Renewing SCEPman Root CA

Last updated 1 month ago

The SCEPman Root CA is valid for 10 years. Once it has expired, SCEPman will need to be re-deployed, as there is currently no method to extend the validity period past 10 years or to renew the existing Root CA.

A redeployment has the advantage that the new Root CA can be created to the security standards (key size, algorithms, etc.) that apply at that future point in time.

1. Deploy a secondary SCEPman instance

Use any preferred deployment option.

2. Set up the secondary SCEPman instance as needed

The secondary instance should be set up identically to your primary instance, or at least in a way that makes it ready to use.

This may include:

  • Additional MDM Configurations

  • Health Checks

  • Environment Variables

  • Custom Domains and Geo-redundancy (Save this until after the cutover if you plan to re-use the existing custom domain)

  • Update Strategy

3. Set up MDM profiles

MDMs should begin distributing the Root CA and SCEP certificates from the secondary SCEPman instance in parallel with the certificates from the primary instance.

4. Prepare systems and applications

Most systems and applications can be configured to accept multiple Root CAs. The secondary Root CA should be added now in preparation for the cutover.

5. Cut over to your secondary SCEPman

Only begin this step once all endpoint devices have received Root and SCEP certificates from the secondary instance.

MDM configuration profiles should now point to the secondary SCEPman instance for use cases such as Wi-Fi authentication.

Custom Domain and Geo-Redundancy should be set up now if you are re-using your initial custom domain.

Make any necessary adjustments to systems and applications.

6. Delete the (old) primary SCEPman instance

Resources related to the old SCEPman instance can now be removed, including:

  • Azure resources

  • MDM configuration profiles pointing to the old instance

  • Root CAs and configurations on systems/applications relevant to the old instance
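As an added example (not from the SCEPman documentation), the trust-store phases of steps 4 to 6 can be rehearsed locally with openssl: two constructed self-signed roots stand in for the old and new SCEPman Root CA, one leaf certificate per root stands in for a device certificate, and each phase's trust bundle is checked against both leaves to show why the dual-trust window in steps 4 and 5 must be complete before step 6 removes the old root. All names and files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the SCEPman docs: rehearse the trust-store phases of a
# Root CA rollover. Both roots and both leaves are constructed locally; the
# labels "old" and "new" stand in for the primary and secondary SCEPman Root CA.
set -e
WORK="$(mktemp -d)"

# Create one self-signed root CA plus one leaf ("device") certificate it signs.
make_ca_and_leaf() {   # $1 = label (old|new)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=constructed-$1-root" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=device-via-$1" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$WORK/$1-leaf.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# Chain-verify a leaf against a trust bundle; prints "ok" or "fail".
verify_leaf() {        # $1 = leaf pem, $2 = bundle pem
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca_and_leaf old
make_ca_and_leaf new

# Phase "old":  only the old root is trusted (state before step 4).
cp "$WORK/old-root.pem" "$WORK/bundle-old.pem"
# Phase "both": old and new root trusted (dual-trust window of steps 4 and 5).
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/bundle-both.pem"
# Phase "new":  only the new root remains (state after step 6).
cp "$WORK/new-root.pem" "$WORK/bundle-new.pem"

# Result for one phase as "<old-leaf result> <new-leaf result>".
phase_result() {       # $1 = old|both|new
  a="$(verify_leaf "$WORK/old-leaf.pem" "$WORK/bundle-$1.pem")"
  b="$(verify_leaf "$WORK/new-leaf.pem" "$WORK/bundle-$1.pem")"
  echo "$a $b"
}

# Expected: old -> "ok fail", both -> "ok ok", new -> "fail ok".
for p in old both new; do
  echo "bundle-$p: old-leaf/new-leaf = $(phase_result "$p")"
done
```

A device still holding only an old-instance certificate fails verification as soon as the old root is dropped, which is the situation step 5's precondition is meant to rule out.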
