Server Certificate Renewal

This page describes how to renew the RADIUSaaS server certificate without interrupting client connections.

Before continuing, you need to answer the following questions:

  • Do you want to buy/bring your own certificate (e.g. from SCEPman) or do you want to use the free certificate which your instance can create for you?

  • Are you deploying user- or device client authentication certificates?

We recommend starting the renewal process of the RADIUS server certificate 8 - 10 weeks before it expires.

Reason:

If you are using the legacy self-signed server certificate we used to provide, RADIUSaaS will auto-renew the server certificate 30 days prior to its expiry (Valid until date). If you miss this deadline, you can no longer control the activation of a new RADIUS server certificate.

Part 1

Certificate Creation

  1. Create/upload a new server certificate (download the certificate afterwards as you will need it for the Intune profiles later on).

    • If you would like to use the free certificates that can directly be created from the RADIUSaaS Admin Portal, please create your own CA as described here.

    • If you would like to use your own certificate instead, select PEM encoded Certificate in the Add certificate dialog, select the certificate name and upload the public and private key.

  2. Generate a new XML if you are deploying device certificates as described here.

Intune Profiles

  1. Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.

  2. Update your existing WiFi or wired profile(s):

    • If you have used the Intune Wizard for the creation of your network profile(s), edit all relevant profiles by adding a second trusted server certificate. Do not forget to add a second server name under Certificate server names in case the new certificate has a different domain.

    • If you have used a custom profile for the creation of your network profile(s), re-download the XML generated by RADIUSaaS from here, and replace it in your existing profile. Both server certificate thumbprints are automatically included in the XML.

  3. Wait until all your clients have received the updated profile(s).
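One way to check an updated Windows profile XML before the switch-over, as an added example that is not part of the original page or RADIUSaaS code. It assumes the XML uses the standard Windows EAP-TLS layout (`ServerValidation` with `TrustedRootCA` and `ServerNames` elements); the thumbprints, server names and helper names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed EAP-TLS section of a Windows network profile.
# Thumbprints and server names are placeholders, not real values.
OLD_TP = "11" * 20
NEW_TP = "22" * 20
SAMPLE_XML = f"""<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
  <ServerValidation>
    <ServerNames>radius-old.example.com;radius-new.example.com</ServerNames>
    <TrustedRootCA>{' '.join(['11'] * 20)}</TrustedRootCA>
    <TrustedRootCA>{' '.join(['22'] * 20)}</TrustedRootCA>
  </ServerValidation>
</EapType>"""

def normalize(thumbprint):
    """Keep only hex digits, lowercased, so 'AA BB', 'aa:bb' and 'aabb' compare equal."""
    return "".join(c for c in thumbprint if c in "0123456789abcdefABCDEF").lower()

def local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def check_profile(xml_text, required_thumbprints, required_names):
    """Return a list of problems. An empty list means every ServerValidation block
    trusts all required thumbprints and lists all required names (exact match only)."""
    root = ET.fromstring(xml_text)
    blocks = [e for e in root.iter() if local(e.tag) == "ServerValidation"]
    if not blocks:
        return ["no ServerValidation element found"]
    problems = []
    for i, block in enumerate(blocks, 1):
        trusted = {normalize(e.text or "") for e in block.iter() if local(e.tag) == "TrustedRootCA"}
        names = set()
        for e in block.iter():
            if local(e.tag) == "ServerNames":
                names.update(n.strip().lower() for n in (e.text or "").split(";") if n.strip())
        for tp in required_thumbprints:
            if normalize(tp) not in trusted:
                problems.append(f"block {i}: thumbprint {normalize(tp)} not trusted")
        for name in required_names:
            if name.lower() not in names:
                problems.append(f"block {i}: server name {name} missing")
    return problems

if __name__ == "__main__":
    print(check_profile(SAMPLE_XML, [OLD_TP, NEW_TP], ["radius-new.example.com"]) or "OK")
```

Run it against the XML you are about to deploy, passing the thumbprints of both the current and the new server certificate; any reported problem means clients with that profile would reject one of the two certificates.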

Jamf Profiles

  1. Deploy the new server certificate/trusted root to your clients as described here by creating a new profile.

  2. Update your existing WiFi or wired profile(s) by adding a second common name under Trusted Server Certificate Names.

  3. Wait until all your clients have received the updated profile(s).

WiFi & LAN infrastructure

This step is only necessary if you're using RadSec.

Upload the new server certificate to your Access Points or network switch device.

Part 2

We recommend a minimum waiting period of 4 weeks between completing Part 1 and starting with Part 2.

After the updated profiles have successfully been deployed to all your clients (depending on the size of the deployment this may take weeks since some employees might be on holidays), you can take the last step and perform the certificate switch-over in your RADIUSaaS Admin Portal.

Only proceed with the next step if you are certain that all your clients received the new/updated profiles. Otherwise, they will not be able to connect to your network afterwards.

  • Activate the new server certificate as described here.
