Fundamentos de PKI para administradores de WiFi: certificados, CA y cadenas de confianza

Esta guía de referencia técnica explica los conceptos fundamentales de la Infraestructura de Clave Pública (PKI) para administradores de WiFi empresarial, abarcando autoridades de certificación, cadenas de confianza y certificados X.509. Detalla cómo la PKI sustenta la autenticación mutua EAP-TLS y proporciona orientación de despliegue práctica para equipos de TI en entornos de hostelería, retail y sector público. Comprender la PKI es un requisito obligatorio para desplegar la autenticación WiFi de personal basada en certificados con Purple.

📖 8 min de lectura📝 1,896 palabras🔧 2 ejemplos❓ 4 preguntas📚 10 términos clave

🎧 Escuchar esta guía

Ver transcripción

[Introduction & Context — 1 minute]

Welcome to the Purple technical briefing. I'm your host, and today we're unpacking a critical foundational topic for any enterprise network architect: PKI Fundamentals for WiFi Administrators. We'll be looking specifically at Certificates, Certificate Authorities, and Trust Chains.

If you're an IT manager, CTO, or venue operations director at a hotel, retail chain, or large public venue, you know that securing your network is no longer just about a complex pre-shared key. To truly secure staff and corporate devices, you need certificate-based authentication — specifically EAP-TLS. But to deploy EAP-TLS, or even WPA3-Enterprise, you must first understand the underlying Public Key Infrastructure, or PKI.

Today, we're cutting through the academic theory. We're going to look at exactly how PKI works in the real world of WiFi deployment, why you need it, and how it underpins the secure access solutions we build here at Purple.

[Technical Deep-Dive — 5 minutes]

Let's dive into the architecture. At its core, PKI is a framework that uses cryptography to verify the identity of devices and servers on your network. Think of it as a digital passport system.

When a device tries to connect to your corporate WiFi, how does the network know it's a legitimate corporate laptop and not a rogue device? And conversely, how does the laptop know it's connecting to your actual RADIUS server and not an attacker's honeypot? This is where X.509 certificates come in.

The entire system relies on a concept called the Trust Chain. At the top of this chain sits the Root Certificate Authority, or Root CA. The Root CA is the ultimate source of truth. In a proper enterprise deployment, this Root CA is often kept offline and air-gapped for maximum security. Its only job is to sign the certificates of the tier below it.

That next tier is the Intermediate CA. The Intermediate CA is online and does the actual day-to-day work of issuing certificates to servers and client devices. By keeping the Root CA offline and using an Intermediate CA, you mitigate massive risk. If the Intermediate CA is compromised, you can revoke it and spin up a new one using your secure Root CA.

At the bottom of the chain are the Leaf Certificates. These are the actual certificates installed on your RADIUS server — the Server Certificate — and on your end-user devices — the Client Certificates.

So, how does this work in practice during an EAP-TLS authentication? It's a mutual authentication process. When a device attempts to connect to the WiFi Access Point — the Authenticator — it communicates with the RADIUS Server. The RADIUS server presents its Server Certificate to the device. The device checks this certificate against its trusted Root CAs. If it validates, the device knows the network is legitimate.

Then, the device presents its own Client Certificate to the RADIUS server. The server validates the client's certificate. Once both sides have verified each other's digital passports via the Trust Chain, the TLS handshake completes, and access is granted. No passwords to steal, no shared keys to guess. Just cryptographically secure, mutual authentication.

Now let's talk about how this maps to the IEEE 802.1X standard. EAP-TLS is defined within 802.1X, which is the port-based network access control framework. In an 802.1X deployment, you have three roles. First, the Supplicant — that's the client device trying to access the network. Second, the Authenticator — that's your WiFi access point or network switch. Third, the Authentication Server — that's your RADIUS server. The access point acts as a gatekeeper, passing authentication messages between the client and the RADIUS server without ever seeing the actual credentials. This architecture is fundamental to understanding why PKI is so powerful in a WiFi context.

Let's also consider the X.509 certificate format itself. Each certificate contains several critical fields. The Subject, which identifies who the certificate belongs to. The Issuer, which identifies the CA that signed it. The Public Key, which is the cryptographic key associated with the subject. The Validity Period, which defines the start and end dates. And the Signature, which is the CA's cryptographic stamp of approval. When a RADIUS server or client device validates a certificate, it checks all of these fields, including whether the certificate has been revoked.

