Certificate Lifecycle Management & Automation Platform

Most Certificate Lifecycle Management solutions are designed to work with an existing Public Key Infrastructure (PKI), usually Active Directory Certificate Services, and provides a simple framework for automation with a Graphical User Interface (GUI).

The JoinNow Connector PKI rethinks Certificate Management by providing a platform that is designed to be an extension of an organization’s existing identity infrastructure. It constantly communicates with cloud identities like Azure, Okta, Intune, and Jamf so a user or device only has a valid certificate if it is still active, has the right permissions, or is compliant. This ensures that no systems have expired certificates when they shouldn’t, uncompliant devices or inactive users can’t access sensitive data, and your organization remains secure.

The benefit of Certificate Management Systems, and using a digital certificate for authentication in general, is enabling passwordless authentication with the use of digital certificates, which greatly improves an organization’s security. It’s no secret that passwords are a vulnerability, with organizations like Microsoft recommending that you move away from password-based PEAP-MSCHAPv2 to passwordless protocols like EAP-TLS. Digital certificates can be used to secure a range of resources, including your wired & wireless network, VPN, applications, desktop logins, and much more. Additionally, there are benefits for your end-users. With digital certificates, employees no longer have to deal with frustrating password reset policies and disconnects due to password changes.

A Certificate Lifecycle Management Solution with good automation capabilities makes sure that digital certificates remain in the hands of devices/users that deserve them, and are constantly using an array of data sources to automate certificate management with real-time data. It only takes one expired certificate, just like credentials, to break into a system. This is how the Equifax breach happened. A modern certificate management system prevents expired certificate issues like web servers going down, SSL / TLS certificates failing to encrypt traffic.

Many organizations see the benefits of going passwordless, but think that they can reduce the cost of doing so by building their own PKI infrastructure. Unfortunately, this often ends up being a costlier venture in terms of finances and time spent. Building a PKI requires expertise, space for the servers, and regular maintenance. Additionally, certificate management - from issuance to renewal to revocation - is time-consuming.

Certificate Management solutions like our JoinNow Connector PKI can save you the resources you would otherwise spend on building and maintaining your own. What’s more, since our PKI infrastructure is cloud-based, your administrators can access it from anywhere without having to replicate it at every office location. On average, the JoinNow Connector PKI’s total cost of ownership is less than ⅓ of your standard AD CS implementation.

When it comes to revocation, our cloud-based PKI can revoke certificates in a few different ways. Certificate revocation can be achieved manually through our certificate management portal, and through automatic revocation with some MDMs such as Jamf and Intune. Our PKI as a service also includes customizable policies you can create, such as non-utilization, which means certificates that aren’t used for a definable period of time (such as 60 days) are automatically revoked.

When certificates are revoked, they are added to a Certificate Revocation List (CRL). Each CA that is created in the JoinNow Connector PKI contains a Base Certificate Revocation List and a Delta Certificate Revocation List, which allows servers to quickly receive certificate revocation updates in a computing-efficient fashion.

All private keys are stored in hardware, never in software or sent over the air. Many certificate lifecycle solutions take shortcuts and install certificates in software. This leads to easily compromised certificates, causing more security issues than they solve.

With our JoinNow MultiOS Onboarding software, unmanaged devices will generate the have their private key configured as non-exportable, further increasing security. After the private key is generated, MultiOS will send the Certificate Request and device information to the JoinNow Connector PKI, which will use that to create the Certificate and Public Key for the device to go along with the private key.

Our PKI makes renewal simple, too. For managed devices, certificate renewal typically happens on an automatic basis a month or two before the certificate’s expiration. For BYODs, administrators can set a customizable notification email to go out to end-users at a customizable time interval before the certificate is set to expire, encouraging them to renew their certificate before it is set to expire.

Our PKI allows you to create a private certificate authority (CA) only. JoinNow Connector PKI was designed to be used for internal applications, like Application Security and Wi-Fi, so a private certificate authority is the best solution. So it is not a publicly trusted CA, like the Public Key Infrastructures that create SSL certificates for web browsing.

However, you can create as many private CAs as you need. Our customers commonly build multiple CAs for different groups of people to enable role-based access control, such as having multiple CAs for their HR and DevOps teams. It’s also very easy to create both root CAs and Intermediate CAs as well.