
ACME Solutions

Ensure only trusted, managed devices are allowed access to critical resources by using the ACME Protocol with JoinNow Connector PKI.

Leveraging Apple Managed Device Attestation (MDA)

SecureW2’s ACME service can cryptographically prove that a device is a genuine Apple product and confirm its serial number using Apple Managed Device Attestation (MDA). With that attested identity, JoinNow Connector PKI cross-references the device against your MDM inventory so that only trusted, enrolled devices can obtain certificates.

Manage the Entire Certificate Lifecycle

Enrollment

Best-in-class enrollment for BYOD and managed devices puts certificate-hardened security on every device. Auto-enroll or revoke certificates based on real-time user status. Combined with device monitoring and troubleshooting logs, customers often see a 10-50% drop in Wi-Fi configuration-related support tickets after implementing SecureW2.

Revocation

When users leave an organization, SecureW2 automatically flags their certificates so they can no longer be used to access the network. Certificate management features let admins track and search for the devices they want to revoke and add them to the built-in Certificate Revocation List; the authenticating RADIUS server then rejects those certificates, provided it checks the CRL (or OCSP) during authentication.

Expiration

Policies deliver certificates tailored to different user roles. Certificate templates control expiration, user access and more. Automated notifications can be sent at intervals to remind users of upcoming certificate expirations.

ACME FAQs

How Does the Certificate Request Process Work with ACME and My MDM?

SecureW2's ACME solution automates certificate enrollment for MDM-managed devices so that only a trusted device can obtain a certificate and connect to the network. It improves on the legacy SCEP protocol by validating the device before the certificate is issued: the ACME server challenges the device to prove its identity, and issuance proceeds only if that proof is accepted.

That proof comes from Apple Managed Device Attestation (MDA). The device presents an attestation, issued through Apple's attestation service, that the enrolling key is hardware-backed and that the device carries a given serial number; JoinNow Connector verifies it and cross-references the serial number against your MDM so that only enrolled, managed devices can enroll for certificates.

Traditional SCEP implementations gate issuance on a pre-shared challenge password alone, and that password is often the same for many devices and travels inside the MDM profile, so anyone who obtains the profile can enroll. With ACME, organizations can ensure that only trusted, managed devices obtain and maintain the certificates used to access critical resources. SecureW2 allows macOS, iOS, iPadOS and tvOS devices to enroll for digital certificates through an ACME (Automated Certificate Management Environment) client certificate enrollment payload (token) delivered by the MDM.

How Do We Integrate the ACME CA Server with an MDM (Intune/Jamf)?

The Automated Certificate Management Environment (ACME) protocol lets the PKI manage certificates and apply policies based on the information carried in an Apple Managed Device Attestation (MDA). SecureW2’s Managed Gateway API integrates with mobile device management (MDM) solutions such as Jamf: the MDM pushes the ACME payload to the device, the device contacts the SecureW2 ACME server named in that payload, and the server uses the device’s attestation to confirm that it is a trusted device before issuing a device certificate.

SecureW2 offers certificate-based authentication for Mobile Device Management solutions that auto-enroll managed devices for certificates via API gateways. The supported enrollment protocols and APIs include SCEP, ACME, JSON, WSTEP and EST, for provisioning and managing certificates on MDMs such as Jamf, Intune and Google Workspace.

What Role Does Apple’s Secure Enclave Play in the ACME Protocol?

Managed devices generate a key pair inside the Secure Enclave and send the data Apple requires to Apple’s attestation servers, which return an attestation for that key. The attestation establishes that the private key lives in the Secure Enclave and cannot be extracted, and that the device is an authentic Apple device whose hardware and software have not been tampered with.

The Secure Enclave is a dedicated hardware component that stores and manages cryptographic keys so that the main processor, and any malware running on it, cannot read them. Through Apple’s Managed Device Attestation feature, the device can additionally obtain from Apple’s servers a signed attestation, tied to a key held in the Secure Enclave, that it is a genuine, untampered Apple device with a given serial number. Hardware-backed evidence of this kind gives far higher assurance than a shared secret or a self-reported serial number. When using the ACME protocol for certificate issuance, our PKI verifies that attestation (checking that it chains to Apple’s attestation root and that it was produced for this enrollment rather than replayed from an earlier one) before issuing a certificate to the device.
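As an added illustration of the server-side half of what the three answers above describe (added here, not SecureW2’s or Apple’s code), the following Python sketches the decision an ACME CA makes once it holds a verified attestation. It assumes the attestation chain has already been checked against Apple’s attestation root, that the MDM inventory and the ClientIdentifier store are the constructed in-memory tables shown, and that `issue_client_identifier` is a hypothetical stand-in for the MDM minting a one-time token into the payload.

```python
"""Enrollment policy for an ACME CA that consumes Apple Managed Device Attestation.

Added illustration of the server-side decision, not SecureW2's or Apple's code.
Assumptions made here:
  * The ACME server has already verified the attestation certificate chain
    from the device-attest-01 challenge against Apple's attestation root and
    extracted the attested fields; this code receives those fields as a dict.
  * MDM_INVENTORY is constructed; a real deployment queries the MDM's API.
  * ClientIdentifier values are one-time tokens the MDM minted when it built
    the ACME payload for one specific device (hypothetical helper below).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import time

# Constructed MDM inventory keyed by serial number.
MDM_INVENTORY: Dict[str, dict] = {
    "C02XYZ000001": {"udid": "00008030-0000AAAA1111BBBB", "state": "managed"},
    "C02XYZ000002": {"udid": "00008030-0000CCCC2222DDDD", "state": "retired"},
}

# token -> {serial it was minted for, expiry (epoch seconds), consumed flag}
ISSUED_CLIENT_IDS: Dict[str, dict] = {}


def issue_client_identifier(token: str, serial: str, ttl_s: int = 3600,
                            now: Optional[float] = None) -> None:
    """Hypothetical MDM-side step: record the ClientIdentifier placed in a payload."""
    now = time.time() if now is None else now
    ISSUED_CLIENT_IDS[token] = {"serial": serial, "expires": now + ttl_s, "used": False}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    subject: Optional[str] = None   # identity the CA will put in the certificate


def authorize_enrollment(attested: dict, now: Optional[float] = None) -> Decision:
    """Decide whether an attested device may receive a certificate.

    `attested` carries: chain_verified, key_hardware_bound, client_identifier,
    serial, udid. Every failing check is reported so an admin can see why a
    device was refused, not just that it was.
    """
    now = time.time() if now is None else now
    if not attested.get("chain_verified"):
        # Without a verified chain nothing else in the statement can be trusted.
        return Decision(False, ["attestation chain not verified to Apple root"])

    reasons: List[str] = []
    if not attested.get("key_hardware_bound"):
        reasons.append("key is not bound to the Secure Enclave")

    tok = ISSUED_CLIENT_IDS.get(attested.get("client_identifier", ""))
    if tok is None:
        reasons.append("unknown ClientIdentifier")
    elif tok["used"]:
        reasons.append("ClientIdentifier already consumed (replayed order)")
    elif tok["expires"] < now:
        reasons.append("ClientIdentifier expired")
    elif tok["serial"] != attested.get("serial"):
        reasons.append("ClientIdentifier was minted for a different device")

    rec = MDM_INVENTORY.get(attested.get("serial", ""))
    if rec is None:
        reasons.append("serial not in MDM inventory")
    else:
        if rec["state"] != "managed":
            reasons.append(f"device state is '{rec['state']}', not managed")
        if rec["udid"] != attested.get("udid"):
            reasons.append("attested UDID does not match the MDM record")

    if reasons:
        return Decision(False, reasons)

    tok["used"] = True  # burn the token so the same order cannot be replayed
    # The subject comes from the attestation and the inventory, never from the
    # CSR: a device must not be able to name itself.
    return Decision(True, [], f"CN={attested['serial']},O=Example Corp")


if __name__ == "__main__":
    issue_client_identifier("demo-token", "C02XYZ000001", now=0)
    dev = {"chain_verified": True, "key_hardware_bound": True,
           "client_identifier": "demo-token", "serial": "C02XYZ000001",
           "udid": "00008030-0000AAAA1111BBBB"}
    print(authorize_enrollment(dev, now=10))   # allowed
    print(authorize_enrollment(dev, now=20))   # denied: replayed order
```

The two points worth carrying into a real deployment are that the ClientIdentifier is single-use and bound to one serial number, so a captured order cannot be replayed from another device, and that the certificate subject is derived from the attestation and the MDM record rather than from whatever the device put in its CSR.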

How Do I Automate the Renewal of SSL Certificates Using ACME?

Automated Certificate Management Environment (ACME) automates certificate management to minimize human intervention and the scope for error. To automate the renewal of SSL/TLS certificates through a generic ACME server (not SecureW2), the flow looks like this:

  1. Install an ACME client (the agent) on the web server.
  2. The agent generates an account key pair and registers the public key with the certificate authority (CA). The private key never leaves the server; it signs every request the agent sends to the CA.
  3. The agent asks the CA for a certificate for the domain. The CA responds with a challenge (HTTP-01, DNS-01 or TLS-ALPN-01) that the agent must satisfy to prove control of the domain, for example by serving a specific value at a URL under /.well-known/acme-challenge/ or by publishing a DNS TXT record.
  4. The agent generates the certificate's key pair and creates a Certificate Signing Request (CSR) for the domain.
  5. The agent signs the CSR with the certificate's private key and submits it to the CA in a request signed with the account key.
  6. The CA verifies that the challenge was completed and that the CSR is valid, then issues the certificate.
  7. The agent downloads the certificate and installs it for the web server.
  8. Renewal repeats the same steps on a schedule (clients typically renew when roughly a third of the certificate's lifetime remains), so issuance and renewal run without manual intervention.

To set up ACME, choose an ACME-compatible client for the domain that needs management, confirm that the CA supports a challenge type you can satisfy (DNS-01 is required for wildcard names) and that the client can update your web server or DNS, then let the client generate its account key and complete the first issuance. ACME v2 also supports issuing wildcard SSL/TLS certificates.
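The procedure above, as an added example that is not part of the original page or of any particular ACME client: the Python below computes the values a renewal agent produces locally during an ACME v2 (RFC 8555) exchange, which is where the key-handling and domain-validation steps are most often misunderstood. The account key is a constructed P-256 public key in JWK form, the challenge token is a made-up value, and the network calls to the CA are left out; the thumbprint, key authorization, challenge responses and renewal threshold are the real arithmetic the CA and the agent rely on.

```python
"""What a renewal agent computes locally in an ACME v2 (RFC 8555) exchange.

Added illustration, not code from SecureW2 or from any particular ACME client.
ACCOUNT_JWK is a constructed P-256 public key; real agents generate their own
and keep the private half on the server. Network calls to the CA are out of
scope; the functions here produce exactly the values the CA will check.
"""
import base64
import hashlib
import json
from datetime import datetime, timedelta


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed public key; only this public part is ever sent to the CA.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order with no whitespace. Identifies the account key to the CA."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint>. Only the holder of the account
    key can publish this for the CA's token, so the CA learns that whoever
    controls the domain also controls the account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """HTTP-01: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
    and expects the key authorization as the response body."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """DNS-01 (required for wildcards): TXT record at _acme-challenge.<domain>
    holding base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def should_renew(not_after_iso: str, now_iso: str, lifetime_days: int = 90,
                 fraction: float = 1 / 3) -> bool:
    """Renew once no more than `fraction` of the lifetime remains (a 90-day
    certificate is renewed with 30 days left, which is certbot's default).
    Timestamps are ISO 8601 with an offset, e.g. '2024-10-07T00:00:00+00:00'."""
    remaining = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)
    return remaining <= timedelta(days=lifetime_days * fraction)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed CA token
    print(http01_response(token, ACCOUNT_JWK))
    print(dns01_record("example.com", token, ACCOUNT_JWK))
    print(should_renew("2024-08-01T00:00:00+00:00", "2024-07-09T00:00:00+00:00"))
```

Note that nothing secret ever crosses the wire: the CA sees the account public key, the token it generated itself, and a hash-derived response, which is why a correctly configured agent can run unattended from cron or a systemd timer.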


Do We Need a PKI to Use the ACME Protocol for Certificate Management?

Yes. ACME is a protocol for talking to a certificate authority; the CA, and the rest of the Public Key Infrastructure (PKI) behind it, is what actually generates, signs, revokes and keeps records of the certificates. ACME only automates the conversation with it.

Digital certificates are a far stronger form of authentication than passwords, and you need a PKI to issue and manage them across the range of use cases involved, such as SSL/TLS certificates for servers or client certificates for Wi-Fi access. Distributing certificates to devices manually, however, is cumbersome and carries a real risk of misconfiguration.

The ACME protocol can be used with a PKI to distribute server and client certificates across the organization in an automated, repeatable way. That reduces the risk of misconfiguration, which matters because a misconfigured certificate (or a client that stops validating certificates because of one) exposes your network to man-in-the-middle attacks and other breaches.

Can We Use ACME and SCEP for Certificate Management at the Same Time?

Yes, an organization can use the Simple Certificate Enrollment Protocol (SCEP) and ACME at the same time. SCEP automates certificate issuance by letting managed devices enroll through a URL and a shared secret with which they authenticate to the PKI. It is widely used by MDMs, which push a payload containing the URL and the shared secret to their managed devices.

ACME is the newer of the two and, for Apple devices, automates certificate management through the MDM as well. With ACME, a managed Apple device asks the CA for a certificate on its own, and Apple Managed Device Attestation lets the device prove its identity to Apple’s servers and, through the resulting attestation, to the CA before a certificate is issued. Because the use of ACME with MDMs is still at an early stage of adoption, most organizations use SCEP for the majority of their devices and ACME for the select Apple devices that perform critical, high-risk functions.
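To make the SCEP-versus-ACME difference concrete, here is an added example (not a SecureW2 profile) that builds both Apple payloads with Python’s plistlib and lints them for the weaknesses discussed above. Key names follow Apple’s SCEP and ACMECertificate payload references as I read them; the URLs, identifiers, subject and the lint rules themselves are constructed for the example.

```python
"""Two Apple configuration payloads side by side: a SCEP payload whose only gate
is a shared Challenge, and an ACMECertificate payload that demands a hardware-
bound, attested key. Added illustration, not SecureW2's profile. Payload key
names follow Apple's SCEP and ACMECertificate profile references as I read
them; URLs, identifiers, subject and the lint rules are constructed."""
import plistlib
import uuid


def scep_payload(url: str, challenge: str) -> dict:
    """Weak pattern: whoever holds this profile holds the Challenge and can enroll."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": {
            "URL": url,
            "Name": "Example SCEP",
            "Challenge": challenge,          # static secret shared by every device
            "Subject": [[["CN", "managed-device"]]],
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                  # signing + encipherment
        },
    }


def acme_payload(directory_url: str, client_identifier: str) -> dict:
    """Hardened pattern: the CA gets a Secure Enclave key plus Apple's attestation."""
    return {
        "PayloadType": "com.apple.security.acme",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.acme",
        "PayloadUUID": str(uuid.uuid4()),
        "DirectoryURL": directory_url,
        "ClientIdentifier": client_identifier,  # per-device value minted by the MDM
        "KeyType": "ECSECPrimeRandom",
        "KeySize": 256,                  # Secure Enclave keys are P-256
        "HardwareBound": True,           # key is generated in, and never leaves, the SEP
        "Attest": True,                  # device answers device-attest-01 with Apple MDA
        "Subject": [[["CN", "managed-device"]]],
        "UsageFlags": 1,                 # digital signature, sufficient for EAP-TLS
        "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],  # clientAuth
    }


def lint(payload: dict) -> list:
    """Return the ways this payload would let an unmanaged or cloned device enroll."""
    findings = []
    kind = payload.get("PayloadType")
    if kind == "com.apple.security.scep":
        content = payload.get("PayloadContent", {})
        if content.get("Challenge"):
            findings.append("SCEP: a static Challenge is the only gate; anyone with the profile can enroll")
        else:
            findings.append("SCEP: no Challenge; the enrollment URL is open")
        findings.append("SCEP: no device attestation; the key is not proven to be hardware-backed")
    elif kind == "com.apple.security.acme":
        if not payload.get("Attest"):
            findings.append("ACME: Attest is false; the CA cannot distinguish a managed device from a clone")
        if not payload.get("HardwareBound"):
            findings.append("ACME: HardwareBound is false; the private key can be copied off the device")
        elif (payload.get("KeyType"), payload.get("KeySize")) != ("ECSECPrimeRandom", 256):
            findings.append("ACME: HardwareBound requires KeyType ECSECPrimeRandom with KeySize 256")
        if not payload.get("ClientIdentifier"):
            findings.append("ACME: no ClientIdentifier; the CA cannot tie the order to an MDM-issued token")
    else:
        findings.append(f"unknown PayloadType {kind!r}")
    return findings


def build_profile(payloads: list) -> bytes:
    """Wrap payloads in a configuration profile and serialise it as plist XML."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example certificate enrollment",
        "PayloadContent": payloads,
    })


def parse_profile(xml: bytes) -> dict:
    """Read a profile back, e.g. to lint one exported from an MDM."""
    return plistlib.loads(xml)


if __name__ == "__main__":
    for p in (scep_payload("https://scep.example.com/scep", "shared-secret"),
              acme_payload("https://acme.example.com/directory", "per-device-token")):
        print(p["PayloadType"], lint(p) or "OK")
```

Running the linter over profiles exported from an MDM is a quick way to find ACME payloads that were deployed with Attest or HardwareBound left at their defaults, which quietly reduces them to SCEP-grade assurance.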

Can We Use the ACME Protocol for the Windows Operating System?

Yes, the ACME protocol can be used on the Windows operating system and is not exclusive to Apple devices. Windows ACME clients (win-acme and Posh-ACME, for example) can obtain SSL/TLS certificates and, where the CA supports it, client certificates. The administrator has to ensure that the Windows host can reach the ACME server and that the server is configured to issue a valid client certificate to those users and devices.

However, SecureW2’s Managed Gateway API uses ACME for managed Apple devices only, because it relies on managed device attestation with Apple’s attestation servers before a device can enroll itself for a digital certificate.

For Windows, and for all the other major platforms, SecureW2’s PKI supports issuance through other mechanisms such as SCEP, WSTEP, or SAML-based enrollment.

Does ACME Automate the Entire Process of Certificate Issuance?

Yes, in general the ACME protocol can automate the entire certificate issuance, renewal and revocation process. Most solutions achieve this by installing an agent on the server that runs on a schedule. Automating certificate management reduces the time and staff needed to maintain certificates, and it removes the manual steps that lead to misconfiguration and, in turn, leave your network open to man-in-the-middle and other attacks. ACME also lowers the cost of certificate management because it is an open standard (RFC 8555) with many free, open-source clients.

To automate certificate management with ACME, install an ACME agent that generates a key pair and a CSR for the required domain. The agent completes the CA's domain-validation challenge, and the CA issues a certificate after verifying the challenge and the CSR. The agent then installs the certificate where the service expects it, so that every device connecting to that domain is presented with a valid, current certificate. At the time of writing (07/09/24), SecureW2 does not offer an ACME agent for servers.