# Renewing SCEPman Root CA The SCEPman Root CA is valid for 10 years. Once it has expired, SCEPman will need to be re-deployed, as there is currently no method to extend the validity period past 10 years or to renew the existing Root CA. A redeployment has the advantage that the new Root CA will live up to the security standards (key size, algorithms etc.) that are relevant to that time in the future. {% stepper %} {% step %} ### Deploy a secondary SCEPman instance Use any preferred [deployment option](/scepman-deployment/deployment-options.md). {% endstep %} {% step %} ### Set up the secondary SCEPman instance as needed The second instance should be set up identically to your primary instance or in a way that's ready to use. This may include: * Additional MDM Configurations * Health Checks * Environment Variables * Custom Domains and Geo-redundancy (Save this until **after** the cutover if you plan to re-use the existing custom domain) * Update Strategy {% endstep %} {% step %} ### Set up MDM profiles MDMs should begin distributing the Root CA and SCEP certificates from the secondary SCEPman instance **in parallel** to the certificates to the primary instance. {% endstep %} {% step %} ### Prepare Systems and Applications Most systems and applications can be configured to accept multiple Root CAs. The Secondary Root CA should be added now in preparation of the cutover. {% endstep %} {% step %} ### Cutover to your Secondary SCEPman *Only begin this step once all endpoint devices have received Root and SCEP certificates from the secondary instance.* MDMs configuration profiles should now point to the Secondary SCEPman instance for cases such as WiFi authentication. Custom Domain and Geo-Redundancy should be set up now if you are re-using your initial custom domain. Make adjustments on systems/applications as necessary. {% endstep %} {% step %} ### Delete (old) primary SCEPman Instance Resources related to the old SCEPman Instance can now be removed including: * Azure resources * MDM configuration profiles pointing to the old instance * Root CAs and configurations on systems/applications relevant to the old instance {% endstep %} {% endstepper %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scepman.com/other/faqs/renewing-scepman-root-ca.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.