[Implementation Recommendations & Pitfalls — 2 minutes]

When you're planning this deployment, one of the biggest decisions is whether to use a Public CA or a Private CA.

For your RADIUS server, you can use a Public CA — like DigiCert or Let's Encrypt. The benefit here is that most client devices already trust these public roots out-of-the-box. However, for issuing Client Certificates to thousands of corporate devices, you absolutely need a Private CA. You don't want to pay a public provider for every staff laptop and scanner, and you need complete control over the issuance and revocation lifecycle.

A common pitfall we see in large hospitality or retail deployments is failing to plan for certificate revocation. What happens when a staff laptop is stolen? You must have a robust Certificate Revocation List, or CRL, or use the Online Certificate Status Protocol, known as OCSP, so your RADIUS server knows to immediately reject that specific certificate.

Another critical implementation detail: do not let your certificates expire silently. I've seen entire hospital wings lose WiFi access because a single server certificate expired, breaking the trust chain. Implement automated monitoring and alerting well before expiry dates. A good rule of thumb is to alert at 90 days, 60 days, and 30 days before expiry, and automate renewal at 60 days.

[Rapid-Fire Q&A — 1 minute]

Let's tackle a few common questions we get from network teams.

Question one: Can we just use MAC address filtering instead of PKI?

Absolutely not. MAC addresses are trivially spoofed using freely available tools. MAC filtering provides zero cryptographic security and fails basic compliance audits like PCI DSS. EAP-TLS with PKI is the gold standard, and for good reason.

Question two: Does this apply to guest WiFi?

Generally, no. PKI and EAP-TLS are for secure, internal corporate access — staff devices, point-of-sale terminals, and corporate laptops. For guest access, you want a seamless captive portal solution, which is where Purple's Guest WiFi platform excels. Trying to deploy certificates to unmanaged guest devices is operationally impractical and creates a poor user experience.

Question three: How do we get the certificates onto the devices?

You need a Mobile Device Management, or MDM, solution such as Microsoft Intune or Jamf. You push the Root CA, the Intermediate CA, and the individual Client Certificates down to the devices automatically via policy. Do not try to install these manually — it simply does not scale.

[Summary & Next Steps — 1 minute]

To wrap up: PKI is the foundational trust layer for secure enterprise WiFi. You need a clear hierarchy with a Root CA, an Intermediate CA, and Leaf Certificates. EAP-TLS leverages this hierarchy to provide mutual authentication, eliminating the risks associated with passwords and shared keys.

For IT directors, understanding this architecture is the prerequisite for deploying robust, compliant network access. Whether you're securing point-of-sale systems in retail, staff networks in hospitality, or clinical devices in healthcare, PKI is non-negotiable.

The key takeaways from today's briefing are these. First, use a Public CA for your RADIUS server certificate and a Private CA for client devices. Second, always keep your Root CA offline and air-gapped. Third, deploy certificates via MDM — never manually. Fourth, implement OCSP for real-time revocation checking. And fifth, automate certificate renewal to prevent outages.

Thank you for joining this technical briefing. For more detailed deployment guides and to see how Purple integrates with your secure network architecture, visit purple.ai.

Resumen ejecutivo

Para los responsables de TI, arquitectos de red y directores de operaciones de recintos, proteger las redes WiFi corporativas y de personal es un requisito operativo y de cumplimiento crítico. Los métodos de autenticación heredados, como las claves precompartidas (PSK) o el filtrado de direcciones MAC, son insuficientes para los entornos empresariales modernos, lo que deja a las redes vulnerables al robo de credenciales y a la suplantación de dispositivos. Para lograr una seguridad robusta y auditable, las organizaciones deben realizar la transición a la autenticación basada en certificados, específicamente EAP-TLS (Extensible Authentication Protocol-Transport Layer Security).

El despliegue de EAP-TLS requiere una comprensión sólida de la Infraestructura de Clave Pública (PKI). Esta guía desmitifica la PKI para los administradores de WiFi, explicando las funciones de las Autoridades de Certificación (CA), la mecánica de la cadena de confianza y las diferencias prácticas entre los certificados de servidor y de cliente. Al dominar estos fundamentos, los equipos de TI pueden diseñar e implementar con confianza soluciones de acceso a la red seguras y escalables en recintos de hostelería , retail y del sector público, garantizando el cumplimiento de estándares como PCI DSS y GDPR, al tiempo que proporcionan una conectividad fluida y sin contraseñas para los dispositivos gestionados. Comprender la PKI es también el requisito fundamental para desplegar la autenticación WiFi de personal basada en certificados con Purple.

