
What is an AWS Private CA?

Private certificate authorities (CAs), also known as enterprise CAs, are CAs meant for internal use only. Their root certificates are not included in public trust stores, so the certificates they issue are trusted only by devices the organization has explicitly configured to trust that root. The usual users are larger organizations and universities that need authenticated, encrypted communication across their own networks and applications.

A 2020 study found that the number of certificates the average organization manages had grown 43 percent over the previous year, which makes a certificate management system a pivotal requirement for enterprises. SecureW2's Managed PKI is turnkey and gives admins everything they need for certificate management. Learn from one of our customers how easy it was to get set up with SecureW2.

There are several options when you decide to build a private CA. One of them, AWS Certificate Manager Private CA (ACM Private CA, since rebranded as AWS Private CA), comes from Amazon. In this article, we look at what ACM Private CA lets you do and where it falls short.

 

What Is ACM Private CA?

ACM Private CA lets you create private CA hierarchies with root and subordinate CAs without operating and maintaining expensive on-premises servers. CA private keys are generated and stored in AWS-managed hardware security modules (HSMs), removing the operational and cost burden from customers.

An ACM private CA can issue X.509 certificates that identify users, computers, API endpoints, and IoT devices. Its typical customers are already advanced PKI users who understand the technical side of CA management. ACM simply doesn't provide the average customer with everything they need to run a secure PKI for network authentication.

 

Issues With ACM Private CA For Network Authentication

A CA alone is not enough to get network authentication working effectively. Here are the major components that must work alongside ACM to get a PKI ready for network authentication.

RADIUS Server Setup For Certificate Authentication

One important component missing from ACM is a RADIUS server. A device holding a certificate issued by the private CA can only be authenticated onto an 802.1X network by a RADIUS server configured for EAP-TLS. Each time the device connects, the RADIUS server validates the certificate it presents: the chain must lead to the trusted private CA, the certificate must be unexpired and unrevoked, and it must be permitted for client authentication. Anything that fails those checks (or, for other EAP methods, presents the wrong credentials) is kept off the network.
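The two-tier hierarchy (a root signing an issuing subordinate CA) described under "What Is ACM Private CA?" and the certificate check this section attributes to the RADIUS server, as an added example that is not AWS, ACM or SecureW2 code: it builds the hierarchy locally with the openssl command-line tool, issues an EAP-TLS client certificate, and then runs the same chain-and-purpose check an EAP-TLS RADIUS server performs, against the legitimate certificate, a certificate for the same device signed by a CA the server does not trust, and a certificate from the right CA that lacks the clientAuth extended key usage. Every name (Corp Root CA, Corp Issuing CA, laptop01.corp.example, Rogue CA) is made up for the example.

```shell
#!/bin/sh
# Added example (not AWS or SecureW2 code). Builds a private CA hierarchy
# with openssl, issues an EAP-TLS client certificate, and performs the chain
# check a RADIUS server does on it. All names below are invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: the root may sign CAs; the issuing CA may sign only
# end-entity certs (pathlen:0); the client cert carries the clientAuth EKU.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:laptop01.corp.example
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF

# self_signed_ca NAME CN: a self-signed CA certificate (root profile).
self_signed_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_root -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# csr NAME CN: a fresh key pair plus a certificate signing request.
csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign CSR CA PROFILE OUT: the CA signs the CSR using the named profile.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions "$3" \
    -out "$WORK/$4.pem" 2>/dev/null
}

# What the RADIUS server does in EAP-TLS: chain the presented certificate
# through the (supplied, untrusted) intermediate to the trusted root and
# require it to be usable as a TLS client. Exit status is the verdict.
radius_accepts() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" \
    -purpose sslclient "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'
}

self_signed_ca root "Corp Root CA"
csr issuing "Corp Issuing CA"
sign issuing root v3_issuing issuing
csr laptop01 laptop01
sign laptop01 issuing v3_client laptop01          # legitimate device cert

self_signed_ca rogue "Rogue CA"                   # CA the RADIUS server does not trust
sign laptop01 rogue v3_client laptop01-rogue      # same CSR, wrong issuer
sign laptop01 issuing v3_server laptop01-server   # right issuer, serverAuth only

for c in laptop01 laptop01-rogue laptop01-server; do
  if radius_accepts "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

ACM Private CA would keep the root and issuing keys in its HSMs and sign through its certificate-issuance API rather than `openssl x509`, but the extension profiles and the verification step are the same. Note that the check needs the issuing CA certificate as well as the root: a RADIUS server must be given the full chain, because supplicants commonly send only their own certificate.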

Organizations can deploy RADIUS on-premises or use a cloud RADIUS service; the industry is leaning toward the latter as the more cost-efficient option.
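For an on-premises deployment, this is what tying the RADIUS server to the private CA looks like: the EAP-TLS part of a FreeRADIUS 3.x `eap` module, as an added example that is neither SecureW2's code nor FreeRADIUS's shipped default. The file paths and the `corp-chain.pem` name are assumed; `${certdir}` and `${cadir}` are the variables FreeRADIUS defines in `radiusd.conf`.

```conf
# Added example (not the FreeRADIUS default file): mods-enabled/eap, EAP-TLS only.
eap {
    default_eap_type = tls

    tls-config tls-common {
        # The RADIUS server's own certificate and key, issued by the same PKI
        # so that supplicants can validate the server before sending anything.
        private_key_file = ${certdir}/radius.key
        certificate_file = ${certdir}/radius.pem

        # Trust anchor for client certificates. Must contain the root AND the
        # issuing (subordinate) CA certificate concatenated: supplicants
        # usually send only their own certificate, so the server needs the
        # intermediate to build the chain up to the root.
        ca_file = ${cadir}/corp-chain.pem

        # Weak default: check_crl = no, so a revoked device certificate keeps
        # working until it expires. Enable CRL checking for the whole chain and
        # point ca_path at a directory holding the CRLs (hashed names, c_rehash).
        check_crl = yes
        check_all_crl = yes
        ca_path = ${cadir}

        # Do not negotiate TLS versions older than 1.2 for the EAP-TLS tunnel.
        tls_min_version = "1.2"
    }

    tls {
        tls = tls-common
        # Post-authentication policy (for example mapping the certificate
        # subject or SAN to a VLAN) runs in this virtual server.
        virtual_server = check-eap-tls
    }
}
```

With the chain file and CRL checking in place, the server makes exactly the decision described above: a certificate from an unknown CA, a revoked certificate, or one not marked for client authentication is rejected before any network access is granted.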

SecureW2’s JoinNow solution comes with a built-in, world-class Cloud RADIUS server, providing powerful, policy-driven 802.1X authentication. Backed by the same AWS security as ACM, it delivers high availability, consistent and quality connections, and requires no physical installation.

 

A Method Of Certificate Enrollment

While ACM provides a method of creating private CAs, it doesn’t provide a way to efficiently distribute certificates to managed devices.

Consider that an organization may have thousands of different devices, each with its own method of enrollment. Manually distributing certificates to each device is simply not a practical solution.

The solution to this inefficiency is to push network settings, together with a securely issued certificate, to each device automatically. SecureW2’s SCEP Gateway APIs make this possible: the gateway configuration can be pushed out through any MDM so managed devices enroll themselves for certificates. SecureW2 works with all APs and RADIUS servers, so if you have the means, you can strengthen your current infrastructure by combining it with our PKI.

SecureW2 also has a solution for BYOD environments; the JoinNow Suite will allow end-users to self-enroll for certificates in just a few clicks. SecureW2 has spent years developing best-in-class tools with the end-user in mind to make connecting devices for secure wireless a breeze.

 

Certificate Management With SecureW2

ACM is a solution for experienced PKI specialists who already know how to create a functional certificate environment. It simply doesn’t offer the remaining parts of a fully functional certificate-based network.

SecureW2 provides everything you need to support an EAP-TLS network that can issue and validate certificates. Our Cloud RADIUS doesn’t need any additional hardware and comes fully equipped. It even has a dynamic policy engine that allows it to be the only cloud RADIUS that can directly reference cloud identity providers like Google, Azure, and Okta.

In addition, SecureW2 simplifies integration because it works with any IdP and allows you to use existing credentials to issue certificates. Our #1 rated JoinNow onboarding software makes enrolling for certificates a breeze no matter the environment. Check out our pricing page to see how we can help your organization.

 

Key Takeaways:
  • While ACM provides a framework for a PKI, it simply doesn’t provide the average customer with everything they need to run a secure PKI for network authentication.
  • ACM does not provide a RADIUS server.
  • SecureW2 provides everything you need to support an EAP-TLS network that can issue and validate certificates.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
