Device certificates

For each device, after the onboarding process, the system creates a client authentication certificate so that users do not need to perform an additional logon for the SCG once they have registered their device. As long as the certificate is valid, users' devices automatically connect to their Scout infrastructure via the SCG. Users only log on to Scout with their usual account, for example an AD account.

These certificates are called Device certificates. You can preconfigure their validity and expiration behavior for your SCG instance. For further information, see User authentication / Device certificates.

Validity period

The validity period of the device certificates is set to three years by default. It must be 30 days minimum and 5 years (1825 days) maximum. Within this range, you can freely define the validity period. The expiration date (Validity) of each device certificate is derived from the defined validity period. The validity date is set in the following situations:

You can view the validity date of a device certificate at any time in the certificate details under Properties. To do so, click the certificate icon. If a certificate is registered for renewal, you will see the new validity date under Renewal.

Defining a limited validity period without automatic renewal allows you, for example, to make the devices reboot after a certain time.

Automatic renewal

The device certificates can be renewed automatically before they expire. This function is not active by default. You can configure it in two variants: With the option Automatically renew before expiration, the system attempts to renew the device certificate seven days before expiration. If the user does not connect with their device within these seven days, the certificate expires. Only if the option Allow renewal of expired certificates is also active will the expired certificate be renewed automatically the next time the device starts and contacts the SCG.

Automatic renewal (including expired certificates) allows you to avoid user interaction and the need to onboard devices a second time.

With automatic renewal configured, the following situations result for a device within the four stages shown:

Stage                       | Onboarding | 30 days before exp. | 7 days before exp.     | Expiration
Icon                        |            |                     |                        |
Authentication for config 1 |            |                     | Certificate is renewed | X
Authentication for config 2 |            |                     | Certificate is renewed | Certificate is renewed

Config 1: Option Automatically renew before expiration is active.
Config 2: Option Allow renewal of expired certificates is additionally active.

After you revoke certain certificates, they will be excluded from automatic renewal.
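
The renewal rules above can be modelled as a small decision function that predicts what happens when a device next contacts the SCG. This is an added example, not part of the SCG product or its documentation; the function names, the sample devices and the boundary handling (a certificate counts as valid through its expiration date, the second option has no effect without the first, a revoked certificate no longer authenticates) are assumptions.

```python
from datetime import date, timedelta
from enum import Enum

RENEW_WINDOW = timedelta(days=7)               # renewal is attempted 7 days before expiration
MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS = 30, 1825

class Outcome(Enum):
    AUTHENTICATED = "authenticated, certificate unchanged"
    RENEWED = "authenticated, certificate is renewed"
    REJECTED = "not authenticated, manual renewal or new onboarding needed"

def check_validity_period(days: int) -> int:
    """Reject validity periods outside the documented 30..1825 day range."""
    if not MIN_VALIDITY_DAYS <= days <= MAX_VALIDITY_DAYS:
        raise ValueError(f"validity period out of range: {days} days")
    return days

def on_connect(expires: date, today: date, *, renew_before_expiration: bool = False,
               allow_expired_renewal: bool = False, revoked: bool = False) -> Outcome:
    """Outcome when a device contacts the SCG on `today` with a certificate expiring on `expires`."""
    if revoked:
        return Outcome.REJECTED                # revoked certificates are excluded from renewal
    expired = today > expires                  # assumption: valid through the expiration date
    if not renew_before_expiration:            # default: automatic renewal is not active
        return Outcome.REJECTED if expired else Outcome.AUTHENTICATED
    if expired:
        # Config 2 renews an expired certificate on next contact; config 1 does not.
        return Outcome.RENEWED if allow_expired_renewal else Outcome.REJECTED
    if expires - today <= RENEW_WINDOW:
        return Outcome.RENEWED
    return Outcome.AUTHENTICATED

def fleet_report(devices, today, **policy):
    """Map device name -> Outcome for (name, expires, revoked) tuples."""
    return {name: on_connect(exp, today, revoked=rev, **policy) for name, exp, rev in devices}

# Constructed sample inventory (device names and dates are made up).
TODAY = date(2024, 6, 1)
DEVICES = [
    ("kiosk-01", TODAY + timedelta(days=200), False),   # far from expiration
    ("kiosk-02", TODAY + timedelta(days=5), False),     # inside the 7-day window
    ("laptop-07", TODAY - timedelta(days=12), False),   # expired while offline
    ("laptop-09", TODAY + timedelta(days=3), True),     # revoked by an administrator
]
CONFIG_1 = dict(renew_before_expiration=True)
CONFIG_2 = dict(renew_before_expiration=True, allow_expired_renewal=True)

if __name__ == "__main__":
    for label, policy in (("config 1", CONFIG_1), ("config 2", CONFIG_2)):
        for name, outcome in fleet_report(DEVICES, TODAY, **policy).items():
            print(f"{label}  {name}: {outcome.value}")
```

Running the report against an export of expiration dates before changing the options shows which devices would drop out under config 1 but stay connected under config 2.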

Manual renewal

By default, device certificates expire automatically. Of course, you can also avoid re-onboarding known devices by renewing the device certificates manually in the Devices view. Again, the certificate icons are displayed in color and allow you to see at a glance whether action is required. Note the following:

Manage device certificates

In the Devices view, administrators may view, revoke or renew the certificates for their devices at any time. The certificates are displayed differently depending on their validity:

Certificate is valid for more than 30 days

Certificate will expire in less than 30 days

Certificate has expired

Certificate is not available or has been revoked

The same colors are used for the button to revoke a certificate.

1 Expiration date for the validity of a device certificate
2 View details of a device certificate
3 Revoke certificate of a device
4 Renew or revoke certificates of multiple devices. The devices must be selected beforehand.

For further information, see Devices view.