
# Renewing SCEPman Root CA

The SCEPman Root CA is valid for 10 years. Once it has expired, SCEPman will need to be re-deployed, as there is currently no method to extend the validity period past 10 years or to renew the existing Root CA.

A redeployment has the advantage that the new Root CA will live up to the security standards (key size, algorithms etc.) that are relevant to that time in the future.

{% stepper %}
{% step %}

### Deploy a secondary SCEPman instance

Use any preferred [deployment option](/scepman-deployment/deployment-options.md).
{% endstep %}

{% step %}

### Set up the secondary SCEPman instance as needed

The secondary instance should be set up identically to your primary instance, or otherwise in a way that is ready for use.

This may include:

* Additional MDM Configurations
* Health Checks
* Environment Variables
* Custom Domains and Geo-redundancy (Save this until **after** the cutover if you plan to re-use the existing custom domain)
* Update Strategy

{% endstep %}

{% step %}

### Set up MDM profiles

MDMs should begin distributing the Root CA and SCEP certificates from the secondary SCEPman instance **in parallel** with the certificates from the primary instance.
{% endstep %}

{% step %}

### Prepare Systems and Applications

Most systems and applications can be configured to accept multiple Root CAs. The secondary Root CA should be added now in preparation for the cutover.
{% endstep %}

{% step %}

### Cutover to your Secondary SCEPman

*Only begin this step once all endpoint devices have received Root and SCEP certificates from the secondary instance.*

MDM configuration profiles should now point to the secondary SCEPman instance for cases such as WiFi authentication.

Custom Domain and Geo-Redundancy should be set up now if you are re-using your initial custom domain.

Make adjustments on systems/applications as necessary.
{% endstep %}

{% step %}

### Delete (old) primary SCEPman Instance

Resources related to the old SCEPman instance can now be removed, including:

* Azure resources
* MDM configuration profiles pointing to the old instance
* Root CAs and configurations on systems/applications relevant to the old instance

{% endstep %}
{% endstepper %}
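
The cutover gate above, as an added example (not part of the SCEPman documentation or tooling): a Python check over a certificate inventory that lists the devices still missing the new Root CA or an unexpired SCEP certificate from the secondary instance. The CSV columns, the thumbprint placeholders and the function name are assumptions of this example; map them to whatever your MDM actually exports.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample inventory. The column names and the OLDROOT/NEWROOT
# thumbprint placeholders are assumptions, not an MDM or SCEPman export format.
SAMPLE_INVENTORY = """device,cert_type,root_thumbprint,not_after
laptop-01,root,OLDROOT0000,2030-01-01T00:00:00+00:00
laptop-01,scep,OLDROOT0000,2026-01-10T00:00:00+00:00
laptop-01,root,NEWROOT1111,2035-01-01T00:00:00+00:00
laptop-01,scep,NEWROOT1111,2026-03-01T00:00:00+00:00
laptop-02,root,NEWROOT1111,2035-01-01T00:00:00+00:00
laptop-02,scep,OLDROOT0000,2026-02-15T00:00:00+00:00
phone-03,root,NEWROOT1111,2035-01-01T00:00:00+00:00
phone-03,scep,NEWROOT1111,2024-12-31T00:00:00+00:00
tablet-04,scep,OLDROOT0000,2026-02-15T00:00:00+00:00
"""


def devices_blocking_cutover(inventory_csv, new_root, now):
    """Map each device that is not ready to the certificate types it lacks.

    A device is ready when it holds both the new Root CA ("root") and an
    unexpired SCEP certificate issued under it ("scep").
    """
    seen = set()
    has = {"root": set(), "scep": set()}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        device = row["device"].strip()
        kind = row["cert_type"].strip().lower()
        seen.add(device)
        if row["root_thumbprint"].strip().upper() != new_root.upper():
            continue  # certificate belongs to the old primary instance
        if kind in has and datetime.fromisoformat(row["not_after"].strip()) > now:
            has[kind].add(device)
    blocking = {}
    for device in sorted(seen):
        gaps = [kind for kind in ("root", "scep") if device not in has[kind]]
        if gaps:
            blocking[device] = gaps
    return blocking


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for device, gaps in devices_blocking_cutover(SAMPLE_INVENTORY, "NEWROOT1111", now).items():
        print(f"{device}: missing {', '.join(gaps)} from the secondary instance")
```

An empty result means every device in the inventory is ready; any entry is a reason to hold the cutover.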

