Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Running PKI-as-a-Service

Creating and operating a certificate-based network is no simple task. Without a highly knowledgeable staff that is well-versed in certificate management, an organization can get bogged down in integration, configuration, and distribution of X.509 digital certificates.

Without a centralized system for managing the certificates used on your network, it can quickly become overly complex. Some admins choose to use an open-source solution such as Let’s Encrypt, which would require hiring a single person or team to manage all the certificates across the network. Or they may operate with self-signed certificates and end up with a confusing mess of certificates everywhere and a significant risk of not properly replacing expired certificates.

Many organizations that use certificates lack a proper Public Key Infrastructure (PKI) to organize and manage all their certificates. While critical for supporting the infrastructure digital certificates require, a PKI can be difficult to configure without 3rd party support. That’s why running a PKI and managing TLS is increasingly performed as a managed service.

Setting Up PKI-as-a-Service

radius server

The process of converting from a network of disparate internal groups using different certificates to a centralized certificate management system isn’t a one step process. For those unfamiliar with them, digital certificates are a new experience and a completely different form of authentication than they are used to. Here are some general guidelines to follow that can facilitate a smooth transition into a certificate-based network.

https://www.nicepng.com/png/detail/304-3044610_phd-and-master-graduates-transiting-from-academic-into.png

Address All Certificates

The first step before even researching PKI-as-a-service options is to gain control of all certificates on the network. Network admins should require visibility into how all certificates are being used. This will help in defining how PKI certificates are used in the future, and also can escalate alerts of certificates that have expired.

A tool such as SecureW2’s management portal provides visibility of every certificate in use on your network and insight into every authentication event. If any issues arise, admins are able to remote troubleshoot and resolve those issues quickly.

Analyze Network Infrastructure

After organizing the certificate situation, an analysis of current network infrastructure is key. Understanding where your infrastructure will easily integrate with certificates and what will need to be replaced/upgraded can simplify the process of implementing a PKI. Infrastructure key to utilizing certificates include a RADIUS server, certificate management tools, certificate revocation lists, and more.

https://www.blog.invesco.us.com/wp-content/uploads/2019/12/BLOG-Ma-YiChao-Stocksy_2695557.jpg

Define Certificate Use Cases

The last step before choosing a vendor is to define all the places certificates will be used on the network: RADIUS authentication, VPN, S/MIME email security, etc. Once the use cases have identified, admins can begin designing the network and create a defined scope of certificate operations.

Some operations to consider would be how will certificates be distributed? How will they be protected? How will they be managed? How will the certificate templates be populated? And how will they define policy settings for different user groups?

Training Users

After preparing for certificates, defining how they will be used, and selecting a vendor to integrate certificates into the network, it’s important to train the IT team and early adopters before distributing them throughout the organization. These first certificate users are likely the most technologically well-versed and will be looked to for guidance if any individual issues should arise. They can also act as guinea pigs to smooth out any issues and make the transition organization-wide a seamless one.

Assess and Adapt

As with any new technology, it’s important to continually assess the effectiveness of certificates over time and continue to improve how they are used. The only constant is change, and certificates are no exception. If certificates are not actively managed, they can become stagnant and a security liability (see Equifax’s certificate expiration mistake).

Additionally, certificates have an incredibly wide range of uses, and many vendors are able to accommodate additional functions. If an assessment of current certificates shows positive results, you may want to consider expanding certificate functions to something more advanced, such as equipping smart cards like YubiKey with certificates.

Leaderboard

SecureW2 as PKI-as-a-Service

SecureW2 is well-known for providing Certificate Management Solutions (CMS) and allowing organizations to approach certificates with a set-and-forget approach. We provide everything you need to integrate certificates with management tools that simplify the entire certificate experience.

First and foremost, our certificate infrastructure is easily integrated with existing network infrastructure from any major vendor. We provide everything needed to distribute certificates: PKI, RADIUS, management tools, CRL, etc.

Once the PKI is in place, distribution is the next hurdle that some organizations struggle with. SecureW2’s JoinNow solution makes provisioning certificates incredibly simple. Before JoinNow, end users or IT would have to manually configure every device for a certificate. For IT, this is an enormous time sink, and for end users, it’s a difficult process that will doubtlessly lead to misconfigurations.

https://image.winudf.com/v2/image1/Y29tLnNlY3VyZXcyLnBhbGFkaW5fc2NyZWVuXzBfMTU3ODkzMTU2NV8wMjY/screen-0.jpg?fakeurl=1&type=.jpg

The JoinNow client simplifies the process down to a few steps resulting in the user’s device being provisioned with a certificate. Once the process is complete, the user is immediately ready for EAP-TLS authentication to the WPA2-Enterprise network.

SecureW2’s single pane Management Portal also simplifies the PKI/TLS management process considerably. It offers network admins all the tools they need to ensure the certificate-based network operates smoothly. From here, they can view all certificate provisioning, authentication events, and certificate expirations and remotely troubleshoot any issues that might arise.

As mentioned in the final step of setting up PKI-as-a-service, you may assess your initial certificate deployment with SecureW2 and feel comfortable expanding how your certificates are used; SecureW2 can support that expansion. We provide certificates for VPN authentication, S/MIME email security, smartcard/YubiKey certificate provisioning, and much more. SecureW2 is a one-stop solution for a myriad of certificate uses, and our management tools make expanding the capabilities of certificates simple.

Managing a PKI on your own can be a daunting task, so following the above steps to organize your network for certificates can make the transition quick and painless. Certificate management solutions from SecureW2 make certificates a huge boost to the network in terms of ease of authentication, network management, and overall security. Check out SecureW2’s pricing page to see if we can be the PKI-as-a-service you’ve been searching for.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Running PKI-as-a-Service