Análisis técnico detallado

La arquitectura de la confianza: ¿Qué es la Infraestructura de Clave Pública?

La Infraestructura de Clave Pública (PKI) es un marco criptográfico que permite la comunicación segura y la autenticación mutua a través de una red no confiable. En el contexto del WiFi empresarial, la PKI actúa como un sistema de pasaporte digital, verificando la identidad tanto del dispositivo cliente (el suplicante) como del servidor de autenticación de red (el servidor RADIUS) antes de que se intercambie cualquier dato.

Este sistema se basa en certificados X.509, que vinculan una clave pública a una identidad verificada —como el nombre de host de un servidor o la dirección de correo electrónico de un usuario— y están firmados digitalmente por un tercero de confianza conocido como Autoridad de Certificación (CA). La firma de la CA es la garantía criptográfica de que la reclamación de identidad es legítima.

La jerarquía de certificados y la cadena de confianza

La fuerza de la PKI reside en su estructura jerárquica, conocida como cadena de confianza. Esta jerarquía garantiza que cualquier certificado presentado por un dispositivo o servidor pueda rastrearse criptográficamente hasta una fuente de confianza universal. Los tres niveles son los siguientes.

Autoridad de Certificación Raíz (Root CA): La Root CA es el ancla criptográfica de todo el ecosistema PKI. Emite un certificado autofirmado y los dispositivos cliente y servidores confían intrínsecamente en ella. En un despliegue empresarial seguro, la Root CA se mantiene fuera de línea y aislada (air-gapped) para proteger su clave privada de compromisos basados en la red. Su único propósito operativo es firmar los certificados de las CA intermedias.

Autoridad de Certificación Intermedia (Intermediate CA): La CA intermedia actúa como un búfer entre la Root CA altamente segura y el entorno operativo. Está en línea y se encarga de la emisión y revocación diaria de certificados hoja. Esta separación es una estrategia crítica de mitigación de riesgos: si una CA intermedia se ve comprometida, la Root CA puede revocarla sin invalidar toda la infraestructura PKI ni requerir la reconfiguración de cada dispositivo cliente.

Certificados hoja (certificados de entidad final): Estos son los certificados instalados en servidores individuales y dispositivos cliente. Se sitúan en la base de la cadena de confianza y no pueden firmar otros certificados por sí mismos. Existen dos tipos principales relevantes para el despliegue de WiFi. El Certificado de servidor se instala en el servidor RADIUS, lo que permite a los dispositivos cliente verificar que se están conectando a la red corporativa legítima. El Certificado de cliente se instala en portátiles del personal, dispositivos móviles o terminales de punto de venta, lo que permite al servidor RADIUS verificar la identidad de cada dispositivo o usuario específico.

Cómo la PKI sustenta la autenticación EAP-TLS

EAP-TLS es el estándar de oro para la autenticación WiFi segura porque exige la autenticación mutua basada en certificados. Esto significa que tanto el dispositivo cliente como el servidor RADIUS deben demostrar sus identidades entre sí mediante certificados validados contra la cadena de confianza de la PKI, eliminando los riesgos inherentes a los enfoques basados en contraseñas.

Durante el saludo (handshake) EAP-TLS, que opera dentro del marco IEEE 802.1X, el servidor RADIUS presenta primero su certificado de servidor al dispositivo cliente. El dispositivo valida la firma del certificado contra su almacén de Root CA de confianza. Si es válido, el dispositivo tiene una prueba criptográfica de que se está conectando a la red corporativa legítima, no a un punto de acceso malicioso o un "evil twin". A continuación, el dispositivo cliente presenta su propio certificado de cliente al servidor RADIUS, que lo valida contra la CA. Una vez que ambas partes se han autenticado, se establece un túnel TLS seguro y se concede el acceso a la red. No se transmiten contraseñas y no existen secretos compartidos que puedan ser robados.

Esta arquitectura es también la base de WPA3-Enterprise, que exige el modo de seguridad de 192 bits y se basa en los mismos fundamentos de PKI y 802.1X. Para las organizaciones que despliegan puntos de acceso inalámbricos en entornos de alta seguridad, WPA3-Enterprise con EAP-TLS representa la mejor práctica actual.

