Public Key Infrastructure (PKI) and Digital Certificates

are a Must for Secure Authorization.

Public Key Infrastructure (PKI)

PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificatesPKI enables the creation of a trusted environment which businesses may conduct trade through the Internet.  A digital certificate and the infrastructure under which the digital certificate is issued provides the information and structure needed to:

  • Minimize fraud by authenticating the identity of people via the Internet
  • Provide privacy of messages by minimizing the risk that they can be read in transit, or by anyone, other than the intended recipient
  • Assure the integrity of electronic communications by minimizing the risk of the being altered or tampered with in transit without the recipient being aware
  • Provide non-repudiation of transactions so that people cannot deny involvement in a valid electronic transaction

PKI is vital for secure private remote authentication over public networks and using PKI allows users to access company information securely.

primekey-png2016

PKI (public key infrastructure) supports the distribution and identification of public encryption keys which enables users and computers to securely exchange data over networks, including the Internet, while verifying the identity of the receiving party.

PrimeKey offers turnkey solutions that make PKI convenient while saving resources, increasing quality to minimize PKI project risks, predict costs and simplify installation and maintenance of PKI or Digital Signing Solutions.

C2 Company is proud to be PrimeKey's Premier Authorized US Partner.

PK-Appliance

 

icon_genius-Blue   PrimeKey EJBCA Enterprise is a flexible, software-based, solution that can provide protection to virtually any area of technology.

icon_lock_alt-Orange   The PrimeKey Appliance, with EJBCA is a packaged PKI-in-a-box concept that offers the easiest and most secure way to deploy an enterprise PKI system without the great complexity of an elaborate installation and integration process.

icon_globe-2Red   PrimeKey EJBCA OCSP Validation Authority (VA) is an entity that provides services used to validate certificates.

icon_globe_alt-Blue   PrimeKey VA Appliance offers a standalone, turn-key solution for operating OCSP and CRL based VA services.

icon_pencil-edit_alt-Yellow   PrimeKey Code Signing Appliance is all that is needed to handle enterprise code signing needs.

icon_pencil-edit-Green   PrimeKey SignServer Enterprise Digital Signatures give maximum control and security to conveniently sign code and documents.

PrimeKey
EJBCA Enterprise Edition

icon_genius-Blue

EJBCA Enterprise:

The One Stop Shop for Enterprise PKI.”  EJBCA Enterprise can be implemented as an easy-to-use turn-key PKI product, or can be implemented as a custom solution.  EJBCA Enterprise provides full control for managing secure digital communication and is bundled with support.  EJBCA Enterprise PKI Certificate Authority (CA) is an open source IT-security software for Certificate Issuance and Certificate Management.

Adobe-PDF-Document-icon-ThumbNail

PrimeKey Appliance

icon_lock_alt-Orange

The PrimeKey PKI Appliance is the best choice for most medium and large sized deployments, as well as “cloud” and “Internet of Things” (IoT) deployments.  The packaged PKI-in-a-box concept provides the easiest and most secure way to deploy an enterprise PKI system, without difficulty and inconvenience of elaborate installations or integrations.

The PrimeKey PKI Appliance is combined with the secure PrimeKey Enterprise software technology stack, and enterprise-grade hardware, including Hardware Security Modules (HSM).  All the benefits of EJBCA and SignServer can be achieved with a single PrimeKey PKI Appliance deployment, resulting in the capability to govern multiple CAs and Document Signers, reducing the need for several dedicated hardware units.

Adobe-PDF-Document-icon-ThumbNail

EJBCA Validation Authority (VA)

icon_globe-2Red

PrimeKey EJBCA Validation Authority (VA) uses the EJBCA OCSP Responder – PrimeKey’s high performance and scalable Validation Server, is based upon the OCSP standard.  PrimeKey’s EJBCA VA is capable of providing real time certificate validation.

The PrimeKey EJBCA VA uses a relational database as back-end storage, allowing EJBCA OCSP to immediately update certificate information upon certificate revocation.  One can even issue millions of inactive certificates that can later on be activated – something virtually impossible using traditional methods.

