Using X.509 digital certificates for authentication is an immediate and significant upgrade to credential (password) authentication, but it requires proper support infrastructure.
Certificate Lifecycle Management systems (CLM/CLMS), also called Certificate Management Systems (CMS), provide that support. They allow admins to manage every part of the lifecycle for an individual certificate while maintaining a broader perspective on the state of the network.
Organizations considering deploying digital certificates should be sure to include a certificate lifecycle management solution to provide a strong foundation for their WPA2-Enterprise network.
Stages of a Digital Certificate Lifecycle
Depending on who you ask, there are anywhere from three to six stages in the certificate lifecycle but the difference is mostly semantic. Here are the important bits:
Certificate Enrollment is the first step. A user or device requests a certificate from the certificate authority (CA) which confirms their identity and generates the certificate.
Certificate Distribution is the process of securely sending a digital certificate from the CA to the requesting client. This typically requires an onboarding solution to streamline device configuration and secure communications.
Certificate Validation is the “active” part of the certificate lifecycle. During certificate validation, the RADIUS server checks if the certificate is still within its validity period and confirms that it has not been revoked and placed on the certificate revocation list (CRL).
Certificate Revocation is self-explanatory. If an admin manually revokes a certificate it is placed on the CRL and the RADIUS will not authenticate it. Certificates that have exceeded their validity period are considered “expired” and are not placed on the CRL.
We talk about the certificate lifecycle stages in more depth here.
Why is Certificate Lifecycle Management Necessary?
Digital certificates are built upon public key cryptography – a type of asymmetric cryptography in which both parties have half of a public-private key pair and use their half to encrypt communications that can only be decrypted by the holder of the second half.
This type of cryptography is far superior to the hash cryptography typically employed by credential-based systems, but it requires more in the way of setup. Its asymmetrical nature requires the two parties to establish secure communications (usually through the mutual trust of a certificate authority) in order to provision the public-private key pair.
In order to deploy certificates you need a public key infrastructure (PKI). On-premise PKIs are expensive and take weeks to set up. In contrast, there are managed cloud-based PKIs like the one SecureW2 offers that can be configured and deployed in hours.
But the most important tool for managing the certificate lifecycle is a robust certificate management system (CMS) that allows you to view, manage, and customize every aspect of the process. The SecureW2 CMS has an intuitive single-pane management interface with AI-driven anomaly detection and reporting so that there’s always an eye on your network.
Certificate Lifecycle Management for SSL/TLS Certificates
Certificate lifecycle management is now more important than ever. Apple made the unilateral decision to only trust SSL and TLS certificates with a validity period under 398 days (a year plus a month for buffering certificate renewals), despite the industry consensus to reject the proposal.
This regulation went into effect on September 1, 2020 – though it only impacts newly issued certificates. Existing certificates will be grandfathered in. You can expect the average validity period for all certificates, not just SSL/TLS, to begin to decrease from the current averages of 2-5 years. Teams will likely opt to renew all their certificates at the same time rather than have constant, rolling certificate management tickets.
The result of this industry trend, shorter certificate lifecycles, is overall beneficial. There’s no question that it’s more secure to replace certificates more frequently, though there is also an argument to be made that it’s not necessary. Either way, it’s still an improvement from the 90-day password replacement policies.
Best Certificate Lifecycle Management Solution
Proper management of certificates is important because, without it, they have a tendency to get “lost”. Certificates that slip through the cracks may expire, be revoked, be stolen, or be otherwise compromised and still be able to interact with your network in an unregulated manner.
Don’t let the effectiveness of your 802.1X authentication be compromised by poor certificate management. SecureW2 has affordable CMS solutions for organizations of all sizes. Click here to see our pricing.
