EAP-TLS certificate renewal
Renew EAP-TLS Client and Server Certificate Authorities
This guide outlines the necessary steps for renewing Client and/or Server Certificate Authorities (CAs) in the EAP-TLS configuration. These steps are critical when certificates are nearing expiration to maintain uninterrupted services.
Renewing the Client CA
- Navigate to the Foxpass console's EAP-TLS page.
- Click on the “Create New CA” button under the section labeled “Client Certificate Authorities.”
![Create new Client CA](https://files.readme.io/abf4560-Screenshot_2024-03-21_at_4.56.42_PM.png)
- A new Client CA will be created. Click 'Ok'.
![](https://files.readme.io/c5a1598-Screenshot_2024-07-02_at_10.16.03_AM.png)
![Client CA created](https://files.readme.io/7ec0274-Screenshot_2024-07-02_at_10.28.42_AM.png)
- Wait about 10 minutes for this new Client CA to be available on our RADIUS servers.
- Go to the SCEP page.
![Click the blue button](https://files.readme.io/2104bf4-Screenshot_2024-07-02_at_10.20.21_AM.png)
- Edit the SCEP endpoint(s) that should begin using this new Client CA. The last option on the modal is the Client CA that will be used for this SCEP endpoint. Click the 'Submit' button.
![Edit the SCEP endpoint](https://files.readme.io/6e1c21c-Screenshot_2024-07-02_at_10.26.05_AM.png)
![](https://files.readme.io/032058b-Screenshot_2024-07-02_at_10.30.08_AM.png)
![SCEP endpoint with new Client CA](https://files.readme.io/8e83e39-Screenshot_2024-07-02_at_10.31.31_AM.png)
- Do not delete the old CA until after it has expired OR you are sure all devices have received a certificate using the new CA; if you delete it early, all of the certificates that it has signed will immediately become invalid.
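One way to check which Client CA a device certificate depends on before deleting the old CA. This is an added example, not part of the Foxpass documentation; it assumes `openssl` is installed and uses constructed CAs and device certificates (`old-client-ca`, `new-client-ca`, `laptop-a`, `laptop-b` are hypothetical names) in place of PEM copies of your real CA and device certificates.

```shell
#!/bin/sh
# Added example: which Client CA does a device certificate depend on?
# All names and files below are constructed for the demo.
set -eu
WORK="$(mktemp -d)"

# make_ca NAME: self-signed CA, standing in for a Client CA from the console.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client CA NAME: client certificate signed by CA, standing in for a
# certificate a device received through SCEP.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 7 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# signed_by CA_PEM CERT_PEM: succeeds if CERT_PEM verifies against CA_PEM.
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# ca_status OLD_CA NEW_CA CERT: prints "new", "old" or "unknown".
ca_status() {
  if signed_by "$2" "$3"; then echo new
  elif signed_by "$1" "$3"; then echo old
  else echo unknown
  fi
}

# expires_within CERT SECONDS: succeeds if CERT expires within SECONDS.
expires_within() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

make_ca old-client-ca
make_ca new-client-ca
make_client old-client-ca laptop-a   # not yet re-enrolled
make_client new-client-ca laptop-b   # re-enrolled through the edited SCEP endpoint

for dev in laptop-a laptop-b; do
  status=$(ca_status "$WORK/old-client-ca.pem" "$WORK/new-client-ca.pem" "$WORK/$dev.pem")
  echo "$dev: signed by $status Client CA"
done
if expires_within "$WORK/old-client-ca.pem" $((60 * 86400)); then
  echo "old Client CA expires within 60 days"
fi
```

Any device that still reports `old` would lose network access if the old Client CA were deleted before that CA expires.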
Renewing Server Certificates
- Navigate to the Foxpass console's EAP-TLS page.
- Find the newest Server CA.
- Click on the 'Create Certificate' button.
![Create Certificate](https://files.readme.io/4da7b8f-image.png)
![Certificate created](https://files.readme.io/c06c17a-Screenshot_2024-03-21_at_5.10.51_PM.png)
Renewing Server CA Certificates
- Navigate to the Foxpass console's EAP-TLS page.
- Click on “Create New Server CA” under the section labeled "Server Certificate Authorities".
![Create new Server CA](https://files.readme.io/fcd9dd0-Screenshot_2024-03-21_at_5.03.15_PM.png)
- A new Server CA will be created. Click 'Ok'.
![Server CA created](https://files.readme.io/b3f4372-Screenshot_2024-03-21_at_5.04.51_PM.png)
- Click on the 'Create Certificate' button.
- Click on the 'Set as Active' button.
![Mark Server CA as active](https://files.readme.io/c28549a-Screenshot_2024-03-21_at_5.11.37_PM.png)
![Click Ok](https://files.readme.io/586b0cf-Screenshot_2024-03-21_at_5.13.11_PM.png)
![CA marked as active](https://files.readme.io/ec0e80a-Screenshot_2024-03-21_at_5.13.22_PM.png)
Additional Steps for MDM Environments
If you are using a Mobile Device Management (MDM) solution such as Intune / Apple Configurator / JAMF / Chromebook etc., you will have to replace the existing client CA in your profile with the new one. However, you should add (not replace) the new server CA to your existing profile.
Timely renewal of Client and Server CA certificates is essential for the security and functionality of your EAP-TLS setup. Make sure to follow the steps as soon as you receive an email from Foxpass that certificates are nearing their expiration date.