search

Server Certificate Renewal

This page describes the renewal process of the RADIUSaaS server certificate.

A server certificate is essential for securing both the EAP-TLS inner tunnel and the RadSec TLS outer tunnel on RADIUSaaS. To prevent authentication failures, ensure to renew your certificate before it expires.

hashtag
Your server certificate can be one of the following two types:

  1. Customer-CAarrow-up-right. This comes with your RADIUSaaS and offers long expiry of 20 years. Currently there is no way to create a new Customer-CA alongside the existing one. This means that the existing expiring Customer-CA will need to be deleted before a new one can be created. Creating a new Customer-CA will also generate a new root certificate that will need to be re-deployed to your clients. Please follow this article to deploy your new Customer-CA and reference it via your MDM's WiFi policy.

  2. Bring Your Own (BYO) certificate using your own PKI, e.g. SCEPman-issued Server Certificatearrow-up-right. SCEPman server certificates expire every two years, so be sure to set a reminder to prevent downtime. When using a BYO certificate, it's assumed that the CA's root certificate and the FQDN (Subject and SAN) will remain unchanged from the expiring certificate. Therefore, redeployment of the certificate is unnecessary.

hashtag
Creating a new certificate

hashtag
Built-in Customer-CA

This type of certificate is valid for 20 years and cannot be renewed before its expiry. It can, however, be deleted and a new one created by following this arrow-up-rightguide.

hashtag
BYO certificate

If you want to use your own certificate e.g.: a SCEPman-issued server certificate, then follow this arrow-up-rightlink to create a server certificate before the expiry in SCEPman or your preferred PKI.

hashtag
Deploying the new server certificate

hashtag
Intune profiles

If you are renewing the Customer-CA or a BYO CA with a different root and FQDN from the previous one then please follow the bellow steps to re-deploy this certificate to your clients, otherwise if you are using a BYO certificate with no change to the CA's root certificate and the FQDN (Subject and SAN), you can skip this step!

  1. Deploy the new server certificate/trusted root to your clients as described herearrow-up-right by creating a new profile.

  2. Update your existing WiFi or wired profile(s)

    • If you have used the Intune wizard for the creation of your network profiles, edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names in case the new certificate has a different domain.

    • If you have used a custom profile for the creation of your network profiles, re-download the XML generated by RADIUSaaS from herearrow-up-right, and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.

  3. Wait until all your clients have received the updated profile(s).

Example: Updated Windows 10 WiFi profile with two trusted RADIUS server certificates and different domains.

hashtag
WiFi & LAN infrastructure

If you're using RadSecarrow-up-right, upload the new server certificate to your access points or network switch device.

hashtag
Activating the new server certificate

Finally, when you are ready to switch over to the new certificate, active it as described here.

Last updated

Was this helpful?