a SCEPman-issued server certificate, follow [this link](https://docs.radiusaas.com/admin-portal/settings/settings-server#bring-your-own-certificate) to create a server certificate in SCEPman or your preferred PKI before the current one expires.

## Deploying the new server certificate

#### Intune profiles <a href="#intune-profiles" id="intune-profiles"></a>

If you are renewing the Customer-CA or a BYO certificate with a different root and FQDN from the previous one, follow the steps below to re-deploy the certificate to your clients. If you are using a BYO certificate with no change to the CA's root certificate and the FQDN (Subject and SAN), you can skip this step.

1. Deploy the new **server certificate/trusted root** to your clients as described [here](https://docs.radiusaas.com/profile-deployment/jamf-pro/server-trust) by creating a **new** profile.
2. Update your **existing** WiFi or wired profile(s)
   * If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by **adding a second trusted server certificate**. Do not forget to add a second server name under **Certificate server names** in case the new certificate has a different domain.
   * If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from [here](https://docs.radiusaas.com/admin-portal/settings/trusted-roots#xml), and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.
3. Wait **until all your clients** have received the updated profile(s).

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FECU6EjwxgkZzSfGxcw1I%2Fimage.png?alt=media&#x26;token=ee6d6189-ad58-4eb5-9729-ed2dbd005afb" alt=""><figcaption><p>Example: Updated Windows 10 WiFi profile with two trusted RADIUS server certificates and different domains.</p></figcaption></figure>
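One way to check the BYO condition before skipping the redeployment steps above, as an added example that is not part of the RADIUSaaS documentation: it verifies that the new certificate chains to the root already deployed to clients and that its Subject and SAN match the expiring certificate. The function names and file arguments are assumptions, as is a server certificate issued directly by the root and OpenSSL 1.1.1 or later on the admin workstation.

```shell
#!/bin/sh
# Added example: decide whether a renewed BYO server certificate can reuse the
# trust already deployed to clients. File arguments are placeholders (assumptions).

# Print what clients match on: the subject DN plus the sorted SAN entries.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed 1d | tr -d ' ' | tr ',' '\n' | sort
}

# renewal_check OLD.pem NEW.pem ROOT.pem
# Returns 0 when client redeployment can be skipped, 1 when it is required.
renewal_check() {
    old=$1; new=$2; root=$3
    # The new certificate must chain to the root the clients already trust.
    # (With an intermediate CA, pass it to "openssl verify" via -untrusted.)
    if ! openssl verify -CAfile "$root" "$new" >/dev/null 2>&1; then
        echo "redeploy: $new does not chain to $root"
        return 1
    fi
    # Subject and SAN must match the expiring certificate exactly.
    if [ "$(cert_identity "$old")" != "$(cert_identity "$new")" ]; then
        echo "redeploy: subject or SAN differs from $old"
        return 1
    fi
    echo "skip: same root, subject and SAN"
    return 0
}

# expires_within DAYS CERT.pem
# Returns 0 when CERT expires within DAYS days (time to schedule the renewal).
expires_within() {
    ! openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}
```

Run `renewal_check old.pem new.pem root.pem` with the expiring certificate, the renewed one and the root currently referenced in your profiles; a non-zero exit status means the Intune steps above still apply.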

## WiFi & LAN infrastructure <a href="#wifi-and-lan-infrastructure" id="wifi-and-lan-infrastructure"></a>

If you're using [RadSec](https://docs.radiusaas.com/details#what-is-radsec), upload the new **server certificate** to your access points or network switch device.

## Activating the new server certificate

Finally, when you are ready to switch over to the new certificate, activate it as described [here](https://docs.radiusaas.com/admin-portal/settings/settings-server#certificate-activation).
