The Four Stages of a Certificate Life Cycle

Eytan Raphaely Education


Digital certificates are electronic credentials used to authenticate the identity of an individual or device on a particular network. It's helpful to think of a certificate as serving a similar function to a passport or driver's license: those official documents are issued and confirmed by governments to authenticate an identity, while a digital certificate is issued and confirmed by a certificate authority (CA) to authenticate an identity.

Passwords rely on words or phrases created by the user, but certificates use public-private key encryption to encrypt information sent over the air and are authenticated with EAP-TLS, the most secure authentication protocol. Certificates offer far more advantages to IT departments and users alike, as they are easier to use and far more secure than credential-based authentication.

However, even certificates are not valid forever. They go through a life cycle that is heavily influenced by an organization's preferences. While there is some variation, generally speaking the four stages of a certificate are:

  1. Certificate Enrollment
  2. Certificate Distribution
  3. Certificate Validation
  4. Certificate Revocation


Certificate Enrollment

The first phase of the certificate life cycle typically begins with a user, device, or machine requesting a certificate from a CA. The request contains a public key and other enrollment information. Once the request is received, the CA verifies the information it contains against an established set of rules set in advance. If the information is legitimate, the CA creates the certificate and sends it to the requesting party.

Certificate Distribution

Certificate distribution occurs when the CA distributes the certificate to the user. This is considered a separate process because it might require management intervention from the CA. During this stage, the CA sets policies that affect the use of the certificate.

Often, enterprises are concerned about the difficulty of securely distributing certificates to every device in their organization; that's where software such as SecureW2's can come in handy. SecureW2's JoinNow suite can configure and push an auto-enrollment payload to every device to streamline the distribution of certificates and allow for easy management of all of them.

Certificate Validation

When a certificate is used, its current status is checked to verify that it is still valid. During this process, the CA checks the certificate revocation list (CRL) on the RADIUS server; the CRL is a list of certificates that have been revoked by the CA that issued them before they were set to expire. This is a helpful security feature if a device containing a certificate is stolen, or if an employee's permissions change (because they were promoted or left the company, for example). A RADIUS server only rejects a connection request from a device if the device's certificate serial number is contained in the CRL.

Certificate Revocation

The last stage of a certificate's life cycle comes either when the certificate expires or when an administrator revokes it before its expiry date. When one of these conditions is met, the CA automatically adds that certificate to the CRL, which instructs the RADIUS server to no longer authenticate it.

Using SecureW2's management portal, network administrators can set their own policies for CRL updates, change the update interval, or manually push updates efficiently and easily.
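As an added example (not SecureW2's code and not part of the original post), the POSIX shell script below walks one device certificate through the four stages with the openssl command line: enrollment via a CSR, issuance by a throwaway CA, validation against the CA's CRL, and revocation followed by a CRL refresh. The CA name, device name, file names and serial numbers are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not SecureW2 code): one device certificate through the four
# life cycle stages using only the openssl CLI. All names here are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# A throwaway issuing CA plus the minimal config "openssl ca" needs to keep a
# revocation database (index.txt) and sign CRLs.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Issuing CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1
printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ncrlnumber=crlnumber\n' > ca.cnf
printf 'certificate=ca.crt\nprivate_key=ca.key\ndefault_md=sha256\ndefault_crl_days=7\n' >> ca.cnf
touch index.txt; echo 1000 > crlnumber

# 1. Enrollment: the device keeps its private key and sends the CA a CSR
#    carrying its public key and identity.
openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop-0042.corp.example" \
  -keyout device.key -out device.csr >/dev/null 2>&1

# 2. Distribution: the CA applies its policy (here: one-year validity) and
#    returns a signed certificate; it also publishes its (still empty) CRL.
openssl x509 -req -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out device.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# 3. Validation: what a RADIUS server does at connection time, a chain check
#    plus a CRL lookup. Prints "valid" or "rejected".
cert_status() {
  if openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}
# Returns 0 when the certificate's serial number is listed in the current CRL.
serial_in_crl() {
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in ca.crl -noout -text | grep -iq "Serial Number: $serial"
}
BEFORE=$(cert_status device.crt)   # valid: chain is good, serial not in CRL

# 4. Revocation: an administrator revokes the certificate (say, a lost laptop)
#    and the CA republishes the CRL; the unexpired certificate is now rejected.
openssl ca -config ca.cnf -revoke device.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
AFTER=$(cert_status device.crt)    # rejected: serial now appears in the CRL
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

Until the refreshed CRL reaches the RADIUS server, the old copy still reports the revoked certificate as valid, which is why the CRL update interval in the portal matters.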


Certificates Reduce Wi-Fi Related Issues

Credential-based networks are an outdated solution to the ever-growing threat of cyber thieves. Certificates offer far more advantages to an IT department and to users as they are simpler to use and eliminate human-based errors.

A certificate-based network can alleviate the burden of support tickets from IT, keep an organization’s data more secure, and allow an end user to logon to the network easily and securely.

SecureW2 offers organizations of any size a solution to password-based issues with an easy switch to certificate-based network authentication. For more information about our cost-effective solution, check out our pricing page.


Learn About This Author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.