Migrate from SCEPman Enterprise
If you are currently using SCEPman Enterprise in your own tenant and want to further reduce your infrastructure footprint, you might want to consider moving to SCEPman SaaS, a fully integrated CA solution built into RADIUSaaS.
What will change?
SCEPman hosting
Managed by us, no longer in your Azure tenant.
SCEPman URL
New endpoint URLs.
RADIUS server certificate
If you currently use the SCEPman connection or a SCEPman-issued server certificate, a new server certificate will be created.
No changes if you use the Customer CA.
Certificate functionality
Certificates work the same way as before.
MDM integration
SCEP certificate profile(s) need to point to the new URL and reference a new Root CA certificate.
Overall integration approach remains the same.
End-user experience
No impact, transparent to end-users.
Existing certificates
See migration impact section below.
Valid certificates continue to work.
Pre-Migration Considerations
Features: Some features of SCEPman Enterprise are not available in SCEPman SaaS. Please have a look at our SCEPman Edition Comparison to ensure that you have all your use cases covered before you start the migration.
MDM SCEP profiles: You'll need to update your SCEP profiles to point to the new SCEPman SaaS URL and reference the new Root CA. Plan for how you want to roll this out (all at once vs. phased).
Network Environment: If you are using RadSec, migrating to SCEPman SaaS can mean that the server certificate used for the connection might change.
DNS or firewall rules: If you have any network rules tied to your current SCEPman endpoint, these will need to be updated.
Migration Path
Set up SCEPman SaaS
Follow our dedicated guide on how to enroll:
🆕 SCEPman SaaS
You should be in the following situation after this step:
SCEPman SaaS is enrolled and your devices have received suitable certificates for client authentication to be used with RADIUSaaS (besides the ones issued by your current SCEPman Enterprise deployment).
SCEPman SaaS' CA certificate is trusted by your devices and added to the RADIUSaaS trust store.
Verify Client Configuration
Clients already using RADIUSaaS will require the following adjustments if you want to migrate to SCEPman SaaS:
Ensure they are trusting the SCEPman SaaS Root CA certificate
Adjust the WiFi profile to include (additive to the current SCEPman Enterprise root) the SCEPman SaaS CA certificate for server validation
Caution if you have an existing SCEPman Connection
If you have already set up the SCEPman connection for automatic server certificate management, SCEPman SaaS will take over the connection after the enrollment. This means the server certificate will be from a different issuer after the next certificate rotation.
Ensure that your clients have the SCEPman SaaS CA certificate installed and trust the new CA for server validation in the WiFi profile.
Verify Authenticator Configuration
If you are using RadSec, your RADIUS authenticators (access points, switches, and VPN gateways) will also have to trust the new Root CA certificate to establish a connection to RADIUSaaS.
Ensure that the SCEPman SaaS Root CA has been added here to prevent impact during the cutover of the server certificate.
Please check if your network equipment handles multiple CAs
If your authenticators cannot trust multiple CAs for RadSec server validation, the switch to a server certificate issued by SCEPman SaaS must happen at the same time as the change of the CA trusted for RadSec authentication; otherwise connections will fail.
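The trust-store behaviour behind this cutover advice, as an added example that is not part of the original guide: a trust store holding only the old root rejects the server certificate after rotation, while one holding both roots accepts either. The two throwaway CAs (enterprise-root, saas-root) and the server certificates (radius-old, radius-new) are constructed stand-ins, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: two throwaway roots stand in for the SCEPman Enterprise and
# SCEPman SaaS root CAs. Nothing here contacts a real service.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server CA NAME: issue server certificate NAME.pem signed by CA.
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 7 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# trusts BUNDLE NAME: succeed only if NAME.pem chains to a root in BUNDLE.
trusts() {
    openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca enterprise-root                   # current issuer (stand-in)
make_ca saas-root                         # new issuer (stand-in)
issue_server enterprise-root radius-old   # server cert before rotation
issue_server saas-root radius-new         # server cert after rotation

# Trust store of a device that was never updated vs. one updated additively.
cp "$WORK/enterprise-root.pem" "$WORK/old-only.pem"
cat "$WORK/enterprise-root.pem" "$WORK/saas-root.pem" > "$WORK/both.pem"

for bundle in old-only.pem both.pem; do
    for cert in radius-old radius-new; do
        if trusts "$bundle" "$cert"; then result=ACCEPT; else result=REJECT; fi
        printf '%-13s %-11s %s\n' "$bundle" "$cert" "$result"
    done
done
```

The same `openssl verify -CAfile` check can be run against the real root CA files exported for your clients or authenticators before the server certificate rotates.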
Check for Rules matching Issuer(s)
If you are using rules to filter for specific certificate authorities, client authentications might be rejected when using certificates from SCEPman SaaS if the Any authentication allowed rule is disabled.
Add new rules for the added CA certificate or make sure to modify existing rules to include it:

Frequently Asked Questions
Can I run SCEPman Enterprise and SCEPman SaaS in parallel during the migration phase?
Yes. As long as you have trusted both Root CA certificates for client connection in RADIUSaaS, client certificates from both certification authorities can be used for authentication.
Can I use my existing SCEPman Enterprise Root Certificate for SCEPman SaaS?
While technically possible through Bring your own Key Vault, reusing your existing Root CA certificate is not recommended for the following reasons:
Already issued certificates are only stored in the tenant of the existing SCEPman Enterprise deployment, while newly created certificates will be stored within SCEPman SaaS. This can lead to failing validations if components are not able to figure out which CA should be considered for validation.
Depending on the deployment location of your Key Vault and your RADIUSaaS instance, added latency is expected during cryptographic operations that require the Root CA certificate.
When can I decommission my old SCEPman instance?
Once all certificate use cases of the SCEPman Enterprise instance have been migrated to SCEPman SaaS, you can safely stop the app service. These use cases include but are not limited to:
Client Certificates
Server Certificates
DC Certificates
Certificates for TLS inspection
Code Signing Certificates
S/MIME Certificates
Make sure to monitor the Log Analytics Workspace long enough to verify that no certificate validation or issuance is happening anymore.