CA pública frente a CA privada: la decisión de despliegue

Una de las decisiones arquitectónicas más trascendentales en un despliegue de PKI es la elección entre una CA pública y una CA privada. La siguiente tabla resume las ventajas y desventajas.

Criterio	CA pública	CA privada
Coste	Tarifa por certificado (viable para un número reducido de servidores)	Coste de infraestructura, pero sin tarifa por certificado a escala
Confianza del dispositivo	Confiable por defecto en la mayoría de los SO y dispositivos	Requiere que la Root CA se envíe a todos los dispositivos mediante MDM
Control	Limitado; la CA controla las políticas de emisión	Control total sobre la emisión, revocación y ciclo de vida
Mejor caso de uso	Certificado de servidor RADIUS	Certificados de cliente para dispositivos corporativos gestionados
Cumplimiento	Auditable mediante registros públicos de CT	Requiere procesos de auditoría interna

El enfoque recomendado para la mayoría de los despliegues de WiFi empresarial es un modelo híbrido: utilizar una CA pública para el certificado del servidor RADIUS para garantizar una amplia compatibilidad, y desplegar una CA privada (como Microsoft Active Directory Certificate Services o un proveedor de PKI basado en la nube) para emitir certificados de cliente a dispositivos gestionados a escala.

Guía de implementación

Paso 1: Diseñar la arquitectura de la CA

Comience mapeando sus requisitos de certificados. Identifique el número de dispositivos gestionados, los sistemas operativos en uso y la plataforma MDM disponible. Determine si una jerarquía de dos niveles (Root CA + CA intermedia) o de tres niveles es adecuada para la escala y el perfil de riesgo de su organización.

Paso 2: Desplegar y proteger las CA raíz e intermedia

Establezca la Root CA fuera de línea en una máquina dedicada y aislada. Utilice la Root CA para firmar el certificado de la CA intermedia. Asegúrese de que la CA intermedia se despliegue de forma segura en su centro de datos o entorno en la nube y se integre con su proveedor de identidad (IdP) o solución MDM. Almacene la clave privada de la Root CA en un Módulo de Seguridad de Hardware (HSM) cuando el presupuesto lo permita.

Paso 3: Configurar el servidor RADIUS

Instale el certificado de servidor en su servidor RADIUS. Configure el servidor para que requiera EAP-TLS para el SSID corporativo seguro. Asegúrese de que el servidor RADIUS confíe en la CA intermedia que emitió los certificados de cliente y configúrelo para realizar la comprobación de revocación a través de OCSP.

Paso 4: Distribuir certificados a través de MDM

Nunca intente la instalación manual de certificados a escala. Utilice una plataforma MDM como Microsoft Intune o Jamf para enviar el certificado de la Root CA, el certificado de la CA intermedia y los certificados de cliente únicos a todos los dispositivos gestionados mediante una política automatizada. Esto garantiza un despliegue coherente y permite la renovación automatizada.

Paso 5: Implementar y probar mecanismos de revocación

Configure las Listas de Revocación de Certificados (CRL) o el Protocolo de Estado de Certificados en Línea (OCSP). Pruebe el flujo de trabajo de revocación de extremo a extremo revocando un certificado de prueba y confirmando que el servidor RADIUS deniega el acceso dentro del plazo previsto. Para entornos que requieren una revocación casi instantánea —como las redes de TPV de retail — el OCSP es obligatorio.

Paso 6: Supervisar y automatizar la gestión del ciclo de vida

Implemente la supervisión automatizada de la caducidad de los certificados en todos los niveles de la jerarquía. Configure alertas a los 90, 60 y 30 días antes de la caducidad. Automatice la renovación a los 60 días. Este es el paso operativo más impactante para evitar interrupciones en la red.

Mejores prácticas

Imponer la autenticación mutua sin excepción: Asegúrese de que los dispositivos cliente estén configurados para validar estrictamente el certificado del servidor RADIUS. Desactivar la validación del certificado del servidor —un atajo común durante el despliegue inicial— deja a los dispositivos vulnerables a ataques de hombre en el medio (man-in-the-middle) y a la recolección de credenciales, además de violar los requisitos de PCI DSS.

Segregar las redes por método de autenticación: Utilice EAP-TLS para los dispositivos corporativos y del personal en un SSID dedicado. Para el acceso de visitantes públicos, despliegue una solución robusta de Captive Portal como WiFi para invitados en una red totalmente segregada. No intente desplegar PKI en dispositivos de invitados no gestionados.