Based on the same Java EE platform as EJBCA PKI, the OCSP responder features the same platform independence, flexibility and robustness as EJBCA PKI, and supports the leading HSMs allowing for easy and reliable clustering.

Adobe-PDF-Document-icon-ThumbNail

VA Appliance

icon_globe_alt-Blue

The PrimeKey VA Appliance is based on EJBCA Enterprise and high-performance server hardware, including a FIPS 140-2 level 3 HSM, and offers a perfect fit for every organization's requirements.

The PrimeKey VA Appliance provides all the components needed for a successful deployment and operation of a Validation Authority.  It includes a complete OCSP responder, serving an unlimited number of Certification Authorities (CAs) and a CRL and CA certificate download service.  An integrated HSM brings enterprise-grade security for cryptographic keys.

Easy and effective management is the key to a secure and reliable deployment.  PrimeKey VA Appliance offers a web based interface including all functions needed for easy deployment and effective operation.  Backup & Restore procedures can easily be triggered automatically and complex upgrades are usually done within minutes.

Adobe-PDF-Document-icon-ThumbNail

Code Signing Appliance

icon_pencil-edit_alt-Yellow

PrimeKey Code Signing Appliance minimizes the number of certificates, and offers the easiest and most secure way to perform code signing within an organization.  PrimeKey Code Signing Appliance is a SignServer-in-a-box able to combine SignServer Enterprise software with a secure technology stack and enterprise-grade hardware, including a Hardware Security Module (HSM).

In a single deployment of the Appliance you get all the benefits of SignServer Enterprise, yet are able to govern multiple Code Signing needs, thus reducing any need for several, dedicated units.

Adobe-PDF-Document-icon-ThumbNail

SignServer Enterprise

icon_pencil-edit-Green

PrimeKey SignServer Enterprise is server-side digital signature software used to sign any digital document, and more.  SignServer Enterprise provides:

  • High performance and high availability
  • Operates on behalf of business applications
  • Is designed to perform automated signatures (and other cryptographic operations on digital documents)
  • Is easy to adapt to customer specific needs
  • Can be used as a time stamp unit, accompanied with a Time Stamp Authority (TSA)
  • Generates digital signatures for use with PDFs

Adobe-PDF-Document-icon-ThumbNail

 

"Probably the best PKI in the World"

PRIMEKEY PRODUCT GUIDE:

Product NameDigital CertificatesDigital Signatures
EJBCA Enterprise*
EJBCA VA*
VA Appliance*
PKI Appliance**
Code Signing Appliance*
SignServer Enterprise*

PrimeKey

PKI Use Cases

RSA Certificate Manager Migration Services

Problem

RSA Certificate Manager has reached its end of life and will soon reach end of support. The good news is that C2 Company are experts when it comes to PKI. We have migrated, both large and small enterprises, from RSA Certificate Manager (RSA CM) to PrimeKey PKI Appliances and EJBCA Enterprise. PrimeKey Appliances offer a hardened, hardware-based, turnkey solution that can perform all the basic and advanced features that the RSA CM product performed.

Solution

The PrimeKey Appliance includes Certificate Authority (CA) functionality to issue certificates. C2 Company can migrate all the certificates that are in your Certificate Manager database over to the PrimeKey solution. We can also utilize the CA private keys in your current HSM to be used with PrimeKey products. EJBCA supports the import of an external root and subordinate certificate authorities, allowing for dedicated issuance services when/if needed. A real strength of EJBCA is that it can run multiple CAs. Multiple PKI hierarchies with multiple associated CAs are also possible, each with its own administrator group. Not only will you achieve centralized and streamlined management, but also a reduction in resource needs.

PrimeKey also offers a full web based Registration Authority (RA) that delivers a better self-service user experience. The RA services in the PrimeKey Appliance and EJBCA Enterprise Edition are accessible through a browser interface, allowing you to be flexible in the way your RA administrators perform their work functions. This includes a better vetting process, approvals and delegation. EJBCA implements a variety of security protocols that deliver automated RA functions. If a specialized and integrated RA is needed, that is tied to your business processes, EJBCA will allow you to use a Web Services Application Plugin (WSAPI) to have subscribers or customers register as a part of the business process. This allows for the automation and integration with many custom and third party products.

