Who should be in charge of PKI / CA server?
In principle, who should be in charge of PKI infrastructure / CA server? The customer, the MSSP, or some third party providing PKI as a service?
The customer (1000 employees) has an IT department, and has until now managed their own CA server for issuing client certificates used for client VPN and WiFi authentication. As part of downscaling their IT department, they're planning to get rid of their CA server. They want WiFi with EAP-TLS authentication delivered by our company, but they don't want to handle the PKI infrastructure themselves.
Should we as an MSSP provide PKI as a service to the customer, or should we tell the customer to get PKI as a service from a third party? We are currently testing FortiAuthenticator, but as far as I can tell, FAC cannot be used as a CA server in a multi-tenant environment. There are PKIaaS providers online that could be used, but we currently don't have the resources to handle PKI for customers, even if utilizing PKIaaS on the customer's behalf.
Does anyone have any experience and recommendations related to this?
It depends on your resources and the customer's needs. If you can handle it, offering PKI as a service might be a good move to ensure smooth operations for their WiFi and VPN. But if you're stretched thin, recommending a third-party PKIaaS provider could be the better option.
FortiAuthenticator doesn't have a separate multi-tenancy feature, but in the case of certificate management, it supports multiple CAs based on user licenses and uses SCEP for auto-enrollment.
If you have found a solution, please like and accept it to make it easily accessible for others.