
A Guide To Build A PKI Certificate Authority

Key Points
  • A PKI manages digital certificates using certificate authorities (CAs) and a certificate revocation list (CRL). Certificates derive from a chain of trust: a root CA and an intermediate CA that issues the user and device certificates.
  • It is possible to create your PKI without external help, but that could lead to network misconfiguration. Misconfigured certificates in a network do more harm than good, as they can leave your network vulnerable to MITM and brute-force attacks.
  • A managed PKI like our JoinNow Connector PKI provides an automated certificate management platform, so you can provision all your end users and devices with digital certificates and authenticate them safely to the network.

What is a Certificate Authority?


A certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies ownership of a public key by cryptographically binding it to the subject the certificate is issued to. Certificate authorities are essential for running a PKI and therefore essential for a truly secure network.

SecureW2 Cloud PKI service allows you to create CAs and distribute certificates with ease. It’s also cheaper than on-premise alternatives as maintaining a cloud PKI costs ⅓ of the price of an on-prem PKI. (see how we helped one of our customers here.)

It’s important to note that there are different types of CAs: a public CA and a private/PKI CA. While they are both certificate authorities, they have different use cases.

In this article, we will highlight when to use a PKI CA and how to go about creating one.


Why Use A PKI Certificate Authority?

A PKI CA, also known as an enterprise CA, is a self-hosted certificate authority usually meant for internal use only. PKI CAs are most commonly used by large companies and universities for applications such as Wi-Fi, VPN, and web application authentication.

The main benefit of using a PKI CA is that it limits trust to devices within a given organization. This reduces the potential for a breach, because fewer trusted devices means fewer entry points for an attacker.

To enhance your security further, you can set policies that will help reinforce your network against would-be attackers.

Another benefit comes from needing to issue a high volume of certificates, either because your organization is large or you are planning on reissuing certificates frequently. It is usually much cheaper to run your own CA rather than pay for every certificate issued by a public CA.

PKI CAs can also be significantly more secure than their public counterparts. Where a public CA hands out certificates to anyone who pays, private CAs restrict their certificates to specific people or devices (usually those within the organization).


Generating PKI Certificate Authorities Without A Service

It is possible to create a private certificate authority without help from outside services, but the process isn’t as straightforward as one would hope. It also differs depending on which operating system you are using. For example, on macOS:


  1. Open a Command Console
  2. Enter openssl genrsa -des3 -out myCA.key 2048
  3. When prompted, enter your passphrase
  4. Generate a Root CA by entering openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
  5. Enter answers regarding Name, Location, State, Organization, etc.

The easy part is done; now you have to install your root CA on the devices in your network. To add the root CA on macOS:

  1. Open the macOS Keychain app
  2. Go to File > Import Items…
  3. Select your root certificate file
  4. Search for your CA name
  5. Double click on your root certificate in the list
  6. Expand the Trust section
  7. Change the When using this certificate: select box to “Always Trust”
  8. Close the certificate window
  9. Enter your password

While generating the root CA itself seems simple enough, the challenge comes from installing the root certificate on every device in your network. For an enterprise, this could mean thousands of devices that need to be provisioned by hand. This approach also offers no mechanism for certificate revocation or management. With the average number of certificates an organization manages having grown 43 percent in 2020, this simply isn’t a cost-effective solution for larger companies.
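The recipe above carried through as an added example (shell, not the post's own commands): a root CA, an intermediate CA that issues a device certificate, verification of the chain, and then the revocation step the paragraph notes is missing, with the device certificate placed on a CRL and rejected. The subject names, file names and the "laptop-0001" device are assumed placeholders, and keys are left unencrypted rather than protected with the -des3 passphrase from step 2.

```shell
# Added example, not the post's own code: a root CA, an intermediate CA and a device certificate
# built with OpenSSL, then the device certificate revoked and a CRL published and checked.
# Subjects, file names and the "laptop-0001" device are constructed; keys are unencrypted for brevity.
# issue NAME SUBJECT EXT_SECTION ISSUER: new key + CSR, signed by ISSUER with the role's extensions
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -config pki.cnf -subj "$2" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 365 \
    -sha256 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
# build_pki DIR: write the config, build the two-tier chain, verify the device cert (returns 0 = OK)
build_pki() (
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ica_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[device_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
[ca]
default_ca = ica
[ica]
database = ./index.txt
certificate = ./ica.pem
private_key = ./ica.key
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 30
EOF
  touch index.txt && echo 1000 > crlnumber &&
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -config pki.cnf -extensions root_ext \
    -subj "/CN=Example Root CA" -days 1825 -sha256 -out root.pem 2>/dev/null &&
  issue ica "/CN=Example Intermediate CA" ica_ext root &&
  issue device "/CN=laptop-0001" device_ext ica &&
  openssl verify -CAfile root.pem -untrusted ica.pem device.pem   # prints "device.pem: OK"
)
# revoke_device DIR: the revocation step the manual recipe lacks; returns 0 once the CRL rejects the cert
revoke_device() (
  cd "$1" && openssl ca -config pki.cnf -revoke device.pem 2>/dev/null &&
  openssl ca -config pki.cnf -gencrl -out crl.pem 2>/dev/null &&
  ! openssl verify -crl_check -CAfile root.pem -untrusted ica.pem -CRLfile crl.pem device.pem
)
d=$(mktemp -d) && build_pki "$d" && revoke_device "$d" && echo "revoked certificate rejected by CRL"
```

The intermediate carries pathlen:0 and cRLSign, so it can issue device certificates and sign their CRL but cannot create further CAs; the root key is only needed to sign the intermediate and can stay offline afterwards.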

Luckily, SecureW2 offers an alternative solution that you can use to create and deploy a private CA in minutes. SecureW2’s system also comes with a full suite of management options that allow you to fully control your network.


Managing Your PKI CAs and Client Certificates

SecureW2’s Managed PKI solution simplifies the way you manage your CAs. We provide you with an easy-to-use graphical interface that allows you to view and manage your certificates. You can see when a certificate was issued, what device it’s attached to, and even revoke the certificate with a push of a button.

Each certificate you revoke will be added to a Certificate Revocation List (CRL) that was automatically generated with SecureW2. This gives you complete managerial control of your certificates.

SecureW2 also offers industry-exclusive Identity Lookup with LDAP and SAML identity providers, allowing our Dynamic Cloud RADIUS server to look up a user’s identity in real time during the authentication process. You can create policies and issue custom templates based on the user groups already established in your directory. This is a major departure from traditional RADIUS, which simply confirmed the validity of a certificate. It is now much easier to enforce group policy and user segmentation without going through the usual certificate management cycle.


An Easy PKI Solution

The JoinNow solution from SecureW2 comes with a powerful certificate enrollment gateway enabling MDMs (Workspace One, JAMF, Intune, MobileIron, etc.) to push out configuration profiles that will allow devices to auto-enroll for certificates. In one fell swoop, all your managed devices will be set up for certificate-based authentication to Wi-Fi, Web Apps, VPN, and more.

If you’re working in a BYOD environment, SecureW2 offers a #1 rated onboarding client that enables easy WPA2-Enterprise self-configuration. JoinNow was built with the end-user experience in mind and is carefully crafted to make the onboarding process as simple and painless as possible. The simple, easy-to-follow prompts make getting configured and connected to secure wireless a snap.

IT organizations that want to take advantage of PIV technology are also in luck with SecureW2. Configuring YubiKeys for certificates is simple: with just a few clicks in our management portal, you can create a custom client that configures your YubiKey for certificate enrollment.

SecureW2 offers a complete package with everything you need to run a powerful PKI. This includes a PKI CA custom-tailored to your needs. Check out our PKI solutions page to see how we can help your organization stay safe and secure.


Key Takeaways:
  • It is possible to create a private certificate authority without help from outside services, but the process isn’t straightforward.
  • SecureW2 gives you all the tools you need to run your own PKI.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
