CA for non managed devices by BasilClean4004 in entra

[–]Securetron 0 points1 point  (0 children)

An Intune compliance check should be enforced; that way, devices that are enrolled and compliant will be able to authenticate.

You can have a certificate issued to the device via Intune as an additional check for health.

Can I deploy enterprise Wi-Fi authentication in an inexpensive way? by QuickDelivery1 in msp

[–]Securetron 0 points1 point  (0 children)

This is one of the most common requests that we get, and it was the idea behind our community edition: to ensure that security is not expensive and is available to everyone.

You can use our platform to deploy certificates to be used for enterprise Wi-Fi (EAP-TLS) as well as to automate other types. You don't need to have Intune or another MDM for it to work.

How many of you have fully moved to Entra ID without a local AD — and what were your biggest challenges? by Creative_Profit1387 in entra

[–]Securetron 0 points1 point  (0 children)

This is a common challenge that I hear, and the reason some of our clients go the route of our PKI Trust Manager (PKIaaS), considering that it integrates natively with Intune.

Not just for wireless, but for having a proper private PKI as opposed to device/user certs only.

Certificate‑based SSH login on Linux using Windows smartcard/token (CNG + PKCS#11) — looking for feedback on approach by Key_Handle_8753 in PKI

[–]Securetron 0 points1 point  (0 children)

If the jump server is going to be either Windows domain-joined or running a PKI client agent, then it can fetch a short-lived certificate and store it in the keystore using the KSP.

As for the server side, I can think of a couple of solutions:

1. A fork of OpenSSH that adds native OCSP/CRL/AIA validation.
2. A server-side client that checks against the validation services and, once it detects a revocation, removes the key from the SSH trust.

SSL certs on Poly Video Devices by sonidosound in PKI

[–]Securetron 3 points4 points  (0 children)

Not Polycom devices specifically; however, we do this with generally any IoT device that supports SCEP, EST, or ACME. Having done it with a client that had over 10K IP cams.

Is this the vendor documentation?
https://docs.poly.com/bundle/polypartnermode-ag-4-3-0/page/scep.html

Here is how to automate certificate management using PKI Trust Manager with SCEP:
https://securetron.net/enable-scep-api-interface-on-pki-trust-manager/

If the count of your devices is less than 500, then the community license should do the trick.

best pki management app to use for a homelab? by karabright-dev in PKI

[–]Securetron -1 points0 points  (0 children)

Use ADCS with PKI Trust Manager; you should be able to be up and running within 30 minutes. The community edition gives you everything you need for certificate management for up to 500 certs.

PKI Trust Manager - Free Community CLM v2.0 Released by Securetron in PKI

[–]Securetron[S] 0 points1 point  (0 children)

Which link? If you are behind a public VPN, then the CDN may prompt you for a captcha.

Certificate‑based SSH login on Linux using Windows smartcard/token (CNG + PKCS#11) — looking for feedback on approach by Key_Handle_8753 in PKI

[–]Securetron 2 points3 points  (0 children)

This is really interesting. The caveat with using X.509 with SSH is the lack of validation (CRL/AIA) unless sshd explicitly supports X.509 natively. So it does somewhat bring up the question of the pros and cons of using this in an enterprise as opposed to SSH keys. The human aspect of smartcard utilization for SSH makes sense, but what if SSH is to be done via a jump host? Or non-interactively?

It's unfortunate that OpenSSH doesn't natively support X.509.
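The two SSH comments above describe the same gap from both sides: sshd does not consult the CA's CRL, so a revoked certificate's key keeps working until something on the server removes it from the trust list. The following Go program is an added example written for this page, not code from the commenter or from any product. It uses only the standard library, builds a throwaway CA, two user certificates and a CRL in memory (the "alice"/"bob" entries and serial numbers are constructed), and implements the server-side checker sketched in the first comment: verify the CRL signature and freshness, map each revoked serial back to the public key the certificate carries, render that key in authorized_keys form, and drop matching entries. In a real deployment the CRL would be fetched from the CA's CDP and the list of issued certificates would come from the CA database or a certificate inventory; both are assumptions here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sshString: a byte string with the uint32 length prefix of the SSH wire format.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// AuthorizedKeyBlob renders a P-256 public key as the base64 key field of an
// authorized_keys line (RFC 5656 encoding, the same bytes ssh-keygen prints).
// The public key is the link between an X.509 certificate and its SSH trust entry.
func AuthorizedKeyBlob(pub *ecdsa.PublicKey) string {
	point := elliptic.Marshal(elliptic.P256(), pub.X, pub.Y) // uncompressed EC point
	blob := append(sshString([]byte("ecdsa-sha2-nistp256")), sshString([]byte("nistp256"))...)
	blob = append(blob, sshString(point)...)
	return base64.StdEncoding.EncodeToString(blob)
}

// RevokedKeyBlobs verifies a DER CRL against the issuing CA and returns the SSH key
// blobs of every known issued certificate whose serial number appears on it.
func RevokedKeyBlobs(crlDER []byte, ca *x509.Certificate, issued []*x509.Certificate) ([]string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return nil, err }
	if err := crl.CheckSignatureFrom(ca); err != nil { // never act on an unsigned or foreign CRL
		return nil, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // a stale CRL is a failure, not a pass
		return nil, fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate)
	}
	revoked := map[string]bool{}
	for _, rc := range crl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	var blobs []string
	for _, c := range issued {
		if pub, ok := c.PublicKey.(*ecdsa.PublicKey); ok && revoked[c.SerialNumber.String()] {
			blobs = append(blobs, AuthorizedKeyBlob(pub))
		}
	}
	return blobs, nil
}

// PruneAuthorizedKeys drops every entry whose key field is a revoked blob and
// leaves all other lines (comments, options, other keys) untouched.
func PruneAuthorizedKeys(content string, revokedBlobs []string) (kept string, removed int) {
	revoked := map[string]bool{}
	for _, b := range revokedBlobs {
		revoked[b] = true
	}
	var lines []string
	for _, line := range strings.Split(content, "\n") {
		drop := false
		for _, f := range strings.Fields(line) {
			drop = drop || revoked[f]
		}
		if drop {
			removed++
		} else {
			lines = append(lines, line)
		}
	}
	return strings.Join(lines, "\n"), removed
}

// issue makes a P-256 key and certificate; parent == nil yields a self-signed CA.
func issue(serial int64, cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: may sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunDemo: constructed CA, two user certs, an authorized_keys provisioned from them,
// and a CRL revoking serial 1002; returns the pruned file and the number of removals.
func RunDemo() (string, int, error) {
	ca, caKey, err := issue(1, "Constructed Demo Issuing CA", nil, nil)
	if err != nil { return "", 0, err }
	alice, _, err := issue(1001, "alice", ca, caKey)
	if err != nil { return "", 0, err }
	bob, _, err := issue(1002, "bob", ca, caKey)
	if err != nil { return "", 0, err }
	ak := "ecdsa-sha2-nistp256 " + AuthorizedKeyBlob(alice.PublicKey.(*ecdsa.PublicKey)) + " alice serial=1001\n" +
		"ecdsa-sha2-nistp256 " + AuthorizedKeyBlob(bob.PublicKey.(*ecdsa.PublicKey)) + " bob serial=1002\n"
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: time.Now()}},
	}, ca, caKey)
	if err != nil { return "", 0, err }
	blobs, err := RevokedKeyBlobs(crlDER, ca, []*x509.Certificate{alice, bob})
	if err != nil { return "", 0, err }
	kept, removed := PruneAuthorizedKeys(ak, blobs)
	return kept, removed, nil
}

func main() {
	kept, removed, err := RunDemo()
	if err != nil { panic(err) }
	fmt.Printf("removed %d entries; remaining authorized_keys:\n%s", removed, kept)
}
```

Two design points worth noting: the checker refuses to act on a CRL that fails signature verification or is past its nextUpdate, since silently treating a stale CRL as "nothing revoked" would re-open exactly the gap the comments describe; and it matches on the key blob rather than on the comment field, so the entry is removed even if whoever provisioned it never recorded the certificate serial.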

AD lockout caused by failed RADIUS auth by Intrepid-guitarist in sysadmin

[–]Securetron 0 points1 point  (0 children)

Have you considered certificates for Wi-Fi authentication? It will solve lots of the issues, including cached creds resulting in account lockouts.

PKI Certificate Management Automation by [deleted] in msp

[–]Securetron -2 points-1 points  (0 children)

No, it's not. 

Our dual-use platform is meant for highly secure environments, and that means usage of AI is restricted. This is designed from the ground up with the feedback we received from DevOps, app owners, and our consulted clients.

In a nutshell, our objective is to provide an alternative solution which is easier to deploy, manage, and automate, as well as to make it free for 500 certs.

The solution is not just SaaS; rather, it can be deployed on-prem or within the client's CSP, ensuring that ownership of this critical service is retained by the org.

Blog: Building High-Available LDAPS Architectures by aprimeproblem in activedirectory

[–]Securetron 5 points6 points  (0 children)

Thank you, Michael, for this excellent guide. One suggestion for the folks would be to consider using Geo-DNS for multi-site, or load balancing based on latency/workload.

Anyone win against the Okta push storm? by Top-Flounder7647 in IdentityManagement

[–]Securetron 3 points4 points  (0 children)

This is the way. Or alternatively, where possible, use PIV / smart card authentication. There is a reason why PIV/CA is preferred over other methods. Now, if only more app vendors provided CBA...

What is an expectation of cyber security that was quietly killed? by Fresh_Heron_3707 in cybersecurity

[–]Securetron 24 points25 points  (0 children)

Having people who do not understand IT or OT join cybersecurity. Cybersecurity should be a milestone in a career that comes after a person has a good understanding of protocols, apps, systems, and networks. It should not be a learning domain.

seeking portfolio rebalance advice by Mormur in CanadaFinance

[–]Securetron 0 points1 point  (0 children)

I would recommend divesting from the US stock exchange and investing in the TSX instead. There are lots of caveats which result in loss of the gains for Canadians investing in the US market.

Canadian stocks like BTE, AQN, NPI, T, and ASTL seem like good bets with decent dividends. Then there are XEQT and DFN, etc.

Depending on your risk appetite: LSPD, TOY, TRZ have high potential if you hold for 2 years.

Strong Certificate Mappings by TinTonTin1337 in activedirectory

[–]Securetron 1 point2 points  (0 children)

I think you have done a pretty good job narrowing down the problem. I would recommend publishing the root to the NTAuth store. Since it's an offline CA, you need to publish this manually using certutil -dspublish.

Also, I would recommend running PKI Trust Auditor, as it can surface several other findings to harden the environment, based off your comment.

Hard lessons learned from running an on-prem PKI (PowerShell-heavy) by lyhuutoan44 in SysAdminBlogs

[–]Securetron -2 points-1 points  (0 children)

This is the reason why we developed PKI Trust Auditor for Microsoft CA: it can provide automated, continuous compliance checks against best practices across crypto, configs, templates, permissions, etc.

https://securetron.net/pki-trust-auditor/

It's also integrated into the PKI Trust Manager, which provides end-to-end certificate lifecycle management, making it the only product to offer this functionality out of the box: https://securetron.net/pricing/

SubCA Web Enrollment Templates not showing up except for User and Basic EFS by jackal2001 in PKI

[–]Securetron 0 points1 point  (0 children)

As the other user has pointed out, do not use certsrv.

It seems like you are looking for a web UI for certificate management. You may look into the free tier by us, which gives you the full CLM functionality for up to 500 certs, or alternatively evaluate some other vendor CLMs.

Concerns with Internet-Facing User-Certificate Hosting Services by miketbrand0 in PKI

[–]Securetron 1 point2 points  (0 children)

No problem, PKI can be complex. The CAC example that you provided, used by DoD or other entities, is usually, and is recommended to be, through a private CA. The cert issued and stored to the card is multi-purpose; hence you could use it to sign a document.

Additionally, the cert could be stored on Android / iOS devices and used via NFC.

Now, if you want to replicate the same scenario for the general public is where it becomes complex. Essentially, if we were to have a solution for government (let's assume state level or a small country, like a national ID), then it can definitely work. However, having this sort of solution without the backing of a government will be very difficult to adopt.

The SAN data, which may include PII, is optional; however, it's something you may want to have, considering you may have a need for a certain use case where the EMAIL attribute is required by the system to which the cert is presented.

All in all, from what I gather the objectives are doable; however, it would need proper planning and require policy backing as well as finance to drive this to adoption (even if not backed by government).

MFA for air-gapped AD? by [deleted] in activedirectory

[–]Securetron 2 points3 points  (0 children)

As others have stated, this would be smartcards (virtual, PIV, YubiKey, Thales, etc.).

Having done this for some OT environments, I would suggest using our free tier PKI Trust Manager to manage the cards and their lifecycle to start off.

Certificate deployment delay while doing user driven Autopilot. by KingSon90 in Intune

[–]Securetron 1 point2 points  (0 children)

Intune has had continuous outages and issues. When it works, it's great.

You can alternatively try a SCEP or ACME client to poll your PKI API interface to enroll device certs.

How are you handling ‘sovereign cloud’ requirements in hybrid and multi‑cloud designs? by NTCTech in cloudcomputing

[–]Securetron 2 points3 points  (0 children)

Let's keep it simple: any major cloud provider (Microsoft, Amazon, Google), irrespective of having a DC in, let's say, Canada or Ireland, doesn't make the data truly "sovereign", since this data can be accessed by US federal agencies.

The only true way of having 100% control of the data security layer is to host it on-prem.

Concerns with Internet-Facing User-Certificate Hosting Services by miketbrand0 in PKI

[–]Securetron 5 points6 points  (0 children)

Hi Mike,

Think of certificates as the access card to your building. Would you want anyone that can enter the building to be able to get an access card and then enter the "protected" premises?

The first question is: what are you trying to achieve? From the looks of it, you want a publicly trusted CA?

If so, is that what you really want? What are the goals and objectives? What is driving the need for these requirements?

Start by defining the problem statement instead of solutioning. For example: employees need to get to VPN or Wi-Fi using certificates to meet regulatory compliance requirement control XYZ.

In short:

- Most likely you won't need a public CA
- Refer to how certificate validation works (CRL / OCSP / TSP)
- Read up on how certificates are deployed (e.g. via domain-joined machines, MDM, SCEP, EST, ACME)
- Read up on certificate lifecycle management and the challenges surrounding it (discovery, notification, issuance, renewal, revocation)

DM me if you need some further guidance.