Auditar la infraestructura PKI regularmente: Realice auditorías trimestrales de los controles de acceso a la CA, las listas de revocación y los registros de emisión de certificados. En entornos de sanidad y retail , este es un requisito de cumplimiento bajo HIPAA y PCI DSS respectivamente.

Integrar con analíticas de red: Una vez establecida la autenticación segura, añada una capa de analíticas de WiFi para obtener visibilidad sobre el comportamiento de los dispositivos, los patrones de conexión y las posibles anomalías. Una red segura es la base de unos datos confiables.

Considerar la integración con SD-WAN: Para despliegues en múltiples sitios en cadenas hoteleras o fincas de retail, la PKI se integra de forma natural con las arquitecturas SD-WAN. Para obtener contexto sobre cómo se complementan estas tecnologías, consulte Los beneficios principales de SD-WAN para las empresas modernas .

Resolución de problemas y mitigación de riesgos

La siguiente tabla asocia los modos de fallo comunes con sus causas raíz y las mitigaciones recomendadas.

Síntoma	Causa raíz	Mitigación
Los dispositivos no pueden conectarse; los registros de RADIUS muestran 'CA desconocida'	El dispositivo cliente no confía en la CA que emitió el certificado del servidor RADIUS	Envíe la Root CA a todos los dispositivos mediante MDM
Interrupción repentina en toda la red para todos los dispositivos corporativos	El certificado del servidor RADIUS o el certificado de la CA intermedia ha caducado	Implemente la supervisión y renovación automatizadas; alerte a los 90/60/30 días
Un portátil robado aún puede acceder a la red	La CRL está desactualizada o el OCSP no está configurado	Cambie a OCSP para la comprobación de revocación en tiempo real
Los nuevos dispositivos no pueden conectarse tras el registro en el MDM	El certificado de cliente aún no ha sido enviado por la política del MDM	Verifique la asignación de la política del MDM y fuerce una sincronización del dispositivo
Fallos de autenticación intermitentes	Desfase horario entre el cliente y el servidor RADIUS	Asegúrese de que todos los dispositivos utilicen la sincronización horaria NTP

Para una comprensión más profunda de la configuración y resolución de problemas de 802.1X, la guía Autenticación 802.1X: Protección del acceso a la red en dispositivos modernos proporciona una orientación de configuración detallada e independiente del proveedor.

ROI e impacto empresarial

La transición a una arquitectura EAP-TLS respaldada por PKI ofrece un valor empresarial medible para los operadores de recintos en múltiples dimensiones.

Mitigación de riesgos y cumplimiento: La eliminación de la autenticación basada en contraseñas suprime el vector de ataque más común para el compromiso de la red. Esto reduce directamente la probabilidad de costosas brechas de datos y simplifica el cumplimiento de PCI DSS (necesario para el procesamiento de pagos), GDPR (para la protección de datos) y las regulaciones específicas del sector. Para los recintos que despliegan sensores de IoT o sistemas de guiado en interiores basados en la ubicación, una red protegida criptográficamente es un requisito previo para la integridad de los datos confiables.

Eficiencia operativa: La automatización del despliegue de certificados a través de MDM elimina la carga operativa de la gestión de contraseñas, reduciendo los tickets de soporte de TI relacionados con la conectividad WiFi. En entornos con alta rotación, como hoteles y retail, donde la incorporación y desincorporación de personal es frecuente, la emisión y revocación automatizada de certificados proporciona un ahorro de tiempo significativo en comparación con la gestión de credenciales compartidas.

Base para servicios avanzados: Una red corporativa segura y autenticada es la base confiable sobre la que se construyen los servicios operativos avanzados. Ya sea desplegando analíticas de WiFi para inteligencia de afluencia, sensores para datos de ocupación en tiempo real o guiado en interiores para grandes recintos, cada una de estas capacidades se beneficia de las garantías de integridad que proporciona la PKI.

Específicamente para los operadores de hostelería , la combinación de una red de personal segura y un portal de invitados bien diseñado —como se explora en Soluciones modernas de WiFi para hostelería que sus huéspedes merecen — representa la arquitectura de WiFi empresarial completa. Para los centros de transporte y los grandes recintos públicos, se aplican los mismos principios a escala.

Términos clave y definiciones

Public Key Infrastructure (PKI)

A framework of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

The foundational architecture that must be in place before an IT team can deploy secure, certificate-based WiFi authentication using EAP-TLS.

