EAP-TLS certificate renewal

Renew EAP-TLS Client and Server Certificate Authorities

This guide outlines the necessary steps for renewing Client and/or Server Certificate Authorities (CAs) in the EAP-TLS configuration. These steps are critical when certificates are nearing expiration to maintain uninterrupted services.

Renewing the Client CA

  1. Navigate to the Foxpass console's EAP-TLS page.
  2. Click on the “Create New CA” button under the section labeled “Client Certificate Authorities.”

    [Figure: Create new Client CA]

  3. A new Client CA will be created. Click 'Ok'.

    [Figure: Client CA created]

  4. Wait about 10 minutes for this new Client CA to be available on our RADIUS servers.
  5. Go to the SCEP page.

    [Figure: Click the blue button]

  6. Edit the SCEP endpoint(s) that should begin using this new Client CA. The last option on the modal is the Client CA that will be used for this SCEP endpoint. Click the 'Submit' button.

    [Figure: Edit the SCEP endpoint]

    [Figure: SCEP endpoint with new Client CA]

  7. Look at your MDM's SCEP configuration profile. If it makes reference to the Client CA, then download your new Client CA and replace what's there with the newly downloaded one.
  8. Do not delete the old CA until after it has expired OR you are sure all devices have received a certificate using the new CA; if you delete it early, all of the certificates that it has signed will immediately become invalid.
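
One way to check the last step before deleting the old Client CA, shown as an added example that is not Foxpass tooling. It assumes the issued client certificates have been exported as PEM files into one directory; the file names, directory layout and function names are hypothetical, and the sample CAs and device certificates are constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example, not Foxpass tooling. Assumes OpenSSL 1.1.1+ and that issued
# client certificates were exported as PEM files into one directory.

# Print which CA a client certificate chains to: new, old or unknown.
issuing_ca() {  # usage: issuing_ca OLD_CA.pem NEW_CA.pem CERT.pem
  if openssl verify -CAfile "$2" "$3" >/dev/null 2>&1; then echo new
  elif openssl verify -CAfile "$1" "$3" >/dev/null 2>&1; then echo old
  else echo unknown   # expired, unreadable, or signed by some other CA
  fi
}

# Exit 0 only if the old CA has expired or every certificate in DIR chains to
# the new CA; otherwise list what deleting the old CA would invalidate.
safe_to_delete_old_ca() {  # usage: safe_to_delete_old_ca OLD_CA.pem NEW_CA.pem DIR
  local cert pending=0
  # Refuse to answer if either CA file cannot be read or parsed.
  openssl x509 -in "$1" -noout 2>/dev/null && [ -r "$2" ] || return 2
  # -checkend 0 fails once the certificate's notAfter date has passed.
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 0
  for cert in "$3"/*.pem; do
    if [ "$(issuing_ca "$1" "$2" "$cert")" != new ]; then
      echo "not yet on the new CA: $cert" >&2
      pending=$((pending + 1))
    fi
  done
  [ "$pending" -eq 0 ]
}

# Constructed sample data: two throwaway CAs, one device certificate from each.
make_demo() {  # usage: make_demo WORKDIR
  local d="$1" ca
  mkdir -p "$d/devices"
  for ca in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo $ca CA" \
      -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=device-$ca" \
      -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/$ca-ca.pem" -CAkey "$d/$ca-ca.key" \
      -set_serial 1 -days 10 -out "$d/devices/device-$ca.pem" 2>/dev/null
  done
}

demo=$(mktemp -d) && make_demo "$demo"
safe_to_delete_old_ca "$demo/old-ca.pem" "$demo/new-ca.pem" "$demo/devices" \
  || echo "keep the old CA for now"
```

A non-zero exit means at least one exported certificate still chains to the old CA or could not be verified, so the old CA should stay in place.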

Renewing Server Certificates

  1. Navigate to the Foxpass console's EAP-TLS page.
  2. Find the newest Server CA.
  3. Click on the 'Create Certificate' button.

    [Figure: Create Certificate]

    [Figure: Certificate created]

Renewing Server CA Certificates

  1. Navigate to the Foxpass console's EAP-TLS page.
  2. Click on “Create New Server CA” under the section labeled "Server Certificate Authorities".

    [Figure: Create new Server CA]

  3. A new Server CA will be created. Click 'Ok'.

    [Figure: Server CA created]

  4. Click on the 'Create Certificate' button.

    [Figure: Create Certificate]

    [Figure: Certificate created]

  5. Download the new Server CA.

  6. Upload the new Server CA to your MDM.

  7. Modify the MDM's WiFi configuration profile to trust both the existing Server CA and the new one.

  8. Wait until the MDM profile has been pushed to all devices.

  9. Click on the 'Set as Active' button in Foxpass.

    [Figure: Mark Server CA as active]

    [Figure: Click Ok]

    [Figure: CA marked as active]