Many organizations use digital certificates as a kind of electronic passport. A digital certificate connects a person, device or organization to a public encryption key, allowing the recipient to know who creates or send the data in a trusted way.
Digital certificates are big business. Recent statistics pegged the 2018 global market value of digital certificates at $76.2 million and the market is forecasted to grow about 10% annually to $123.8 million in 2023, according to Research and Markets.
Certificates help secure the identity, privacy and communication between two endpoints, but managing digital certificates can be challenging. One of the biggest drawback is that certificates have built-in expirations that must be managed.
Certain organizations treat certificate authentication as a second-factor authentication on top of the usual user name and passwords. Trust must be managed and digital certificates are the medium of choice for devices; however, setting up and operating a public key infrastructure (PKI) is no simple task.
I often tell customers that they can do away with passwords on devices connected to the network, but why do we want to do away with passwords? Active Directory password expiry policies are normally set to be effective every three to six months, which means that users risk locking themselves out every few months. When we magnify the operational effort for IT to unlock accounts over the entire organization, certificate-based identity management starts to make sense.
With Aruba ClearPass, we can manage the identify management process without the setup of a PKI. Let’s take a look at how this process can be simplified.
Built-in Certificate Authority for BYOD Onboarding
ClearPass has a built-in certificate authority (CA), which empowers IT staff can to easily create and deploy BYOD workflows so that authorized employees and contractors can use their devices on secure networks. ClearPass provides secure logins on Windows, MacOS X, iOS, Ubuntu, Chromebook and Android devices.
The built-in CA runs independently, however, enterprises also can choose to integrate both systems to create a single source of management for the certificates in the environment.
Digital certificates aren't particularly complex from a technical perspective. The certificates are unique as they also include specific user and device context.
Simplified Deployment
Got an mobile device management or enterprise mobility management (MDM/EMM) solution? ClearPass also supports the distribution of onboard-generated certificates requested by third-party applications through Simple Certificate Enrollment Protocol (SCEP) and Enrollment over Secure Transport (EST) protocols (RFC 7030).
If you do not have an MDM/EMM solution, then the process can be offloaded to the users, who perform a one-time self-service provisioning process through a captive portal hosted on ClearPass.
Managing Your Certificates
Duration
The certificate contains "not before" and "not after" fields, which specify how long it is valid. The maximum term of a digital certificate is 27 months – 825 days, to be exact, though most CAs will limit the term to 24 months to help certificate holders avoid short expiration durations.
Enterprises should evaluate internal security policies and decide on a duration that provides a good balance between user convenience and security.
Revocation Through a Self-Service Portal
In the digital age, users change devices as often as clothing. ClearPass has a built-in device self-service portal allows users to mark devices as “lost” and thus invalidating the certificates without seeking help from IT.
Want to learn more? Watch this demo of device onboarding:
