Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Managed Cloud PKI as a Service

Move past the frustration of password resets and vulnerabilities with our intuitive, easy-to-use PKI management tools. Our Managed cloud-based PKI as a service provides the foundation for secure and passwordless Wi-Fi, VPN, Single-Sign On, and much more.

We’ve Helped Many Businesses Like Yours

  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand
  • Brand

Public Key Infrastructure FAQs

What are the benefits of a Public Key Infrastructure for my organization?

The ultimate benefit of a private PKI is passwordless, certificate-based authentication. It’s no secret that passwords are a vulnerability, with organizations like Microsoft recommending that you move away from password-based PEAP-MSCHAPv2 to passwordless protocols like EAP-TLS. Digital certificates can be used to secure a range of resources, including your wired & wireless network, VPN, applications, desktop logins, and much more.

Additionally, there are benefits for your end-users. With digital certificates, employees no longer have to deal with frustrating password reset policies and disconnects due to password changes.

Why can’t we just build our own private PKI instead of using a managed PKI?

Many organizations see the benefits of going passwordless, but think that they can reduce the cost of doing so by building their own PKI infrastructure. Unfortunately, this often ends up being a costlier venture in terms of finances and time spent. Building a private PKI requires expertise, space for the servers, and regular maintenance. Additionally, certificate lifecycle management - from issuance to renewal to revocation - is time-consuming.

PKI as a service solutions like our JoinNow Connector PKI can save you the resources you would otherwise spend on building and maintaining your own. What’s more, since our PKI infrastructure is cloud-based, your administrators can access it from anywhere without having to replicate it at every office location.

How does your PKI handle certificate lifecycle management phases, such revocation?

We wouldn’t be able to call it PKI as a Service if we didn’t provide you everything you needed to manage your certificates. For endpoint distribution, we have our automatic gateway APIs for managed devices and our self-service onboarding technology for unmanaged devices/BYODs.

When it comes to revocation, our cloud based PKI can revoke certificates in a few different ways, including manually and through automatic revocation with some MDMs such as Jamf and Intune. Our PKI as a service also includes customizable policies you can create, such as non-utilization, which means certificates that aren’t used for a definable period of time (such as 60 days) are automatically revoked.

How do you handle certificate renewal?

Our PKI makes renewal simple, too. For managed devices, certificate renewal typically happens on an automatic basis a month or two before the certificate’s expiration. For BYODs, administrators can set a customizable notification email to go out to end-users, encouraging them to re-enroll for a certificate before it expires.

What is the passwordless authentication experience like for the end user?

The user experience differs based on whether they are using managed or unmanaged devices/BYODs. For managed devices, the end user will never notice the certificate enrollment process - our PKI as a service includes gateway APIs that will automatically enroll them for a certificate. For BYODs, you can utilize our self-service onboarding technology, which allows end users to configure their devices for private certificates in a matter of minutes.

After enrollment, certificate-based authentication is mostly the same for either type of end-user. They no longer need to remember a plethora of passwords, reset those passwords regularly, or adhere to complex password requirements.

Does your PKI platform provide public or private certificate authorities?

Our PKI allows you to create a private certificate authority only. However, you can create as many private certificate authorities as you need. Our customers commonly build a different certificate authority for different groups of people to enable role-based access control, such as having a separate certificate authority for their HR and DevOps teams. This makes managing certificates for different roles organized and efficient.

Which cryptographic algorithms does your PKI support?

Our best in class PKI supports a range of secure algorithms. Those include RSA 2048 & 4096, as well as ECC P256 & P384.

Can you export the certificate’s private key and use it to authenticate another device?

Public key cryptography requires the use of both public and private keys. While the public key can be sent freely, the private key must be stored securely, and we take key storage seriously as a result. The best way to guarantee your private key won’t be removed from your device is to ensure it is stored in the proper key stores and enclaves and set to non-exportable. To increase security further, we recommend that keys are stored in a device’s Trusted Platform Module (TPM) instead of storing the keys in software.

We use multi-factor authentication (MFA). Isn’t that passwordless already?

While multi-factor authentication is more secure than a simple username and password combination, it’s still the best security available. It’s simply not practical for Wi-Fi and wired security when devices move around to different locations, requiring multiple authentications. The introduction of MFA fatigue attacks, in which hackers spam users with MFA prompts until they just give in and approve them, also puts enterprises at risk. This is why organizations like CISA have recommended certificate-based authentication over MFA for increased security.