Troubleshooting: SCEP Certificate Renewal Failure due to Hostname Change
When SCEP certificate is linked to the DNS name of the device, the renaming of the device can lead to certificate renewal failure. This is indicated by the notification: "Renewal of client certificate failed - subject has changed OLDNAME > NEWNAME
".
Problem
If DNS name (auto) is selected under Network > SCEP Client (NDES) > Certificate > Type of CommonName/SubjectAltName, the hostname (also known as computer name or terminal name) is used for the SCEP certificate.
When the device gets renamed, the change is ignored for the network authentication and the certificate with the old hostname remains in use by default. This way the network authentication continues to function despite of the mismatch between the certificate with the old hostname and the one with new hostname.
However, when the certificate needs to get renewed, it usually fails because the SCEP server does not hand out a certificate for the new hostname based on the legitimacy of the old certificate.
Solution
To change the configuration:
Go to System > Registry > network.scepclient.cert%.hostname_change_handling
The default value is Ignore, this is why hostname changes are ignored in network authentication.Set the the parameter to Reset.
As a result, when the hostname changes, any existing certificate gets discarded and the whole SCEP process starts over.
The Reset option is helpful when starting over the whole SCEP process is desired. It will not work when e.g. a fixed challenge password is configured and not valid anymore. So when the hostname is changed carelessly, the Ignore option’s consequences are less severe.