Certificate Management: To Client or Not to Client

I thought about titling this blog, “Are Clients Dead?”, but that’s an absolutist question meant to provoke, and I’m getting exhausted with security absolutism these days. Never mind clients: nuance is certainly not dead. With that in mind, I’d like to take you through some of the questions you might ask yourself as you determine whether to deploy clients to help automate certificate management.

Recall that a client is a piece of software that you deploy on various endpoints in your infrastructure so that you can help manage and control how the endpoints interact with a particular process or technology. In the case of PKI, and certificate management in particular, you might deploy clients to automate certificate issuance and renewal. The client can submit the certificate request and install the returned certificate on the endpoint, with little or no interaction from the end user. This helps ensure ease of use and uniformity in the process.

Clients used to be the best, and often the only, way to enable smooth interaction with the endpoint, but they had downsides too. First of all, you needed a client for every operating system in the infrastructure. If you had a fairly homogeneous set of endpoints (all running Windows, for example), your vendor probably had a client that could run on all of them. But what if, as is often the case, you’re running a mixed environment, with Windows, macOS, and a few flavors of Linux? Your vendor might provide out-of-the-box clients for some OSes, offer toolkits to make your own clients for other OSes (or offer to build you a specialized client for a price), and perhaps not support some OSes at all, requiring you to manually manage certificates for those endpoints. The other challenge was managing the clients themselves. While certificate management clients helped streamline and automate the certificate management process, clients themselves need to be managed too: each one is privileged software that holds credentials for the CA and can install trust material on the endpoint. Managing versions and deploying updates (including security fixes for the client itself) are tasks that every IT administrator is familiar with, and while that process has gotten easier over the years, it’s still time consuming and tedious, especially in large, diverse enterprise environments.

Customer challenges with client management have led the PKI industry to move towards developing client-less solutions built on industry-standard protocols. SCEP (RFC 8894), EST (RFC 7030) and CMPv2 (RFC 4210) are all protocols that have been developed to help automate certificate enrollment and lifecycle management. With SCEP, for example, an organization will typically host a SCEP server on their network (Entrust Datacard deploys their own SCEP server on the customer’s network), and endpoints that “speak SCEP” can send certificate requests to that server. The protocols differ in how the requester is authenticated: SCEP typically relies on a challenge password carried in the request, while EST runs over TLS and can authenticate the endpoint with HTTP Basic credentials or an existing client certificate, so the choice affects how you bootstrap trust on a new device, not just which endpoints can enroll. In addition to support for the protocols above, Entrust Datacard enables client-less automated enrollment through the Windows Native Enrollment Server (WNES) and Entrust Web Service APIs, and provides email notification of certificate expiry to certificate holders through the Certificate Expiry Service. All of these client-less options provide our customers with the convenience of automated certificate enrollment, without the overhead of managing thousands (or more) of clients.
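To make “client-less” concrete, the following is an added example (not Entrust Datacard code and not part of the original post) of the EST simple-enrollment exchange from RFC 7030 section 4.2.1, written in Go using only the standard library: the endpoint generates a key and a PKCS#10 request, POSTs it base64-encoded to `/.well-known/est/simpleenroll` with `Content-Type: application/pkcs10`, and the server side decodes the request and verifies its self-signature before it would ever issue anything. The host name `host01.example.test` and the `stubESTServer` are constructed for the example; a real EST server runs over HTTPS, authenticates the requester, and answers with a base64 PKCS#7 certs-only body (`application/pkcs7-mime`), which the stub replaces with a one-line acknowledgement because the standard library has no PKCS#7 encoder.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// makeCSR is the endpoint side of a client-less enrollment: a fresh P-256 key
// that never leaves the machine, and a PKCS#10 request for it. The CSR is
// self-signed with that key, which is how the CA gets proof of possession.
func makeCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: []string{commonName},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// estSimpleEnrollRequest wraps the DER CSR as RFC 7030 section 4.2.1 specifies:
// POST /.well-known/est/simpleenroll, Content-Type application/pkcs10, body
// base64-encoded. In production baseURL is https:// and the server authenticates
// the requester (HTTP Basic or a TLS client certificate) before issuing.
func estSimpleEnrollRequest(baseURL string, csrDER []byte) (*http.Request, error) {
	body := base64.StdEncoding.EncodeToString(csrDER)
	req, err := http.NewRequest(http.MethodPost, baseURL+"/.well-known/est/simpleenroll", bytes.NewBufferString(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/pkcs10")
	req.Header.Set("Content-Transfer-Encoding", "base64")
	return req, nil
}

// parseSimpleEnrollBody is the first thing the EST server must do with an
// enrollment: decode the PKCS#10 and verify its self-signature, so it never
// issues a certificate for a public key the requester does not control.
func parseSimpleEnrollBody(contentType string, body []byte) (*x509.CertificateRequest, error) {
	if contentType != "application/pkcs10" {
		return nil, fmt.Errorf("unexpected Content-Type %q", contentType)
	}
	der, err := base64.StdEncoding.DecodeString(string(body))
	if err != nil {
		return nil, fmt.Errorf("body is not base64: %w", err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("body is not a PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// stubESTServer is a constructed stand-in for the CA-side EST server. It
// validates the request like a real one but only echoes the accepted CN
// instead of returning a signed certificate in a PKCS#7 certs-only body.
func stubESTServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/.well-known/est/simpleenroll" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		body, _ := io.ReadAll(r.Body)
		csr, err := parseSimpleEnrollBody(r.Header.Get("Content-Type"), body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "accepted CSR for %s", csr.Subject.CommonName)
	}))
}

func main() {
	srv := stubESTServer()
	defer srv.Close()
	_, csrDER, err := makeCSR("host01.example.test") // constructed host name
	if err != nil {
		panic(err)
	}
	req, _ := estSimpleEnrollRequest(srv.URL, csrDER)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	out, _ := io.ReadAll(resp.Body)
	fmt.Println(resp.StatusCode, string(out))
}
```

The point of the exchange is that nothing vendor-specific runs on the endpoint: any device that can build a PKCS#10 and make an HTTPS POST can enroll, which is exactly the population the client-less approach covers. Devices that cannot do even that are the ones the rest of this post is about.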

So, have client-less certificate management options completely overtaken clients? Mostly, but not entirely. Client-less deployments are common for mobile device use cases, where MDMs often leverage a protocol like SCEP or EST. Many “classic” desktop and server use cases have also migrated to client-less deployments. However, there are still devices, operating systems and applications that do not speak any of the client-less protocols; in those cases, a client-based approach may be the only option if you want to automate enrollment and renewal.

It’s likely that you are using PKI for many different use cases in your environment. For most of them, you will be able to use a client-less approach, but there may be a few outliers. As you are planning out your PKI deployment, it’s safe for you to assume that most of your endpoints can rely on client-less architectures, but work closely with your PKI architect to identify those few that would still benefit from clients.

For a deeper discussion of certificate management and automation, be sure to check out our new whitepaper: Certificate Management: Policy, Automation and Entrust Datacard Value.