Types of certificates

In this topic, you will learn about the different types of certificates that are used by Portnox™ Cloud to secure communications.

Digital certificates are used to make sure that a system on the network is genuine and trustworthy. In Portnox Cloud, two separate certificates and certificate chains serve two distinct purposes, as described in the sections below.

The root CA certificate

In this section, we explain the function of the root CA certificate.

Root CA (Certificate Authority) certificates are at the top of the hierarchical structure of digital certificates used in the public key infrastructure (PKI). A root CA is a highly trusted entity that issues digital certificates to intermediate CAs or directly to end entities such as Portnox Cloud. These certificates are then used to verify the authenticity of the entities they certify.

Root CA certificates are pre-installed and trusted by default in web browsers, operating systems, and other applications, and any certificate issued by them is automatically trusted by those systems. However, older systems may not have all the root CA certificates, such as the DigiCert Trusted Root G4 used by Portnox Cloud. That is why Cloud provides you with this CA certificate to download and install on such systems.

If your system is old and does not have the DigiCert Trusted Root G4 CA certificate installed, it cannot verify the identity of the cloud RADIUS server. This generates warnings and, on some systems, can even prevent you from using Portnox Cloud.

You can download the DigiCert Trusted Root G4 certificate here: Settings > Services > CLEAR RADIUS SERVICE > Europe and Asia or United States and North America > Download root certificate, or directly from our documentation server.

The cloud RADIUS certificate

In this section, we explain the function of the cloud RADIUS certificate.

The cloud RADIUS certificate is signed using the root CA certificate. Portnox has purchased this certificate from DigiCert to guarantee the authenticity of its RADIUS server, which uses the domain name clear-rad.portnox.com.

If you can update your 802.1X configuration profiles to verify only the name that the certificate was issued to, which is clear-rad.portnox.com, then you may not need to download the RADIUS certificate, but it depends on the operating system and version.

If you need to add the RADIUS server certificate to your 802.1X configuration profiles, you can download it directly from our documentation server.

The SCEP server’s intermediate certificate

In this section, we explain the function of the SCEP server’s intermediate certificate.

You can use the Portnox Cloud SCEP (Simple Certificate Enrollment Protocol) server to request certificates for your devices. The SCEP protocol works through HTTP/HTTPS requests and is mainly used by UEM (Unified Endpoint Management) and MDM (Mobile Device Management) solutions.

Most device operating systems, such as Windows, macOS, and iOS, by default use SCEP via HTTP requests. However, some device operating systems such as Android require SCEP via HTTPS requests. To make such requests, the devices must have the SCEP server’s intermediate certificate to validate the SCEP server’s identity.

The Portnox Cloud SCEP server’s intermediate certificate is the Thawte TLS RSA CA G1 certificate. In many cases, the operating system of the device already has this standard certificate installed, and you don’t need to upload it to the device. However, it is safer to distribute the certificate using your UEM/MDM solution to make sure that every device can connect using SCEP via HTTPS.

If you need to add the SCEP server’s intermediate certificate to your UEM/MDM software configuration profiles, you can download it directly from our documentation server. Alternatively, you can download it from the DigiCert website.

The tenant CA certificate

In this section, we explain the function of the tenant CA certificate.

The tenant CA certificate is a root certificate, which means that it has no chain of signatures. It is completely independent of the root CA certificate. The tenant CA certificate is a self-signed certificate for the tenant-specific CA that is used by Portnox Cloud to authenticate your users and devices, and you should not use it for any other purpose.

If your organization has its own certificate authority and you want to use this CA to generate user and device certificates, you can replace the default tenant CA certificate generated by Portnox Cloud with your own CA certificate. Then, you will need to use your own CA to generate device/user certificates, and Cloud will use the uploaded tenant CA certificate to confirm that they are genuine and use them to verify users/devices.

You can download the tenant CA certificate or upload your own CA certificate here: Settings > Services > CLEAR GENERAL SETTINGS > TRUSTED ROOT CERTIFICATES.

The user/device certificates

In this section, we explain the function of the user and device certificates.

The user/device certificates are signed by the tenant CA, so they have the tenant CA certificate as the root of their signature chain. This can be either the default tenant CA provided by Portnox Cloud or your own CA.

  • If you use the default tenant CA provided by Portnox Cloud, you can have Cloud generate all user and device certificates for you. This is possible because Cloud then has access to the tenant CA’s private key, which is needed to sign other certificates. You can, for example, ask your users to use the self-service onboarding portal to generate and download these certificates for their devices.

  • If you use your own CA that you uploaded to Portnox Cloud, then Cloud cannot generate user/device certificates because it does not have the private key. Only you have the private key because it is your certificate authority. You have to generate all user/device certificates yourself and distribute them to your users’ devices, for example, using unified endpoint management (UEM) solutions such as Intune.

Certificate formats

In this section, we explain the common certificate formats used in Portnox Cloud and during onboarding.

All of the certificates mentioned above can be saved in various formats. In some cases, such as with endpoint management systems, you might need to convert your certificate to a different format. The three most common formats used in Portnox Cloud and onboarded devices are:

  • Base-64 encoded X.509 / Privacy-Enhanced Mail (PEM): This is the most common format for X.509 certificates: a Base-64 encoded text file. To check if your certificate is in this format, you can simply open it in a text editor. If you see the BEGIN CERTIFICATE header, the certificate is in the PEM format. This format is sometimes called Privacy-Enhanced Mail because it was originally developed to secure email communications.

    Note that despite the name of the format, PEM certificates are very often stored with the .crt or .cer extension, which are also used by the DER format described below, instead of the .pem extension. Some systems will even reject PEM certificates with the .pem extension. Therefore, you should not use the extension to determine the format of the file.

  • X.509 DER encoded binary: This is the binary format of X.509 certificates that is also commonly used. The certificate is stored in the DER (Distinguished Encoding Rules) format, which is part of the X.690 standard.

    Note that despite the name of the format, DER certificates are very often stored with the .cer or .crt extension, which is also used by the PEM format described above, instead of the .der extension. Some systems will even reject DER certificates with the .der extension. Therefore, you should not use the extension to determine the format of the file.

    The rootCertificate.cer file available in Portnox Cloud for the root CA certificate is in the X.509 DER encoded binary format.

  • PKCS #12: This is an archive file format for storing many cryptography objects in a single file. It is often used to combine the X.509 certificate with its corresponding private key, or to bundle all the members of the chain of trust. Many systems do not accept this format and you may need to convert the certificate to one of the two previously mentioned formats. Systems that accept the PKCS #12 format often do not accept private keys with empty passwords.

    The most common extension for PKCS #12 files is .pfx but the extension .p12 is also used.

    The file available in Portnox Cloud for the tenant CA certificate is in the PKCS #12 format bundled with the corresponding private key, which has an empty password.
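The list above makes the point that the file extension tells you nothing reliable about the format. The following is an added example, not part of the Portnox documentation or product, showing how to classify a certificate file by its content instead (PEM header, or the outer DER SEQUENCE and its first inner tag) and how to convert between PEM and DER with only the Python standard library. The two byte strings FAKE_CERT_DER and FAKE_PFX_DER are constructed structural stand-ins that mimic the outer shape of an X.509 certificate and of a PKCS #12 PFX; they are not real certificates. The PKCS12-versus-DER distinction is a heuristic based on the first element of the outer SEQUENCE (a SEQUENCE for an X.509 Certificate, an INTEGER version for a PFX) and is an assumption of this example rather than anything Portnox Cloud does.

```python
import base64
import re

# One PEM block; the label (e.g. CERTIFICATE) is captured so that the END line
# must carry the same label as the BEGIN line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Constructed stand-ins, NOT real certificates:
#   SEQUENCE { SEQUENCE { INTEGER 1 } }  -> outer shape of an X.509 Certificate
#   SEQUENCE { INTEGER 3 }               -> outer shape of a PKCS #12 PFX (version v3)
FAKE_CERT_DER = bytes.fromhex("30053003020101")
FAKE_PFX_DER = bytes.fromhex("3003020103")


def _der_length(buf: bytes, pos: int):
    """Decode the DER length field at buf[pos]; return (length, bytes consumed)."""
    first = buf[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, 1
    count = first & 0x7F                   # long form: number of following length bytes
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[pos + 1 : pos + 1 + count], "big"), 1 + count


def sniff_format(data: bytes) -> str:
    """Classify file content as PEM, DER (X.509), PKCS12, truncated or unknown.

    The extension is deliberately ignored; only the bytes decide.
    """
    if PEM_BLOCK.search(data):
        return "PEM"
    # Both a DER certificate and a PKCS #12 file start with a SEQUENCE tag (0x30).
    if len(data) < 2 or data[0] != 0x30:
        return "unknown"
    try:
        length, used = _der_length(data, 1)
    except ValueError:
        return "unknown"
    total = 1 + used + length              # tag + length field + content
    if total > len(data):
        return "truncated"                 # file ends before the outer SEQUENCE does
    if total != len(data) or length == 0:
        return "unknown"                   # trailing garbage or empty structure
    inner_tag = data[1 + used]
    if inner_tag == 0x30:
        return "DER"                       # SEQUENCE { SEQUENCE tbsCertificate, ... }
    if inner_tag == 0x02:
        return "PKCS12"                    # SEQUENCE { INTEGER version, ... } (heuristic)
    return "unknown"


def pem_to_der(pem: bytes) -> list:
    """Extract every CERTIFICATE block from PEM text as raw DER bytes (chain order kept)."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem):
        if label == b"CERTIFICATE":
            certs.append(base64.b64decode(re.sub(rb"\s+", b"", body)))
    return certs


def der_to_pem(der: bytes) -> bytes:
    """Wrap one DER certificate as a PEM block with 64-column Base-64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def normalize_to_pem(data: bytes) -> bytes:
    """Return PEM whether the input was PEM or DER; refuse anything else."""
    kind = sniff_format(data)
    if kind == "PEM":
        return data
    if kind == "DER":
        return der_to_pem(data)
    raise ValueError(f"cannot convert {kind} input to PEM with this tool")


if __name__ == "__main__":
    samples = {
        "cert-like.cer": FAKE_CERT_DER,            # DER despite the .cer name
        "bundle.crt": FAKE_PFX_DER,                # PKCS #12 despite the .crt name
        "root.cer": der_to_pem(FAKE_CERT_DER),     # PEM despite the .cer name
        "cut.cer": FAKE_CERT_DER[:-1],             # truncated download
    }
    for name, blob in samples.items():
        print(f"{name}: {sniff_format(blob)}")
```

sniff_format reports "truncated" when the outer SEQUENCE length claims more bytes than the file holds, which is the usual symptom of an incomplete download or a copy-paste that lost the last line. PKCS #12 archives are only recognised here, not unpacked: extracting the certificate (or re-wrapping the bundle with a non-empty password, which the text above notes some systems require) needs a full toolkit such as OpenSSL's pkcs12 subcommand.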