With the PrimeKey Appliance and EJBCA Enterprise, the certificate validation is handled either through CRLs or online validation (OCSP). Both services run from your EJBCA deployment, and you can naturally publish revocation information to other distribution points. For situations where the validation service needs to be placed in a separate network, additional nodes can run exclusively as a Validation Authority (VA).

C2 Company can migrate all the SCEP integrations with your existing RSA CM implementation. PrimeKey continuously adds new features to EJBCA, including support for various protocols that make use of CA services. Our customers integrate EJBCA in all types of businesses - financial institutions, cloud providers, telecom operators, and government institutions.

Since the use cases for PKI deployments are so vast, they always vary in complexity. The migration process starts with C2 Company’s consulting services performing an assessment of your existing PKI implementation. Once this is complete C2 Company will architect a solution for your organization’s needs, and plan a path for migration. Let C2 Company do the heavy lifting while you benefit from our years of PKI expertise.

Migrating Away From SHA-1

SHA stands for Secure Hashing Algorithm.  Its sole purpose is to produce irreversible and unique hashes of data.  SHA-1 and SHA-2 are two different versions of the SHA algorithm.  SHA2 is a family of hashes with the most popular being SHA-256.  SHA-1 was largely in use from 2011 to 2015 and been reevaluated due to the amount of collisions it has had.  A collision happens when the hash used to create the signature for the data is no longer unique.  This is dangerous since this allows two separate files to produce the same signature allowing an attacker to use a malicious file in place of a trusted one.  Given this, it has been determined SHA-1 is no longer secure.

SHA-256 uses far more combinations to calculate the hashes.  This makes it so the chance for a collision is far less.  Eventually, every hashing algorithm produces a collision.  The question is how easy is it to do so?  SHA-1 was deemed insecure due to its calculated possibility to produce a collision.  On Feb 23rd, 2017, Google Security Produced the first SHA-1 collision.  This is significant and emphases the need for organizations to move from SHA-1 to SHA-2.

In many cases using SHA-1 is a compliance violation and requires organizations to remediate the findings or invoke a risk exception process.  This is critical in public facing applications that are secured with SHA-1.  It essentially allows an attacker to pretend to be a legitimate user or asset by crafting a collision.  The attacker could then use the collision to deceive systems that rely on hashes into accepting a malicious file.  This can also include man in the middle attacks or code-signing malicious binaries.

Most browsers will no longer show a valid certificate (Green Padlock) with it encounters a SHA-1 certificate.  It will show the same icon as an untrusted certificate.

Example of SHA-1 Cert in a Browser.

Industry researchers are continually analyzing SHA-2 for weaknesses and trying to determine the probability for a collision.  Not only is the current likelihood of a collision extremely low, but for the foreseeable future it’s nearly impossible.  This is directly proportional to computer processing power in mining systems and how expensive it is to procure.  The more processing power that can be used to crack the hash, the more likelihood of its success is.  The current time required to crack a SHA-2 hashed piece of data is in the trillions upon trillions of years timeframe.  Add in real world things like password timeouts after unsuccessful login attempts or Salts and the amount of time gets unconscionable.   One noteworthy data point, the life expectancy of the sun (5B years) is less than it would take to crack a SHA-256 hashed password with current computer hardware.

SHA-3 (another family of hashes) is the suspected successor to SHA-2 and is still being vetted and researched to determine its feasibility in its usage.  Currently, there is not much software that supports SHA-3.  One of the reasons for this is that the SHA-3 hash was just established as a standard in 2015.  As time goes on there will be some movement towards SHA-3, but this is a long way out.  The reason for this is because SHA-2 is still widely accepted as secure and compatible with most systems, and will be for many years to come.

PrimeKey Enterprise PKI and C2 Company can help you migrate away from SHA-1 certificates and keys.  The PrimeKey Appliance is a packaged PKI-in-a-box that offers the easiest and most secure way to deploy and Enterprise Grade PKI system.  The PrimeKey Appliance takes the hassles out of an elaborate installation process and makes tasks like HA, backups and integration far easier than other solutions.

By delivering strongly on security, performance and simplified maintenance, PrimeKey PKI Appliance empowers your security team to focus on aspects more directly beneficial to your business — the core certificate lifecycle, code and documents themselves.  Let us be your experts in the migration away from SHA-1, so you can continue to grow your core business.

The Internet of Things and PrimeKey PKI

The Internet of Things (IoT) is defined as "the ever-growing network of physical objects that feature an IP address for internet connectivity and any other communication that occurs between those objects and any other internet-enabled devices and systems".  In short, this equates to most devices you see and touch daily.  Your phone, car, internet connected thermostat, webcam, appliances, household lights, alarm systems, speaker systems, and more.

In many cases these devices don’t even have an IP address.  GPS receivers, Bluetooth and some wireless devices like phones that utilize SIM cards don't use a standard IP address to communicate.  They communicate on a protocol level with the service provider.  These are examples where a digital certificate can guarantee a data connection is valid and secure.

Individuals generally use IoT devices for their intended purpose such as a smartphone, smart home, or speaker system.  Vendors can leverage IoT devices in more sophisticated ways and are getting increasingly more creative. One way is to perform service calls.  For example, to have an appliance call for service automatically when it has a self-diagnostic problem.  Another example is in the medical industry, where hospitals use "Smart Beds" which can notify hospital staff when a patient is attempting to get out of bed.  IoT is changing the way people and vendors utilize devices and products.

This poses a huge problem with regards to trust within IoT environments.  Trust is when there is confidence the person, system or device will behave exactly as expected.  Trust it's software, drivers, data or configuration has not been altered or tampered with in any way.  PKI helps since it's the best technology that exists for securing messages, data and identities across open networksPKI is used to authenticate, encrypt and sign devices as well as their firmware at the time of manufacture so the vendor is sure in their integrity.  PKI is critical for vendors since it ensures devices can communicate back to the vendor securely.

The scale of IoT usually means that there is no possibility of user interaction.  For this to be achievable, a device needs to be able to securely authenticate and communicatePrimeKey Enterprise PKI can solve these needs allowing developers to get the functionality and security they are looking for.  PKI is an open standard for interoperability that can adapt to different use cases across disparate protocols and platforms.  PrimeKey Enterprise PKI is the best of breed.

While the IoT device is in development, it is the proper time to address security measures.   Addressing it at development allows manufacturers to embed the certificate during the production process allowing a full, secure chain of custody for the device.  Utilizing PKI matches well with IoT because of how flexible the subject parameters can be in certificates to identify a device.  This helps vendors assign certificates to devices in nearly any way they desire.  Also, if placing a unique certificate on each device is not desired, a single key and certificate can be embedded onto a device at manufacture to make them all consistent.  If revocation needs to be done, a single revocation disables all devices with that certificate.

The PrimeKey EJBCA Web Service Application Program Interface (WS API) allows developers to get the integration they need to interface with their systems.  Customizing the development and delivery has been done with several of our existing customers and their IoT deployments.  From cellular modules to wireless access points to automobiles, C2 Company has enabled several organizations to deliver their mission critical IoT devices in a secure manner leveraging the WS API module in PrimeKey products.  We are confident you will find that there is no better solution to secure your IoT deployment than with PrimeKey PKI.

The Internet of Things is massive and only getting bigger each year.  With its increased size, the threat with regards to security also increases.  Each of these devices are going to need certificates and many today do not utilize them.  Paying for a certificate for each of these devices is not economicalPKI is often thought of as a way to authenticate websites and encrypt data.  It does this very well, but is capable of so much more.  PrimeKey Enterprise PKI has been allowing this and securing network connected devices for years and its scalability and flexibility matches IoT perfectly.

Leveraging PrimeKey PKI and Network Access Control

Network Authentication solutions usually contain RADIUS servers that provide AAA (Access, Authorization, Accounting) management to a network.  Often, they utilize an internal CA (PKI) to assist with this.  Leveraging the integrated CA in these solutions can allow them to perform basic functions, but limits IT administrator's ability to securely scale and protect their organizations with the advantages that a full Enterprise PKI system can offer.  The internal PKI on these systems are solving one specific use case for the product which they are servicing.  This can cause disjointed ownership of systems and multiple systems that are managing certificates.  This can also put certificate issuance in the control of departments such as network or MDM teams which do not generally control Identity and Access Management (IAM).

Implementing 802.1x-based access control as part of a broader Enterprise PKI deployment is a core feature of what NAC solutions do.  Most recent switch models from major vendors, such as Cisco and HP, allow you to configure port-based access control using 802.1x.  Since certificate distribution is tightly controlled by Active Directory (AD) or an accompanying MDM software, this ensures that only actively managed, secure, policy enforced systems are obtaining certificates and accessing the network.

Typical NAC Implementation

PrimeKey appliances and EJBCA Enterprise integrate seamlessly with NAC solutions such as ISE, ClearPass and Counteract to provide Enterprise class PKI.  When leveraging a full enterprise class PKI system outside of these NAC solutions, it gives the benefit of utilizing the Enterprise PKI system for other functions such as VPN Authentication (IPSec or Client), document signing, Single Sign On, MDM, Email, WAN connectivity, systems automation, as well as securing their entire organization of cloud, social, or Internet of Things (IoT) systems.  This ensures that the RADIUS servers and the clients are performing mutual TLS auth directly for enterprise grade security while maintaining centralized, administrative control of certificate issuance.

Leveraging PrimeKey PKI is significantly more secure than passwords and far easier to manage than a token environment.  When utilizing tokens, its generally required to have another enterprise software solution to manage the tokens which takes a considerable amount of overhead.  The tokens themselves can be in the form of either physical or soft tokens, but both require some kind of device, a mobile phone or FOB, that needs to be provisioned.  This headache can be mitigated by checking for the existence of a certificate that is automatically deployed to managed devices and/or people that the organization trusts.   In the event a certificate needs to be revoked, an automated process can be implemented to update OCSP Responders, that perform Certificate Validation, to ensure real-time revocation information is available to all enterprise systems.

Whether using ClearPass, ISE, Counteract or another NAC solution, utilizing PrimeKey PKI can enhance these deployments in many ways.  PrimeKey Enterprise PKI and C2 Company can help you scope and implement your NAC deployment.  The PrimeKey Appliance is a packaged PKI-in-a-box that offers the easiest and most secure way to deploy an Enterprise grade PKI system.  The PrimeKey Appliance takes the hassles out of an elaborate installation process and makes tasks like HA, backups and integration far easier than other solutions.

By delivering strongly on security, performance and simplified maintenance, PrimeKey PKI Appliance empowers your security team to focus on aspects more directly beneficial to your business — the core certificate lifecycle, code and documents themselves.  Let us be your NAC experts, so you can continue to grow your core business.

Improving Single Sign On with PrimeKey PKI

Single Sign On Without PKI

Single Sign On (SSO), leveraging a simple username and password to access multiple systems, is convenient but poses a securityrisk for enterprises.  If an SSO password is compromised, that gives an attacker access to a significant portion of an enterprises corporate resources.  Usernames and passwords are still the  most common access criteria in today's environments and have been in place for decades.  Compliance is driving the adoption of longer passwords, increasing the complexity, while creating a headache for end users, as well as the support staff, who need to maintain them.

When a single password is used to access a significant portion of an organizations resources, this poses a huge threat to IT teams.  Phishing scams are on the rise and are getting increasingly sophisticated, further compounding this threat.  Evolution in technology is also driving real change in the need for increased security.  No longer are traditional passwords acceptable, but addressing these gaps is challenging.  It often requires a change of deeply ingrained user behavior around authentication.

When leveraging PKI and digital certificates in combination with a username/password, credential loss is far less of a problem.  Organizations are significantly less exposed to sophisticated and targeted phishing attacks.  Running an internal Certificate Authority (CA) allows internal services to be configured to only accept connections from clients that have the certificate's installed that come from the enterprise's own CA chain.  This provides a second factor of authentication (2FA) and makes it significantly more difficult for an attacker to impersonate a genuine user.  In most cases, this second factor of authentication is in place and the users are unaware of its existence creating a seamless, secure experience.

SSO with PrimeKey PKI and Client Authentication

Another significant benefit is being able to secure cloud applications without having to make a directory infrastructure accessible to them.  Securing applications with a PKI system allows for the application to only be accessed by clients that have the proper client certificate installed.  PrimeKey appliances and EJBCA Enterprise integrate seamlessly with Enterprise SSO solutions such as Duo, Okta or PingFed.  When leveraging a full Enterprise class PKI system outside of these SSO solutions, it gives the benefit of utilizing the PKI system for other functions such as VPN Authentication (IPSec or Client), document signing, NAC, MDM, Email, WAN connectivity, systems automation, as well as securing their entire organization of cloud, social, or Internet of Things (IoT) systems.  This ensures that clients are less prone to phishing leaving the organization far less exposed to attacks.

 

How PrimeKey PKI Can Help with Client and WAN VPN Connections

When leveraging certificates with VPN, we commonly refer to two different scenarios.  User VPN and IPSec VPN.  User VPN, allowing users to remotely enter a network, can be tightly secured with PKI.  Some organizations are getting comfortable with doing away with passwords altogether when it comes to VPN and moving towards a "passwordless" IT infrastructure.  This is similar functionally to what organizations are doing for Wireless networks.  Some organizations that are not as comfortable with this and are choosing to check clients for certificates as a second form of authentication (2FA) in addition to a password.

Whether adding a second form of authentication or doing a

Typical User VPN Scenario

way with passwords, using PrimeKey Enterprise PKI with VPN solutions is an ideal choice for external user connections.  This allows IT departments to ensure remote access is coming from a client that is an official, corporate managed device that obtained a certificate as part of its provisioning process.  IT environments can also use certificate checking as a second factor after a one-time password (OTP) for enhanced security.  Utilizing OTP with certificate checking gives customers who want less reliance on passwords the increased security they desire.

The second scenario we commonly refer to is site to site VPN, or IPSec VPN, that is used to connect two sites together with a dedicated tunnel.  Often, this is secured with a Pre-Shared Key (PSK) or self-signed certificate by the firewall or router.  Should this PSK get compromised by an attacker, significant risk is placed on the organization.  Placing certificates on devices allows device to device communications to be established in a trusted manner.  Using an Enterprise Class PKI significantly helps with Dynamic Multipoint VPN (DMVPN) since its traditionally used in large scale deployments.  DMVPN allows a network to exchange data between sites without going through an organizations headquarter VPN server.  PKI allows for a centralized point of management, rather than having devices spread throughout the organization utilizing self-signed certificates.

Point to point VPN also gets difficult to manage in sites where there are many endpoint VPN connections.  Since PSKs are tied to an IP address, configurations can get cumbersome to manage.  Enterprise Class PKI Certificates use unique, static identification information, validated by a Certificate Authority making configuration management simplified.  Being allowed to revoke a certificate in the event if a compromise gives administrators control where self-signed certificates or PSKs cannot.  This also allows administrators to revoke the access between two different points and not have to change the PSK across the enterprise on all devices.

Within this same vein is the need to secure remote connections to Virtual Cloud Networks.  Amazon AWS calls them Virtual Private Clouds (VPC) and Azure calls them Azure Virtual Networks.  Both solutions, along with other cloud providers, allow you to have private networks in the cloud that are not accessible via the internet.  These private networks allow you to define private IP addresses, subnets, access control policies and more.  These networks are connected together via IPSec tunnels.  PrimeKey Enterprise PKI can help with this as well.

Typical Site-to-Site VPN Scenario

Whether using OpenVPN, Cisco AnyConnect, Microsoft Direct Access, Juniper's Pulse Secure VPN or another solution, utilizing PrimeKey Enterprise PKI can enhance VPN deployments in many ways.  In most cases, administrators can add security while making the user experience easier.  This reduces helpdesk calls and administration overhead.  Tighter control is also obtained when removing access for a single site or user through certificate revocation.  Certificates, unlike PSKs, are also tamper proof and cannot be altered.  These advantages make it clear that PrimeKey Enterprise PKI is the best solution for securing your VPN connections.

802.1x Authentication and Auto Enrollment with PrimeKey PKI

Securing wireless can be a challenging task.  Using pre-shared keys is no longer acceptable and in many cases a compliance violation.  Rather than have user’s login to a splash page, remember a username and password, or even have administrators manage MAC addresses; 802.1x certificate based authentication is a significant step towards effectively securing IT networks while making security easier for users.

When a user logs onto a wireless network, it is critical to make sure that the user or device is exactly what administrators expect it to be.  There are a few components required to make this work.  The first is what many people refer to as the supplicant.  This is another name for a client since it can sometimes refer to a piece of software that is installed on it to pass credentials to an authenticator.  This can come in many forms; from a Windows client, to a Mac, to an iPhone or Android device as well as printers, scanners, fax machines, etc.  These devices obtain a certificate through an enrollment process.  Generally, with Windows systems this is through Microsoft Auto Enrollment (MSAE).  EJBCA Enterprise and the PrimeKey Appliance fully support this Microsoft process.  With OS X systems, this is done through a Systems Manager such as JAMF Casper or Centrify Identity Service.  Mobile devices might use an Mobile Device Manager (MDM) solution such as AirWatch or MobileIron.  This ensures that the certificate chain is passed down to these clients, so they trust the internal PKI system as an authority and that it is a fully managed client within the organization.

Typical 802.1x Network Implementation

The second part of an 802.1x deployment is an "authenticator".  This is an Access Point (AP) in wireless deployments, or a switch in wired deployments.  The authenticator acts as the first line of defense, or a gate, to a protected network.  A supplicant cannot pass through the gate unless it has been authorized.  The authenticator is usually configured to hand off the authorization to an authentication server who knows who all the verified users are.

The third piece of a good 802.1x deployment is an authentication server such as a RADIUS server like Microsoft NPS or Juniper UAC.  This can be software solutions such as a Network Access Control (NAC) system, such as Cisco ISE or Aruba ClearPass, that can provide enhanced functionality such as posturing.  This server will validate the credentials are valid.  In the case of 802.1x this is a certificate.  The authentication server has the certificate chain installed on it so that it can match the issuing CA of the certificate to the CA that it is authenticating against.  It will then check for any certificate revocations for that certificate.  This is done via a CRL on a server or an OCSP responder (also known as a Validation Authority) and checks for the status of the certificate.  All of this is handled by the EAP protocol that passes this information securely.  If everything checks out the authentication server tells the authenticator to pass the user through the gate.  At this point the supplicant can access all the resources on the protected network.

Ensuring that users have a certificate on their devices generally means that device is a corporate managed device which keeps untrusted devices off sensitive corporate networks.  Certificate provisioning is usually a very tightly controlled process that requires authentication and membership to a controlled management system.

Whether using Meraki, Aruba, Cisco, Ruckus or another Wi-Fi solution, utilizing PrimeKey Enterprise PKI can enhance these deployments in many ways.  C2 Company can help you scope and implement your 802.1x deployment.  The PrimeKey Appliance is a packaged PKI-in-a-box that offers the easiest and most secure way to deploy and Enterprise Grade PKI system.  The PrimeKey Appliance takes the hassles out of an elaborate installation process and makes tasks like HA, backups and integration far easier than other solutions.

By delivering strongly on security, performance and simplified maintenance, PrimeKey Enterprise PKI empowers your security team to focus on aspects more directly beneficial to your business — the core certificate lifecycle, code and documents themselves.  Let us be your experts in 802.1x and certificate provisioning, so you can continue to grow your core business.

