
The Best Private CA / PKI Service

The use of certificates for network security is rapidly increasing due to their superiority over all other authentication methods. They’re incredibly versatile and can enable authentication customization that far surpasses what is possible with credentials like passwords.

Of course, certificates alone cannot solve an organization’s cybersecurity issues – they must be backed up by a robust PKI and private CA service that can give you the tools to manage the entire certificate lifecycle.

Basics of a Private CA and PKI


A Public Key Infrastructure (PKI) generates public/private key pairs and binds the public keys into certificates that are signed by the Certificate Authorities (CAs) within the PKI. Certificates are distributed from there and used for various purposes depending on the needs of the organization.

There are two primary types of CA that issue certificates: public and private. A private CA typically provides certificates for internal operations and shouldn’t be used for public-facing purposes. A public CA is the opposite: it issues certificates for external-facing applications such as enabling HTTPS.

The focus of this article is on the use of certificates from a private CA – so what are some of their most common uses? Organizations often use certificates for secure authentication, such as:

  • Wi-Fi authentication
  • Web applications authentication
  • VPN authentication
  • Enforcing an SSO policy


Some PKI providers can also configure certificates to be used for broader security functions, such as enabling S/MIME email security or equipping smart cards like the YubiKey with a certificate to expand the range of applications they can be used with.

Of course, without support from an experienced PKI provider, enabling these capabilities can be difficult on your own. The best PKI and private CA providers offer tools to simplify the entire certificate lifecycle.

Complete Certificate Lifecycle Management is Key for PKI Services

The most common cause of breaches on certificate-based networks is poor certificate management. The measure of a good CA/PKI provider is how thoroughly they manage the full lifecycle of their certificates.

The certificate lifecycle can be broken down into five different stages, and below we will demonstrate how SecureW2 provides comprehensive management tools and setup guides to allow an organization to quickly and easily convert to a certificate-based network security system.

Setup

Our setup guides and personal support enable organizations to set up a functional, if bare-bones, network that authenticates certificates within hours if need be. This is the most basic configuration; advanced settings and customization require only another day or two. After the setup process is complete, the system is designed to be set-and-forget and to require very little direct maintenance over time.


One of the keys to the rapid setup process is that our certificate solutions integrate with any network infrastructure. SecureW2 provides a vendor-neutral solution, making it easy for any organization to switch to certificates. While SecureW2 provides all the tools you need to enable certificates (PKI, RADIUS, CA generation, etc.), if your organization already uses a piece of technology you don’t want to replace, we can work with your existing infrastructure.

Distribution

The most common pain point in transitioning to EAP-TLS for certificate-based authentication is the issue of onboarding users and their devices to the new network.

Where many certificate solutions lag behind (and SecureW2 excels) is in the tools made available to equip users and devices with certificates. The JoinNow onboarding solution is a foolproof guided onboarding client that users can complete within minutes. The process involves only a few clicks and IDP identity confirmation, and it results in the user’s device being equipped with a certificate that is immediately ready for authentication.

Once the user has a certificate, they can be authenticated for as long as the certificate lifespan the organization has set, which is often multiple years. As with infrastructure, it is a vendor-neutral solution that can distribute certificates to devices from any major vendor.

PIV-backed smart cards such as the YubiKey can also be equipped with certificates to enable desktop logon. The certificates are populated from an organization’s IDP and allow for the most secure form of smart card authentication. Users can be authenticated in a completely passwordless process.

Additionally, SecureW2 provides tools for certificate distribution to managed devices. Our SCEP gateways allow admins to configure a certificate payload that is sent to managed devices with no end-user interaction. In this process the end user plays no role, but can still use managed devices and be securely authenticated. We have also created processes to easily deliver certificates to IoT devices, smart cards, RADIUS servers, and more.

Management

The SecureW2 management portal provides numerous management tools and visibility benefits to easily manage every certificate on the network. From here, admins can view who is accessing the network on which devices, as well as oversee authentication events. If an issue should arise for a user, the admin can diagnose the problem and troubleshoot the issue, all remotely.


SecureW2’s Cloud RADIUS with dynamic identity lookup provides unique capabilities for managing certificates. In the past, if a user’s status within an organization changed and they needed new policy settings and permissions, all their certificates would have to be replaced. Cloud RADIUS allows the RADIUS server to query the IDP directly. An admin simply adjusts that user’s attributes in the IDP, and when the user’s certificate is next authenticated, the new policy rules are enforced dynamically.

Compared to credentials, certificates are the clear choice for hands-off management. Users never have to remember authentication information, because the certificate is presented and authenticated automatically when the device joins the network. Furthermore, certificates eliminate the password reset policies that often lead to an influx of IT support tickets.

Expiration/Revocation

SecureW2’s management portal notifies admins of certificate expiration dates, which is extremely important in the case of server certificates. If some certificates expire without notification, it can lead to a massive vulnerability in the network. Certificate expiration without notification was one of the key weaknesses that led to the Equifax leak of 2017.

Of course, sometimes certificates need to be revoked from users before their listed expiration date. SecureW2’s certificate solution optionally provides both a base CRL and a delta CRL that are updated regularly, so no revoked certificate is wrongfully authenticated. The revocation process is simple in the management portal, and admins can rest easy knowing that no unauthorized user can gain access to the network.
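To make the expiration and revocation checks described above concrete, here is an added example (written for this article, not SecureW2's code or any product's implementation) that merges a base CRL with a delta CRL the way RFC 5280 section 5.2.4 describes and flags inventory certificates that expire within a warning window. The serial numbers, names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REMOVE_FROM_CRL = 8  # RFC 5280 CRLReason: a certificateHold was lifted (appears only in delta CRLs)
@dataclass
class CrlEntry:
    serial: int
    revoked_at: datetime
    reason: int  # RFC 5280 CRLReason: 1 keyCompromise, 5 cessationOfOperation, 6 certificateHold, ...

@dataclass
class Crl:
    crl_number: int
    this_update: datetime
    entries: List[CrlEntry]
    base_crl_number: Optional[int] = None  # present only on a delta CRL

def effective_revocations(base: Crl, delta: Crl) -> dict:
    """Merge a delta CRL into its base CRL (RFC 5280 s5.2.4); returns serial -> CrlEntry."""
    if delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL does not reference this base CRL")
    if delta.this_update < base.this_update:
        raise ValueError("delta CRL is older than its base CRL")
    revoked = {e.serial: e for e in base.entries}
    for e in delta.entries:
        if e.reason == REMOVE_FROM_CRL:
            revoked.pop(e.serial, None)  # hold released since the base was published
        else:
            revoked[e.serial] = e       # revoked since the base was published
    return revoked

def is_revoked(serial: int, base: Crl, delta: Crl) -> bool:
    return serial in effective_revocations(base, delta)
def expiring_soon(certs, now: datetime, warn_days: int = 30):
    """(name, days_left) for certs expiring within warn_days or already expired, soonest first."""
    hits = [(name, (not_after - now).days) for name, not_after in certs]
    return sorted([h for h in hits if h[1] <= warn_days], key=lambda h: h[1])

# Constructed sample data (no real certificates): a base CRL, a delta issued after it, an inventory.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
BASE = Crl(10, NOW - timedelta(days=7), [
    CrlEntry(0x1001, NOW - timedelta(days=30), 1),   # keyCompromise
    CrlEntry(0x1002, NOW - timedelta(days=10), 6)])  # certificateHold
DELTA = Crl(12, NOW - timedelta(hours=1), [
    CrlEntry(0x1002, NOW - timedelta(days=2), REMOVE_FROM_CRL),   # hold lifted
    CrlEntry(0x1003, NOW - timedelta(days=1), 5)], base_crl_number=10)  # cessationOfOperation
CERTS = [("radius.example.internal", NOW + timedelta(days=12)),
         ("wifi-user-1", NOW + timedelta(days=400)), ("vpn-gw", NOW - timedelta(days=1))]
```

A RADIUS server that only refreshed the base CRL would still reject serial 0x1002 and still accept 0x1003 until the next base was published; applying the delta corrects both.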


Complete Suite of Certificate Services by SecureW2

The primary goal at SecureW2 is to convert your network to certificate authentication as efficiently and effectively as possible. Certificates are quickly replacing credentials in a myriad of industries because they are simply superior in terms of security and user experience. If our PKI and private CA can get your users safely and securely authenticated, we have accomplished our goal.

Check out our pricing page to see if our certificate solutions match your organization’s needs.

About the author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
