Device certificates
For each device, after the onboarding process, the system creates a client authentication certificate so that users do not need to perform an additional logon for the SCG once they have registered their device. As long as the certificate is valid, users' devices connect automatically to their Scout infrastructure via the SCG. Users only log on to Scout with their usual account, for example an AD account.
These certificates are called Device certificates. You can preconfigure their validity and expiration behavior for your SCG instance. For further information, see User authentication / Device certificates.
Validity period
The validity period of the device certificates is set to three years by default. The minimum is 30 days and the maximum is 5 years (1825 days). Within this range, you can freely define the validity period. The expiration date (Validity) of each device certificate is derived from the defined validity period. The validity date is set in the following situations:
- When a device is on-boarded
- On automatic renewal of a device certificate (if configured)
- On manual renewal of a device
You can view the validity date of a device certificate at any time in the certificate details under Properties. To do so, click the certificate icon. If a certificate is registered for renewal, you will see the new validity date under Renewal.
Defining a limited validity period without automatic renewal allows you, for example, to make the devices reboot after a certain time.
Automatic renewal
The device certificates can be renewed automatically before they expire. This function is not active by default. You can configure it in two variants: With the option Automatically renew before expiration, the system attempts to renew the device certificate seven days before expiration. If the user does not connect with their device within these seven days, the certificate expires. The expired certificate is renewed automatically on the next device start and contact with the SCG only if the option Allow renewal of expired certificates is also active.
Automatic renewal (including expired certificates) allows you to avoid user interaction and the need for on-boarding a second time.
With automatic renewal configured, the following situations result for a device within the four stages shown:
| Stage | Onboarding | 30 days before exp. | 7 days before exp. | Expiration |
|---|---|---|---|---|
| Authentication for config 1 | ✓ | ✓ | ✓ Certificate is renewed | X |
| Authentication for config 2 | ✓ | ✓ | ✓ Certificate is renewed | ✓ Certificate is renewed |
Config 1: Option Automatically renew before expiration is active.
Config 2: Option Allow renewal of expired certificates is additionally active.
After you revoke certain certificates, they will be excluded from automatic renewal.
Manual renewal
By default, device certificates expire automatically. Of course, you can also avoid re-onboarding known devices by renewing the device certificates manually in the Devices view. Again, the certificate icons are displayed in color and allow you to see at a glance whether action is required. Note the following:
- When you set a manual renewal, the validity of the relevant certificates is extended by the validity period defined in Configuration > User authentication. The new date is displayed in the certificate details under Renewal. The Devices view still shows the original date, but the color of the certificate icon changes to blue.
- After you set a renewal, the certificates of the relevant devices will be renewed on their next contact with the SCG. After that, the new validity date is displayed in the Devices view.
- A device that a user logs on with after the manually defined expiration date has passed (for example because the mobile/home device has not been used for a long time) is denied. Either the device needs to be on-boarded again or the admin needs to renew the certificate manually.
Manage device certificates
In the Devices view, administrators may view, revoke or renew the certificates for their devices at any time. The certificates are displayed differently depending on their validity:
- Certificate is valid for more than 30 days
- Certificate will expire in less than 30 days
- Certificate has expired
- Certificate is not available or has been revoked
The same colors are used for the button to revoke a certificate.
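As an added example (not code from this documentation or from the SCG product itself), the following Python model replays the behavior described on this page: the validity limits, the two automatic-renewal options from the stage table above, manual renewal applied on the next contact, revocation, and the four display states of the Devices view. The numbers (30 and 1825 days, seven-day renewal window, 30-day warning) come from the page; the exact window boundary (renewal attempted when seven or fewer days remain), the certificate being usable on its last day, and the manual-renewal date being counted from the current expiration date are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional, Tuple

# Limits and defaults stated in the documentation above.
MIN_VALIDITY_DAYS = 30
MAX_VALIDITY_DAYS = 1825          # 5 years
DEFAULT_VALIDITY_DAYS = 3 * 365   # "three years" (assumed here to mean 1095 days)
RENEW_BEFORE_DAYS = 7             # automatic renewal is attempted 7 days before expiration
WARN_BEFORE_DAYS = 30             # icon color changes when fewer than 30 days remain


class CertStatus(Enum):
    VALID = "valid for more than 30 days"
    EXPIRING = "expires in less than 30 days"
    EXPIRED = "expired"
    UNAVAILABLE = "not available or revoked"


@dataclass
class RenewalPolicy:
    validity_days: int = DEFAULT_VALIDITY_DAYS
    auto_renew_before_expiration: bool = False  # option "Automatically renew before expiration"
    allow_renewal_of_expired: bool = False      # option "Allow renewal of expired certificates"

    def __post_init__(self) -> None:
        if not MIN_VALIDITY_DAYS <= self.validity_days <= MAX_VALIDITY_DAYS:
            raise ValueError(f"validity period must be {MIN_VALIDITY_DAYS}..{MAX_VALIDITY_DAYS} days")


@dataclass
class DeviceCertificate:
    valid_until: date
    revoked: bool = False
    renewal_date: Optional[date] = None  # set by manual renewal, applied on the next contact


def onboard(policy: RenewalPolicy, today: date) -> DeviceCertificate:
    """Onboarding issues a certificate whose expiration date is derived from the validity period."""
    return DeviceCertificate(valid_until=today + timedelta(days=policy.validity_days))


def status(cert: DeviceCertificate, today: date) -> CertStatus:
    """Classifies a certificate the way the Devices view colors its icon."""
    if cert.revoked:
        return CertStatus.UNAVAILABLE
    remaining = (cert.valid_until - today).days
    if remaining < 0:  # assumption: the certificate is still usable on its last day
        return CertStatus.EXPIRED
    if remaining < WARN_BEFORE_DAYS:
        return CertStatus.EXPIRING
    return CertStatus.VALID


def schedule_manual_renewal(cert: DeviceCertificate, policy: RenewalPolicy) -> date:
    """Registers a manual renewal: the expiration date is extended by the configured validity
    period (assumption: counted from the current expiration date) and shown under Renewal."""
    cert.renewal_date = cert.valid_until + timedelta(days=policy.validity_days)
    return cert.renewal_date


def on_device_contact(cert: DeviceCertificate, policy: RenewalPolicy, today: date) -> Tuple[bool, str]:
    """Decides what happens when the device contacts the SCG on `today`: (authenticated, outcome)."""
    if cert.revoked:  # revoked certificates are excluded from any automatic renewal
        return False, "denied: certificate revoked"
    if cert.renewal_date is not None:  # a pending manual renewal takes effect on the next contact
        cert.valid_until, cert.renewal_date = cert.renewal_date, None
    remaining = (cert.valid_until - today).days
    if remaining < 0:
        # Expired certificates are renewed only when the second option is active in addition
        # to the first, which is how the documentation describes config 2.
        if policy.auto_renew_before_expiration and policy.allow_renewal_of_expired:
            cert.valid_until = today + timedelta(days=policy.validity_days)
            return True, "expired certificate renewed automatically"
        return False, "denied: certificate expired"
    if policy.auto_renew_before_expiration and remaining <= RENEW_BEFORE_DAYS:
        cert.valid_until = today + timedelta(days=policy.validity_days)
        return True, "certificate renewed automatically before expiration"
    return True, "authenticated"


def walk_stages(policy: RenewalPolicy) -> Dict[str, Tuple[bool, str]]:
    """Replays the four stages of the documentation table for one policy, using a fresh
    certificate per stage so that the outcomes do not influence one another."""
    day0 = date(2024, 1, 1)  # constructed onboarding date
    stages = (("Onboarding", 0),
              ("30 days before exp.", policy.validity_days - 30),
              ("7 days before exp.", policy.validity_days - 7),
              ("Expiration", policy.validity_days + 1))
    results = {}
    for name, offset in stages:
        cert = onboard(policy, day0)
        results[name] = on_device_contact(cert, policy, day0 + timedelta(days=offset))
    return results


if __name__ == "__main__":
    configs = (("config 1", RenewalPolicy(auto_renew_before_expiration=True)),
               ("config 2", RenewalPolicy(auto_renew_before_expiration=True, allow_renewal_of_expired=True)))
    for label, policy in configs:
        print(label)
        for stage, (ok, outcome) in walk_stages(policy).items():
            print(f"  {stage:<22} {'✓' if ok else 'X'}  {outcome}")
```

Running the module prints the stage table for both configurations; the "Expiration" row is the one that differs, since only config 2 lets an expired certificate be renewed on the next contact. Note that a manual renewal registered by an administrator is applied before the expiration check, which is why a device with a long-expired certificate can still be admitted after the administrator renews it instead of re-onboarding.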
- To select either individual or all devices, use the selection column on the left side of the table.
For further information, see Devices view.