space.vars.SCEPmanSAAS\_ProductName, a fully integrated CA solution built into RADIUSaaS.
### What will change?
| What | Changes | Stays the same |
|---|---|---|
| SCEPman hosting | Managed by us, no longer in your Azure tenant. | |
| SCEPman URL | New endpoint URLs. | |
| RADIUS server certificate | If you currently use the SCEPman connection or a SCEPman-issued server certificate a new server certificate will be created. | No changes if you use the Customer CA. |
| Certificate functionality | Certificates work the same way as before. | |
| MDM integration | SCEP certificate profile(s) need to point to new URL and reference a new Root CA certificate. | Overall integration approach remains the same. |
| End-user experience | No impact, transparent to end-users. | |
| Existing certificates | See migration impact section below. | Valid certificates continue to work. |
space.vars.SCEPmanSAAS\_ProductName. Please have a look in our [SCEPman Edition Comparison](https://docs.radiusaas.com/details#scepman-edition-comparison) to ensure, that you have all your use-cases covered, before you start the migration.
* **MDM SCEP profiles**: You'll need to update your SCEP profiles to point to the new space.vars.SCEPmanSAAS\_ProductName URL and reference the new Root CA. Plan for how you want to roll this out (all at once vs. phased).
* **Network Environment**: If you are using RadSec, migrating to space.vars.SCEPmanSAAS\_ProductName can mean that the server certificate used for the connection might change.
* **DNS or firewall rules**: If you have any network rules tied to your current SCEPman endpoint, these will need to be updated.
## Migration Path
{% stepper %}
{% step %}
### Setup space.vars.SCEPmanSAAS\_ProductName
Follow our dedicated guide on how to enroll:
{% content-ref url="" %}
[](https://docs.radiusaas.com/configuration/scepman-saas)
{% endcontent-ref %}
You should be in the following situation after this step:
* space.vars.SCEPmanSAAS\_ProductName is enrolled and your devices have received suitable certificates for client authentication to be used with RADIUSaaS (besides the ones issued by your current SCEPman Enterprise deployment).
* space.vars.SCEPmanSAAS\_ProductName' CA certificate is trusted by your devices and added to the RADIUSaaS trust store.
{% endstep %}
{% step %}
### Verify Client Configuration
Clients already using RADIUSaaS will require the following adjustments if you want to migrate to space.vars.SCEPmanSAAS\_ProductName :
* Ensure they are trusting the space.vars.SCEPmanSAAS\_ProductName Root CA certificate
* Adjust the WiFi profile to include (additive to the current SCEPman Enterprise root) the space.vars.SCEPmanSAAS\_ProductName CA certificate for server validation
{% hint style="danger" %}
**Caution if you have an existing** [**SCEPman Connection**](https://docs.radiusaas.com/admin-portal/settings/settings-server#scepman-connection)
If you have already setup the SCEPman connection for automatic server certificate management, space.vars.SCEPmanSAAS\_ProductName will take over the connection after the enrollment. This means the server certificate will be from a different issuer **after the next certificate rotation**.
Ensure that your clients have the space.vars.SCEPmanSAAS\_ProductName CA certificate installed and trust the new CA for server validation in the WiFi profile.
{% endhint %}
{% endstep %}
{% step %}
### Verify Authenticator Configuration
If you are using RadSec, your RADIUS authenticators (access points, switches, and VPN gateways) will also have to trust the new Root CA certificate to establish a connection to RADIUSaaS.
Ensure that the space.vars.SCEPmanSAAS\_ProductName Root CA has been added here to prevent impact during the cutover of the server certificate.
{% hint style="danger" %}
**Please check if your network equipment handles multiple CAs**
If your authenticators are not able to trust multiple CAs for the RadSec server validation, changing the server certificate to one issued by space.vars.SCEPmanSAAS\_ProductName will need to happen at the same time as changing the CA trusted for the RadSec authentication as connections will be failing otherwise.
{% endhint %}
{% endstep %}
{% step %}
### Check for Rules matching Issuer(s)
If you are using rules to filter for specific certificate authorities, client authentications might be rejected when using certificates from space.vars.SCEPmanSAAS\_ProductName if the **Any authentication allowed** rule is disabled.
Add new rules for the added CA certificate or make sure to modify existing rules to include it:
space.vars.SCEPmanSAAS\_ProductName in parallel during the migration phase?
Yes. As long as you have trusted both Root CA certificates for client connection in RADIUSaaS, client certificates from both certification authorities can be used for authentication.
### Can I use my existing SCEPman Enterprise Root Certificate for space.vars.SCEPmanSAAS\_ProductName?
While technically possible through [Bring your own Key Vault](https://docs.radiusaas.com/admin-portal/settings/scepman#scepman-identity-and-keys), reusing your existing Root CA certificate is not recommended for the following reasons:
* Already issued certificates are only stored in the tenant of the existing SCEPman Enterprise deployment while newly created certificates will be stored within space.vars.SCEPmanSAAS\_ProductName. This can lead to failing validations if components are not able to figure out which CA should be considered for validation
* Depending on the deployment location of your Key Vault and your RADIUSaaS instance, added latency is expected during cryptographic operations that require the Root CA certificate
### When can I decommission my old SCEPman instance?
Once all certificate use cases of the SCEPman Enterprise instance have been migrated to space.vars.SCEPmanSAAS\_ProductName, you can safely stop the app service. These use cases include but are not limited to:
* Client Certificates
* Server Certificates
* DC Certificates
* Certificates for TLS inspection
* Code Signing Certificates
* S/MIME Certificates
Make sure to monitor the Log Analytics Workspace long enough to verify that no certificate validation or issuance is happening anymore.
{% embed url="