
Using Object Identifiers In PKI Management

Management of a PKI can be a full-time task for an IT team. Ensuring network users are able to authenticate to a secure network, easily maintaining their network identity, providing access to resources they need, and protecting everyone from a plethora of outside attacks is no simple task.

Tools and software aimed at improving the PKI management process should make it easier for admins to identify users, certificates, and policies and implement them properly. Object Identifiers (OIDs) in PKIs work to organize and identify everything within your PKI to guarantee accuracy in network management.

What Is An Object Identifier?


An OID is a string of decimal numbers that identifies an object. Each object within a PKI has its own unique string of numbers, which makes it quickly identifiable during processes such as authentication.

An OID can be configured as either a public or private OID. A private OID acts as a boundary for a private PKI, ensuring that outside OIDs are not accidentally recognized and implemented. A public OID allows your PKI to work with other organizations, which is a valid option for some organizations.

Within the PKI there will be a root OID on which all other OIDs are based. The root OID helps identify the source of the various OIDs and works similarly to a Root CA to establish a chain of trust. If an object is being authenticated and does not contain the root OID, it can be quickly identified as unknown. For example, Adobe OIDs fall under the base arc OID of 1.2.840.113583.

When a new certificate template is created and added to the default template, a new OID is generated to identify it. This allows for precise network segmentation as you can set all policies for different user groups to fall under particular OID groups. A network admin could easily set a group of OIDs to apply to VPN users so they have access to different network resources than their in-office counterparts.

OIDs Organize The Network

A common use for OIDs is to segment network users and apply different roles and use policies to various user groups. This is particularly useful for implementing a Zero Trust security policy. The basis of zero trust is that network users should only have access to resources they require. Simply put, you wouldn’t give teachers and students the same level of access on a school’s secure network.

A highly effective method to apply OIDs is through the use of digital certificates for network authentication. When a certificate is encountered, the user is identified and the software reacts according to the corresponding policies/identifiers that apply to that user’s OIDs.



OIDs make network segmentation incredibly easy. When a certificate is encountered during authentication, it’s easy to follow the chain of OIDs to ensure validity and quickly apply needed policies. Additionally, OIDs can be easily edited and configured, allowing for precise network segmentation and tightly restricted access to resources.
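The root-arc check and the OID-to-policy mapping described above can be sketched as follows. This is an added example, not SecureW2's code: the root arc 1.3.6.1.4.1.99999, the role names, and the idea that the input is a list of policy OIDs already read from a certificate are all assumptions made for illustration. It compares OIDs component by component, because a plain string-prefix test would wrongly accept 1.2.840.1135830.1 as falling under 1.2.840.113583.

```python
# Added example: every OID arc and role name below is a constructed placeholder.

def parse_oid(text):
    """Split a dotted-decimal OID into a tuple of ints, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-decimal OID: {text!r}")
    if any(len(p) > 1 and p[0] == "0" for p in parts):
        raise ValueError(f"leading zero in OID component: {text!r}")
    return tuple(int(p) for p in parts)

def is_under(oid, arc):
    """True if oid equals arc or sits below it, compared component by component."""
    return oid[:len(arc)] == arc

# Hypothetical private root arc (1.3.6.1.4.1 is the IANA enterprise arc;
# 99999 is a placeholder, not a value from the article).
ROOT_ARC = parse_oid("1.3.6.1.4.1.99999")

# Hypothetical policy arcs under the root, mapped to network roles.
ROLE_ARCS = {
    parse_oid("1.3.6.1.4.1.99999.1"): "staff",
    parse_oid("1.3.6.1.4.1.99999.1.2"): "staff-vpn",
    parse_oid("1.3.6.1.4.1.99999.2"): "student",
}

def role_for(policy_oids):
    """Return the role of the most specific matching arc, or None (deny by default)."""
    best_arc, best_role = (), None
    for text in policy_oids:
        try:
            oid = parse_oid(text)
        except ValueError:
            continue  # malformed OIDs never grant access
        if not is_under(oid, ROOT_ARC):
            continue  # outside the private root: treated as unknown
        for arc, role in ROLE_ARCS.items():
            if is_under(oid, arc) and len(arc) > len(best_arc):
                best_arc, best_role = arc, role
    return best_role
```

A return value of None means no known policy applies, so the caller should place the device in a default-deny or quarantine segment rather than fall back to a permissive role.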

SecureW2’s OID Application

When a user configures their device for a certificate without an onboarding service, there are numerous opportunities for misconfiguration. The process is not simple, and many users without a tech background will be confused by the high-level IT steps involved.

SecureW2’s JoinNow onboarding solution allows users to self-configure in a matter of minutes and immediately applies OID-based policies to user groups. When a user completes the JoinNow process, they will have identified themselves. Through that identification, JoinNow automatically detects their user group and applies the necessary OIDs to their certificate.

As stated above, these OIDs can be highly specific. Admins can define criteria such as resources available to the user, which applications are open to them, how many certificates they can carry, set parameters for expiration, and more. Because certificates cannot be shared between users like traditional password security, admins know that policies are being applied accurately for every user on the network.

Certificates from SecureW2 can be distributed for a wide array of use cases. Beyond BYOD and managed devices, they can be applied to secure servers, YubiKeys and other smart cards, IoT devices, VPN services, web applications, and others. They are an excellent tool to replace insecure credentials on the entire network.

Additionally, SecureW2’s Cloud RADIUS allows for industry-exclusive dynamic authentication, which lets the policies attached to a user’s certificate be updated in real time. Instead of updating a user’s status and replacing every certificate that applies to them, admins can update their identity in the IDP, and Cloud RADIUS will communicate with the IDP during authentication and apply those updates.

OIDs are another tool in an admin’s arsenal for applying organization and security in the fight against outside attacks. When it comes to an organization’s secure network, each user should only have access to what they need. OIDs make it easy to provide precise network access without having to edit each individual’s standing. Check out SecureW2’s pricing page to see if our certificate and PKI solutions can fit your organization’s needs.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
