IronWiFi PKI Infrastructure
IronWiFi provides a multi-tiered, HSM-backed Certificate Authority (CA) infrastructure for secure certificate-based WiFi authentication. This document describes the PKI architecture and provides certificate fingerprints for verification.
Architecture Overview
IronWiFi offers a modular PKI architecture supporting both:
- Hybrid PKI - Customer's signing CA is signed by IronWiFi's Root CA
- Private PKI - Customers generate their own keypair for signing, which can be:
  - Securely transferred to IronWiFi for import into HSM-based KMS
  - Accessed from the customer's own CloudHSM solution
Security Features
HSM-Based Key Management
All Intermediate Signing CA private keys are stored in geo-redundant, private cloud-based Key Management Servers (KMS) using Hardware Security Modules (HSMs):
- Key generation - All private keys are generated directly on HSMs
- Key protection - Private keys can never be exported from the HSM
- Geographic redundancy - Keys are replicated across multiple regions
- Access control - Strict authentication for all key operations
API Security
Communication between the SCEP issuing server and KMS is protected by:
- HMAC authentication - All API calls are cryptographically authenticated
- Client certificate verification - Mutual TLS for server authentication
- Key rotation - Client certificates are rotated after each API call
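The HMAC authentication described above can be illustrated with a small worked example. This is added example code, not IronWiFi's implementation: the canonical-string layout, the header names, the replay window and the shared secret are all assumptions made here to show the technique of binding method, path, timestamp and body into one MAC that the receiving side recomputes and compares in constant time.

```python
"""Worked example (added here, not IronWiFi's code): HMAC-authenticating an
API call between an issuing server and a KMS. Header names, canonical-string
layout and the replay window are assumptions chosen for illustration."""
import hashlib
import hmac
import time

# Constructed shared secret for illustration only; a real deployment would
# provision the secret out of band and keep it inside the KMS boundary.
SHARED_SECRET = b"constructed-shared-secret-do-not-use"

# Requests whose timestamp is further than this from the receiver's clock are
# rejected, which bounds how long a captured request could be replayed.
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind every security-relevant part of the request into one byte string.
    The body is hashed rather than embedded so the string stays fixed-size."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(method, path, body, timestamp=None, secret=SHARED_SECRET):
    """Caller side: produce the headers attached to the outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None, secret=SHARED_SECRET):
    """Receiver side: recompute the MAC and compare it in constant time.
    Returns (ok, reason) so a rejected request can be logged with its cause."""
    try:
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(
        secret, canonical_string(method, path, ts, body), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"csr": "constructed-csr-placeholder"}'
    hdrs = sign_request("POST", "/v1/sign", body)
    print(verify_request("POST", "/v1/sign", body, hdrs))
    # Any change to the body, path or method invalidates the signature.
    print(verify_request("POST", "/v1/sign", body + b" ", hdrs))
```

Because the body hash is part of the signed string, a request whose CSR is altered in transit fails verification even though the timestamp and path are unchanged; the timestamp check is what limits replay of an otherwise valid request.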
Certificate Authority Hierarchy
IronWiFi uses a three-tier PKI hierarchy:
Root Certificate Authority
The Root CA is the trust anchor for the entire PKI:
- Offline and air-gapped for maximum security
- HSM-protected private key
- Used only to sign Intermediate CA certificates
Intermediate Certificate Authorities
| CA Name | Purpose |
|---|---|
| SCEP Signing Intermediate CA | Signs certificates requested via SCEP protocol |
| Client Signing Intermediate CA | Signs end-user and device certificates |
| RadSec Signing Intermediate CA | Signs certificates for RadSec (RADIUS over TLS) |
| Signing Intermediate CA | General-purpose certificate signing |
Certificate Fingerprints
Use these SHA256 fingerprints to verify the authenticity of IronWiFi certificates.
Root CA
| Property | Value |
|---|---|
| Name | IronWiFi Root CA |
| SHA256 Fingerprint | |
SCEP Signing Intermediate CA
| Property | Value |
|---|---|
| Name | IRONWIFI SCEP Signing Intermediate Certificate Authority |
| SHA256 Fingerprint | |
Client Signing Intermediate CA
| Property | Value |
|---|---|
| Name | IRONWIFI Client Signing Intermediate Certificate Authority |
| SHA256 Fingerprint | |
RadSec Signing Intermediate CA
| Property | Value |
|---|---|
| Name | IRONWIFI RadSec Signing Intermediate Certificate Authority |
| SHA256 Fingerprint | |
Signing Intermediate CA
| Property | Value |
|---|---|
| Name | IRONWIFI Signing Intermediate Certificate Authority |
| SHA256 Fingerprint | |
Verifying Certificate Fingerprints
Windows
macOS / Linux
Browser
- Click the padlock icon in the address bar
- View certificate details
- Find SHA-256 fingerprint in certificate info
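For a scripted check on any platform, the following is an added example (not IronWiFi's tooling) that computes the SHA-256 fingerprint of a downloaded PEM certificate and compares it with the value published in the tables above. A certificate fingerprint is SHA-256 over the DER encoding, which is the base64 body between the BEGIN/END markers, so only the Python standard library is needed. The PEM embedded here wraps constructed placeholder bytes rather than a real certificate; replace it with the file downloaded from the console.

```python
"""Worked example (added here, not IronWiFi's code): compute a certificate's
SHA-256 fingerprint from its PEM file and compare it with a published value."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract and base64-decode the first certificate block in a PEM string."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the layout most certificate viewers print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop separators, whitespace and case so 'aa:bb', 'AA BB' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def verify_fingerprint(pem_text: str, expected: str) -> bool:
    """True only if the computed fingerprint equals the published one.
    A truncated or partial expected value is rejected rather than prefix-matched."""
    computed = normalize(sha256_fingerprint(pem_to_der(pem_text)))
    wanted = normalize(expected)
    return len(wanted) == 64 and computed == wanted


# Constructed placeholder: these are NOT real certificate bytes. In practice
# read the .pem/.crt file downloaded from the console instead.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(PLACEHOLDER_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # Published value would normally be copied from the fingerprint table above.
    published = sha256_fingerprint(PLACEHOLDER_DER)
    print(published)
    print(verify_fingerprint(CONSTRUCTED_PEM, published))
    print(verify_fingerprint(CONSTRUCTED_PEM, "AA:" * 31 + "AA"))
```

The value this produces for a real certificate is the same one `openssl x509 -in cert.pem -noout -fingerprint -sha256` prints on macOS and Linux, so either route can be used to compare against the published tables; a mismatch means the file is not the certificate IronWiFi published and should not be installed as a trust anchor.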
SCEP Integration
The Simple Certificate Enrollment Protocol (SCEP) allows devices to automatically enroll for certificates:
- Device sends Certificate Signing Request (CSR) to SCEP URL
- SCEP server validates request using shared secret
- Request is forwarded to KMS for signing
- Signed certificate is returned to device
SCEP URL Format
For Windows/Intune profiles, remove `/scep`.
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| | Your data residency region | |
| | Your IronWiFi account identifier | Found in console URL |
Downloading CA Certificates
- Log in to the IronWiFi Console
- Navigate to Account > Certificates
- Download the required certificates:
  - IronWiFi CA Certificate - For SCEP profiles
  - Trusted RADIUS Server Certificate - For WiFi profiles
Related Documentation
- SCEP & PKI Integration - Step-by-step SCEP setup guide
- Intune Integration - Microsoft Intune configuration
- Jamf Integration - Jamf Pro configuration