Renewing SCEPman Root CA

The SCEPman Root CA is valid for 10 years. Once it has expired, SCEPman will need to be re-deployed, as there is currently no method to extend the validity period past 10 years or to renew the existing Root CA.

A redeployment has the advantage that the new Root CA will live up to the security standards (key size, algorithms etc.) that are relevant to that time in the future.

Deploy a secondary SCEPman instance

Use any preferred .

Set up the secondary SCEPman instance as needed

The second instance should be set up identically to your primary instance or in a way that's ready to use.

This may include:

Additional MDM Configurations
Health Checks
Environment Variables
Custom Domains and Geo-redundancy (Save this until after the cutover if you plan to re-use the existing custom domain)
Update Strategy

Set up MDM profiles

MDMs should begin distributing the Root CA and SCEP certificates from the secondary SCEPman instance in parallel to the certificates to the primary instance.

Prepare Systems and Applications

Most systems and applications can be configured to accept multiple Root CAs. The Secondary Root CA should be added now in preparation of the cutover.

Cutover to your Secondary SCEPman

Only begin this step once all endpoint devices have received Root and SCEP certificates from the secondary instance.

MDMs configuration profiles should now point to the Secondary SCEPman instance for cases such as WiFi authentication.

Custom Domain and Geo-Redundancy should be set up now if you are re-using your initial custom domain.

Make adjustments on systems/applications as necessary.

Delete (old) primary SCEPman Instance

Resources related to the old SCEPman Instance can now be removed including:

Azure resources
MDM configuration profiles pointing to the old instance
Root CAs and configurations on systems/applications relevant to the old instance

Last updated 1 month ago

Was this helpful?