Deploying digital certificates for internal and external use is a growing trend throughout countless industries. Of course, as more people convert to using certificates, they find that using the proper tools to back them up is just as important as having a sufficient certificate strategy.
There are many certificate services vendors, but some organizations have found success using open source tools such as OpenXPKI. Below we’ll evaluate the functions of OpenXPKI and whether it can be used effectively in enterprise environments.
Attributes of OpenXPKI
To begin, when a new customer opts to use OpenXPKI, they are provided tech support and training information, which says a lot for an open source product. Due to budgetary and time constraints, many open source products do not offer such support, but OpenXPKI looks out for those new to using a PKI.
The range of use cases for OpenXPKI is impressive: users have found success in simple, one-time operations, such as performance testing, all the way up to full-time enterprise environments. OpenXPKI supports a wide array of customers that need a PKI for varying use cases.
Capabilities of OpenXPKI
Considering the many different use cases, it’s no surprise that OpenXPKI has a variety of functions. It performs many of them very effectively and backs up its processes with powerful security measures. Below are some of the most commonly used functions of OpenXPKI.
- Detailed reporting of events happening on the network
- Can host multiple Issuing Certificate Authorities (CAs) with overlapping authentication validity
- Seamless replacement of outdated CAs
- Easily integrates with nearly all network infrastructure
- Enables communication with outside functions, such as SQL databases, web services, and LDAP
- Hardware Security Module (HSM) secured
- Provides an avenue for manual certificate requests
- Uses SCEP and EST gateways for certificate distribution
- Can equip smart cards with certificates
- Offers certificate revocation capabilities and hosts a CRL
Without a doubt, OpenXPKI can do more than most open source technologies. It provides full PKI support and can certainly take your network to the next level with certificate-backed security.
But OpenXPKI is not a wholly realized PKI. There are a few key features that it lacks when compared to other PKI vendors.
Shortcomings of OpenXPKI
One of the most glaring issues that organizations using OpenXPKI must face is the lack of efficient certificate distribution software available. While SCEP and EST gateways are effective in distributing certificates to managed devices, they aren’t appropriate for BYOD or IoT devices. Leaving manual configuration in the hands of the average network user is a recipe for misconfigurations, security vulnerabilities, and IT support tickets.
OpenXPKI provides an avenue for partial configuration of certificates through template-based certificate generation. In this case, users are asked for information such as the hostname and port number, and then OpenXPKI configures the subject and subjectAlternativeName. The result is a partial configuration of a certificate tailored to that particular user’s standing in the organization.
Of course, it does still require the user to complete some of the configuration process manually, which will certainly feel less efficient and more of a headache than credential-based authentication. And the limits of its certificate templates leave only a limited scope for certificate customization.
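A sketch of the template-based generation described above, added here as an illustration and not OpenXPKI's own code or template syntax. It shows why the two user-supplied values need validating before they are placed into the subject and subjectAlternativeName; the function names, the `DN_SUFFIX` value, and the rule of adding the port to the CN only when it is not 443 are assumptions.

```python
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Hypothetical fixed DN suffix that a template would hard-code (assumption).
DN_SUFFIX = "DC=Example,DC=org"


def validate_hostname(hostname: str) -> str:
    """Normalise and validate user input before it reaches the template."""
    host = hostname.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        raise ValueError("fully qualified hostname required")
    if not all(_LABEL.fullmatch(label) for label in labels):
        # Rejects wildcards, whitespace and DN metacharacters such as ',' '=' '+'.
        raise ValueError(f"invalid hostname: {hostname!r}")
    return host


def render_template(hostname: str, port: int = 443) -> dict:
    """Fill the subject and SAN fields from the two user-supplied values."""
    host = validate_hostname(hostname)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    # Assumption: the port appears in the CN only when it is not the default,
    # so that two services on one host get distinct subjects.
    cn = host if port == 443 else f"{host}:{port}"
    return {
        "subject": f"CN={cn},{DN_SUFFIX}",
        # dNSName entries never carry a port; only the hostname goes in the SAN.
        "subjectAltName": [f"DNS:{host}"],
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_template("WWW.Example.org"))
    print(render_template("www.example.org", 8443))
```

Without the label check, an input such as `www.example.org,CN=admin` would add an extra component to the rendered subject.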
Perhaps the most glaring issue with OpenXPKI is that a PKI is just one piece of the puzzle that enables certificate-based authentication. In order to operate with certificates, a network also needs a RADIUS server, an IDP, certificate management tools, powerful network infrastructure, and more. In addition, certificates have a wide range of capabilities that can’t be fully realized using OpenXPKI.
If you want to expand into VPN authentication, S/MIME email security, and dynamic authentication, enable SSO, and integrate with a wide range of operating systems, devices, and infrastructure, it will be a struggle with OpenXPKI. To truly upgrade into certificate-based networking and operate with the maximum potential of certificates, an open-source PKI can only take you so far.
Turnkey PKI Alternative
While OpenXPKI does provide a wide range of functions for an open source technology, it cannot do everything that other PKIs can do, such as the turnkey PKI provided by SecureW2. Our PKI provides every tool you need to launch a certificate-based network. The JoinNow onboarding solution can effectively distribute certificates to any BYOD devices, smart cards, IoT devices, and more in a matter of minutes. Or use SCEP gateways to equip managed devices with certificates with no end user interaction.
SecureW2 can configure certificates to be used for a wide variety of functions, like VPN authentication or S/MIME email security. The management portal allows admins to see every certificate on the network in an organized fashion. They can view authentication events, monitor network activity, and troubleshoot any connection issues remotely.
Additionally, SecureW2’s Cloud RADIUS with dynamic identity capabilities is an unmatched tool for certificate authentication. It can perform the basic functions of a RADIUS server – ensuring only approved users access the network – but it is also capable of real-time communication with the IDP. This allows an admin to update a user’s network permissions without replacing any certificates.
As cybersecurity continues to improve its defenses, certificates will grow in popularity. They are an excellent tool that is nigh uncrackable and extremely user friendly – with the right support. Check out SecureW2’s pricing page to see if our PKI solutions can transform your network to work efficiently with certificates.