Skip to main content
Skip table of contents

Troubleshooting: SCEP Certificate Renewal Failure due to Hostname Change

When SCEP certificate is linked to the DNS name of the device, the renaming of the device can lead to certificate renewal failure. This is indicated by the notification: "Renewal of client certificate failed - subject has changed OLDNAME > NEWNAME".


Problem

If DNS name (auto) is selected under Network > SCEP Client (NDES) > Certificate > Type of CommonName/SubjectAltName, the hostname (also known as computer name or terminal name) is used for the SCEP certificate.

When the device gets renamed, the change is ignored for the network authentication and the certificate with the old hostname remains in use by default. This way the network authentication continues to function despite of the mismatch between the certificate with the old hostname and the one with new hostname.

However, when the certificate needs to get renewed, it usually fails because the SCEP server does not hand out a certificate for the new hostname based on the legitimacy of the old certificate.

Solution

To change the configuration:

  1. Go to System > Registry > network.scepclient.cert%.hostname_change_handling

    image-20240612-144812.png


    The default value is Ignore, this is why hostname changes are ignored in network authentication. 

  2. Set the the parameter to Reset.
    As a result, when the hostname changes, any existing certificate gets discarded and the whole SCEP process starts over.

The Reset option is helpful when starting over the whole SCEP process is desired. It will not work when e.g. a fixed challenge password is configured and not valid anymore. So when the hostname is changed carelessly, the Ignore option’s consequences are less severe.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.