Client or user certificates can be like bad wine: A headache!

04 Nov ‘24

Implementing client or user certificates within a Public Key Infrastructure (PKI) system provides robust security benefits but comes with significant challenges, especially at scale. Many PKI specialists encounter hurdles in deployment, management, and user engagement. In this article, we’ll explore the challenges associated with client certificate implementation, with a focus on issues related to issuance and distribution, expiration and renewal, revocation, scalability and interoperability, security, complexity, costs, and user experience. Real-world examples will illustrate each challenge to provide practical insights into PKI management.

Issuance and Distribution

Issuing and distributing client certificates is essential but often proves challenging due to the need for secure authentication, integration with identity management systems, and efficient distribution methods. Issuance typically involves generating a key pair, creating a certificate signing request (CSR), and signing it through a Certificate Authority (CA). For instance, consider a financial institution that issues certificates to employees for accessing secure applications. Before issuing, the institution needs a way to verify each employee’s identity—often done through integration with an Identity and Access Management (IAM) system like Active Directory.

Secure distribution can be particularly challenging. Some organizations use hardware tokens or smart cards for added security, but these require physical distribution, introducing logistical and time-related costs. On the other hand, software-based distribution methods, while faster, demand secure key storage on devices. For example, a healthcare provider distributing client certificates to clinicians might use a software-based tool to install certificates on each clinician’s device, but ensuring the private key is securely stored in the device’s Trusted Platform Module (TPM) can be a struggle on older or non-compliant devices.

A streamlined distribution process is critical but difficult to achieve. Organizations must also create processes for recovery in case of lost or compromised certificates, further adding to the distribution complexity.

Expiration and Renewal

Managing certificate expiration and renewal is vital to prevent disruptions in service and security risks. Unlike passwords, certificates often operate in the background, making it easy for users to forget about them until they expire. An unexpected expiration can disrupt workflows, as seen in a large retail organization where certificates expired simultaneously for multiple point-of-sale (POS) systems, leading to a temporary but costly outage.

Automation helps mitigate these issues, but it’s complex to implement, especially if different systems don’t support automated renewal protocols. For instance, using the Automated Certificate Management Environment (ACME) protocol has streamlined renewal for server certificates but remains challenging for user certificates requiring identity verification. A government agency with employees using certificates on mobile devices might find it challenging to automate renewals on older or cross-platform devices, as mobile operating systems vary in their support for PKI standards.

Organizations face the added burden of reminding users of impending expiration dates, often requiring custom notifications. Financial institutions, for example, might send reminders through secure email systems, integrating notifications into their work management platforms to reduce the risk of missed renewals.

Revocation

Revocation is critical for mitigating risks if a certificate is compromised or no longer needed, but managing it at scale presents multiple challenges. Revocation involves publishing a Certificate Revocation List (CRL) or using the Online Certificate Status Protocol (OCSP). The challenge grows with CRL size; if too many certificates are revoked, CRLs become large, consuming network resources and slowing down the process. A telecommunications company implementing client certificates across field devices, for example, might experience delays in distributing updated CRLs, leaving field technicians unable to authenticate their devices in real time.

OCSP provides a more scalable solution by allowing clients to check revocation status in real time, yet it requires additional infrastructure to maintain OCSP responders. A healthcare provider with hundreds of mobile devices would face challenges ensuring that each device checks the revocation status, especially if they’re intermittently offline. To mitigate the impact, some organizations implement OCSP stapling, allowing servers to cache and periodically update OCSP responses, yet this too adds complexity to server configurations and troubleshooting.

Ensuring end-users understand the revocation process is equally challenging. For example, in a manufacturing firm, users might resist revocation procedures if they feel their certificate should still be valid, especially if the revocation disrupts access to essential applications.
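The three lifecycle steps described in the Issuance and Distribution, Expiration and Renewal, and Revocation sections above, carried through as one runnable Go program. This is an added example, not KeyTalk's code or any CA product's API: it uses only Go's standard crypto/x509 package (Go 1.21 or later, for the CRL entry type), an in-memory CA with a constructed name standing in for the institution's CA, a constructed user name, and a `verifiedUser` parameter standing in for whatever the IAM system confirmed about the requester. Private keys live in process memory here; on a real device they would be generated in the TPM or smart card the article mentions, and only the CSR would leave it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// must aborts on setup failures (key generation, DER encoding) that carry no policy meaning.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA builds a self-signed issuing CA entitled to sign certificates and CRLs (constructed, in-memory).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// NewClientCSR runs on the user's device: the key pair stays there and only the CSR leaves it.
func NewClientCSR(user string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return key, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}, key))
}

// IssueClientCert is the CA side: verifiedUser is what the IAM check confirmed, and the CSR's own subject must match it.
func IssueClientCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, verifiedUser string, lifetime time.Duration, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != verifiedUser {
		return nil, fmt.Errorf("csr subject %q does not match verified identity %q", csr.Subject.CommonName, verifiedUser)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: verifiedUser},
		NotBefore:    time.Now().Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client authentication only
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), nil
}

// NeedsRenewal is the trigger an automated renewal job acts on: under a third of the lifetime left at time at.
func NeedsRenewal(cert *x509.Certificate, at time.Time) bool {
	return cert.NotAfter.Sub(at) < cert.NotAfter.Sub(cert.NotBefore)/3
}

// IssueCRL publishes a CA-signed CRL listing the revoked certificates, valid for one day (needs Go 1.21+).
func IssueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, at time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	var entries []x509.RevocationListEntry
	for _, c := range revoked {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: at, ReasonCode: 1}) // 1 = keyCompromise
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(at.Unix()), ThisUpdate: at, NextUpdate: at.Add(24 * time.Hour), RevokedCertificateEntries: entries}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))))
}

// IsRevoked trusts the CRL only after checking its signature and that it is not stale.
func IsRevoked(crl *x509.RevocationList, caCert, cert *x509.Certificate, at time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return false, err
	}
	if at.After(crl.NextUpdate) {
		return false, fmt.Errorf("crl stale since %s: refusing to decide on old data", crl.NextUpdate)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(cert.SerialNumber) == 0 }), nil
}

func main() {
	caCert, caKey := NewCA()
	_, csr := NewClientCSR("alice@example.com") // constructed user
	cert, err := IssueClientCert(caCert, caKey, csr, "alice@example.com", 90*24*time.Hour, 1001)
	revoked, _ := IsRevoked(IssueCRL(caCert, caKey, time.Now(), cert), caCert, cert, time.Now())
	fmt.Println(err, NeedsRenewal(cert, cert.NotAfter.Add(-20*24*time.Hour)), revoked)
}
```

Two points the code makes explicit that the prose only implies: the CA compares the identity the CSR asks for against the one IAM verified and refuses on mismatch, so a CSR is never its own proof of identity; and the relying party refuses to answer from a CRL past its nextUpdate, so the delayed CRL distribution described above surfaces as an error to investigate rather than a silent "not revoked".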

Scalability and Interoperability

Scalability becomes a core issue as organizations scale their PKI implementations across departments, geographic locations, or customer bases. Many PKI systems aren’t optimized for large-scale issuance and distribution. Consider an international logistics company with thousands of devices distributed globally—scaling their CA’s capacity to handle millions of certificates means addressing network latency and load balancing.

Interoperability adds another layer of difficulty. Organizations often have diverse systems—various operating systems, applications, and network devices that must all interact seamlessly within the PKI. For example, a multinational firm may deploy client certificates across a mix of mobile, desktop, and legacy systems, each supporting different cryptographic algorithms. When these older systems interact with newer PKI deployments, mismatches in protocol support or cryptographic strength can lead to compatibility issues, as some devices might not support the latest protocols or algorithms.

PKI specialists need deep knowledge of standards such as X.509 and PKCS for cryptographic token interfaces. Even then, ensuring interoperability in a mixed environment can be resource-intensive. Testing is required to identify and resolve compatibility issues, often requiring custom patches or legacy system upgrades.

Security Concerns

Security concerns underpin every aspect of PKI, but they’re particularly pertinent in client certificate implementations, where compromising a private key can undermine the entire system’s integrity. Securing private keys on client devices remains challenging. For example, a financial services firm using client certificates for authentication on employee laptops may require hardware-based key storage solutions like TPMs or Hardware Security Modules (HSMs). These solutions secure keys effectively but add significant costs and logistical requirements, as TPMs may not be available on all devices or may not support the same security configurations.

Phishing and social engineering attacks also pose risks, as attackers might try to trick users into revealing certificate information. A large corporation, for example, might experience phishing campaigns that target employees to access their certificates, especially if certificates are used for privileged applications. Training employees on identifying phishing attempts is essential but difficult, as not all users grasp PKI’s technical intricacies, making them vulnerable to social engineering.

Establishing secure backup and recovery processes is essential for handling lost or damaged devices, but this adds yet another layer of security complexity. The process is not just a technical challenge; it also demands policy and protocol development to ensure lost certificates are replaced without exposing the system to unauthorized access.

Complexity

PKI’s inherent complexity is another obstacle, as it demands expertise in cryptography, identity management, and network infrastructure. For example, consider a hospital system attempting to integrate client certificates into its network for secure communication. Coordinating issuance and usage policies with varying departments, from administration to on-the-ground clinical operations, involves extensive collaboration and policy enforcement. PKI policies must account for certificate lifetimes, revocation criteria, usage restrictions, and renewal procedures, each requiring precise configuration across a variety of devices and systems.

Even with technical expertise, the cross-departmental coordination required to establish PKI policies and enforce them consistently can be demanding. Additionally, strict configurations to enforce security policies may degrade user experience. Excessive restrictions or overly complex installation procedures can lead to end-user frustration, as seen in educational institutions where students struggle to access network resources because of complex certificate requirements on mobile devices.

Costs

PKI implementation is resource-intensive, both in terms of infrastructure and human capital. Establishing a PKI with client certificates requires a dedicated Certificate Authority, often redundant CRL distribution points and OCSP responders, and possibly hardware security modules. For example, a government agency implementing PKI for employee authentication may invest heavily in CA infrastructure, as well as HSMs to secure high-value certificates, not to mention the associated costs of maintaining network redundancy.

Operational costs add to the financial burden. PKI specialists are highly skilled, and their expertise comes at a premium. Further, training and support for end-users contribute to ongoing expenses. A corporation that introduces client certificates may need a full-time support team to handle certificate-related issues, escalating the total cost of ownership. With every added layer of complexity—such as custom development, interoperability testing, or security enhancements—the implementation costs increase.

In addition to the infrastructure and labor costs, there are indirect expenses tied to user downtime if PKI is not managed efficiently. For example, if a certificate expiration affects the CEO’s access to a critical application, the resulting productivity loss translates to a financial hit beyond the direct PKI expenses.

User Experience

The user experience (UX) is often an overlooked aspect of PKI implementation. However, it directly impacts adoption and the overall success of the PKI system. The certificate lifecycle involves issuance, installation, renewal, and sometimes revocation—all touchpoints that users must navigate. If the experience is cumbersome, users may resist or fail to complete tasks, leading to productivity losses and frustrated support teams.

Consider a law firm implementing client certificates for its employees to access secure client documents. If the process requires manual certificate installation, attorneys with limited technical skills may face challenges, creating frustration and, potentially, resistance to the system. In this case, automated installation for managed devices, combined with clear, accessible support, can reduce user disruption and improve compliance. Notifications about upcoming expirations must be clear and provide actionable steps; otherwise, the firm risks attorneys being unable to access essential files when certificates expire.

Another critical UX consideration is managing the experience for non-technical users. For instance, a manufacturing company that issues client certificates to frontline workers for device authentication must balance the need for security with an intuitive interface. Training employees on how to use certificates without burdening them with technical details is essential. User training materials tailored to various skill levels can aid in adoption but require additional development time and resources.

A few hurdles KeyTalk has had to overcome with clients

Mobile Device Management (MDM) solutions often prefer older protocols such as NDES/SCEP for requesting client certificates. However, modern solutions like Microsoft Intune do not support the “standard” SCEP protocol. Instead, Microsoft has developed a variant in which the SCEP challenge is verified by Intune rather than by the SCEP server. As a result, KeyTalk CKMS had to be updated to support both variants of the SCEP protocol. This update allows MDM solutions using the original SCEP implementation, such as JAMF, to be supported while also accommodating Intune.

Another challenge we encountered was a customer’s requirement for machine client certificates on Linux systems, where the TPM was used to secure the private key of the certificate. Since no existing solution was available, KeyTalk addressed this need by extending our Linux agents to support TPM 2.0 and enabling authentication using Kerberos tokens. This approach triggers the CSR signing process to obtain the machine client certificate.

A SCEP proxy is a method where an endpoint requests a certificate using the SCEP protocol through an intermediate server that acts as the SCEP server but merely relays the SCEP request to the actual SCEP server. To enable proxy functionality, KeyTalk ensured our solution supported the translation of CA trust, preventing any disruption of the SCEP protocol.

Conclusion

Implementing client certificates in PKI environments brings strong security benefits but also numerous technical and operational challenges. PKI specialists must address efficient certificate issuance, distribution, expiration, and revocation while managing scalability and interoperability. Security concerns, such as protecting private keys and countering phishing risks, add complexity, and the required expertise can drive up costs, making PKI a considerable investment.

To optimize the benefits, organizations should prioritize automation, user-friendly distribution, and interoperability. Automated renewal and clear user guidance can help reduce friction, making PKI both secure and practical. Staying updated on new protocols and aligning security goals with operational needs are crucial for a successful PKI deployment.

KeyTalk CKMS extends these capabilities further by offering additional possibilities:

  1. Flexible Integration with MDM Solutions: KeyTalk CKMS supports seamless integration with popular MDM platforms like Microsoft Intune and JAMF, ensuring secure and automated certificate deployment across diverse device ecosystems.
  2. Advanced Key Protection: By incorporating TPM 2.0 support for Linux systems and secure private key storage, KeyTalk ensures that sensitive keys are well-protected, even in complex environments.
  3. SCEP Proxy Functionality: KeyTalk CKMS can act as a SCEP proxy, simplifying certificate requests from endpoints and ensuring trust translation without disrupting the SCEP protocol. This enhances scalability and flexibility in large deployments.
  4. Customizable Certificate Templates: Organizations can define and manage multiple certificate templates tailored to their unique security needs, from user authentication to S/MIME email encryption and machine identity.
  5. Granular Role-Based Access Control (RBAC): With RBAC, administrators can delegate specific PKI management tasks securely, maintaining oversight while allowing operational efficiency.
  6. Comprehensive Reporting and Audit Logs: KeyTalk CKMS provides detailed logs and reports for compliance and security audits, giving organizations full visibility into certificate activities.
  7. Phishing Protection Enhancements: Leveraging PKI for email encryption and digital signatures, KeyTalk helps mitigate phishing risks by ensuring email authenticity and integrity.

By leveraging these features, organizations can achieve a more secure, efficient, and future-proof PKI environment that aligns with their operational and security goals.

Curious about what client or user authentication certificates can mean for your organization? Contact us by filling in the contact form below for more information and discover how we can optimize your certificate management.

The KeyTalk Team