Improving Cisco ISE Deployments with PrimeKey PKI

Overview:

To detail the benefits of leveraging the combination of PrimeKey PKI (Public Key Infrastructure) and Cisco ISE (Identity Services Engine) to make network admission control (NAC) more robust.

Problems:

Organizations need an additional factor of authentication, instead of the standard username and password, without adding complexity and hardship to users. Issuing hardware tokens to all employees is a cumbersome and expensive task that requires significant overhead. The most common types of devices that are deployed into an organization are Windows clients and mobile devices. Employees bringing their personal devices, and authenticating them to the corporate WIFI via active directory, is an increasingly significant headache for corporations. As handheld devices become more prevalent, the problem is only going to get worse. Identifying and validating assets before they are allowed onto the network is a must have for administrators. The question is; what is the device that the user brought in, and is it safe? The answer is to securely identify the system or device and determine what access it should have on  the network.

Solution:

Cisco ISE is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The more information that Cisco ISE has, the easier it can make its determination based on the profile set by the organization.   

When used in conjunction with a system commonly referred to as a Certificate Authority (CA), security can be much more granular. PrimeKey PKI is an enterprise grade PKI system for certificate issuance and management. By keeping track of whom to trust, PrimeKey PKI protects your data, allowing you to provide safe digital communication when needed.

Cisco ISE relies on PKI to provide secure communication with both endpoints and administrators, as well as between Cisco ISE nodes in a multi-node deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and decryption of messages, and to verify the authenticity of other certificates representing users and devices.

Administrators can use certificates for machine-level authentication and embed data into the certificate to identify the asset type through an 802.1x authentication session. By combining PrimeKey PKI with Cisco ISE, administrators can also take this to a deeper level by profiling the device on the network with greater detail to determine items such as system patch level or virus definition version. This also delivers two-factor authentication along with device profiling for a comprehensive solution.

PrimeKey PKI and Cisco ISE together also provide an easy and elegant provisioning system for long-term employees, mid-term contractors, or short-term guest access. By using short-lived certificates for guests, or guest access through request portals, temporary access is easily granted or revoked through secure, employee self-service. Organizations, that have their own CA internally, can grant certificates on demand; generating as many as needed without additional cost. This provides much greater control over outbreaks and breaches, as well as providing an additional layer of security.

There are many ways to determine how and if a host can access a particular network. For example, Cisco ISE can communicate with the network switch the host is connected to and quarantine a device for remediation if it does not meet the proper policy. It can be a simple matter of forcing a user to accept a Network Usage Policy for compliance reasons before they are allowed access. Or, it can redirect it to a VLAN with only access to an update server for patching.

By leveraging PrimeKey PKI and Cisco ISE together, customers are getting the best of breed when it comes to PKI and NAC. Both of these solutions offer scalable, robust, security enhancing capabilities that can grow with your business. Additionally, adding an MDM solution would give organizations total control over devices, what is on them, and who is using them.

U

PrimeKey

Business

Cases

PRIMEKEY WORLDWIDE PKI

Zenefits

After evaluating multiple PKI solutions, Zenefits chose PrimeKey's PKI Appliance and utilized the services of PrimeKey's U.S. tier one partner, C2 Company, to deploy the system within a one-week period.

Adobe-PDF-Document-icon-thumbnail

QuoVadis

Utilizing PrimeKey's EJBCA Enterprise Edition, QuoVadis was able to provide a seamless transition for Trust/Link users while maintaining the highest security standards.

Adobe-PDF-Document-icon-thumbnail

SGS

PrimeKey's SignServer Enterprise provided SGS with a PDF signing solution that was robust, high speed and could integrate into their workflow.

Adobe-PDF-Document-icon-thumbnail

ITCARD

PrimeKey's PKI Appliance provides ITCARD with a complete feature set that operates a full service PKI with high-availability.

Adobe-PDF-Document-icon-thumbnail