Certificate Authority (CA)

A trusted entity that issues digital certificates, verifying the identity of the certificate subject and binding that identity to a public key with a cryptographic signature.

The central authority in your network that acts as the source of truth for all device and server identities. Without a trusted CA, no certificate-based authentication is possible.

X.509 Certificate

The standard format for public key certificates, defined in RFC 5280. Contains the subject identity, public key, issuer identity, validity period, and the CA's digital signature.

The actual digital passport installed on a laptop or server that proves its identity during the EAP-TLS handshake.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

An 802.1X authentication method that requires mutual certificate-based authentication between the client device (supplicant) and the authentication server (RADIUS). Defined in RFC 5216.

The most secure method for authenticating corporate devices to a WiFi network. Eliminates the need for passwords and provides cryptographic proof of identity for both parties.

Trust Chain

A hierarchical sequence of certificates used to authenticate an entity, starting from the leaf certificate and tracing upward through the Intermediate CA to the Root CA.

The mechanism by which a laptop verifies that a RADIUS server's certificate is legitimate. Each link in the chain is validated until a trusted Root CA is reached.

Certificate Revocation List (CRL)

A periodically published list of digital certificates that have been revoked by the issuing CA before their scheduled expiration date and should no longer be trusted.

A mechanism for blocking access from lost or stolen devices. CRLs are cached and updated on a schedule, meaning revocation may not be immediate — a limitation addressed by OCSP.

Online Certificate Status Protocol (OCSP)

An internet protocol (RFC 6960) used for obtaining the real-time revocation status of an X.509 digital certificate by querying the CA's OCSP responder.

The preferred revocation mechanism for high-security environments. Enables the RADIUS server to check certificate validity in real-time during each authentication attempt, providing near-instant revocation enforcement.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralised Authentication, Authorisation, and Accounting (AAA) management for users and devices connecting to a network.

The central server in an enterprise WiFi deployment that validates certificates and makes the final access control decision. The RADIUS server is the operational core of an EAP-TLS deployment.

IEEE 802.1X

An IEEE standard for port-based Network Access Control (PNAC) that provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.

The overarching framework within which EAP-TLS operates. Understanding 802.1X is essential for configuring access points and switches to enforce certificate-based authentication.

Mobile Device Management (MDM)

A software platform used by IT administrators to remotely manage, configure, and secure mobile devices and laptops across an organisation.

The essential operational tool for deploying certificates at scale. MDM platforms such as Microsoft Intune and Jamf automate the distribution of Root CA certificates, Intermediate CA certificates, and Client Certificates to all managed devices.

Casos de éxito

A 500-room luxury hotel in London needs to secure its staff WiFi network for housekeeping tablets and point-of-sale (POS) terminals. Currently, they use a single Pre-Shared Key (PSK) that has not been rotated in three years and is known to all permanent and agency staff. The IT Director has been tasked with transitioning to a certificate-based architecture before the next PCI DSS audit. How should this be approached?

Phase 1 — Architecture Design: Deploy a cloud-based Private PKI (e.g., Microsoft NDES via Intune, or a dedicated cloud PKI provider) integrated with the hotel's MDM platform. Obtain a RADIUS Server Certificate from a Public CA such as DigiCert.

Phase 2 — Infrastructure Deployment: Configure the RADIUS server with the new Server Certificate and enable EAP-TLS on a new hidden SSID designated for staff devices. Configure OCSP for real-time revocation checking.

Phase 3 — Device Enrolment: Use the MDM platform to push the Private Root CA, the Intermediate CA, and unique Client Certificates to all housekeeping tablets and POS terminals. Verify successful certificate installation on a pilot group of 20 devices before full rollout.

Phase 4 — Migration and Decommission: Migrate all devices to the new EAP-TLS SSID via MDM policy. Confirm connectivity across all device types. After a two-week parallel running period, decommission the legacy PSK network.

Phase 5 — Operational Handover: Document the certificate lifecycle, revocation procedures, and MDM policies. Configure automated expiry alerts and schedule quarterly PKI audits.

Notas de implementación: This phased approach addresses the immediate PCI DSS compliance gap by eliminating the shared PSK. Using a Private CA for client devices avoids per-device certificate costs at scale — critical in a hospitality environment with high device counts and staff turnover. The use of a Public CA for the RADIUS server ensures compatibility if BYOD is later introduced. The parallel running period is essential to avoid operational disruption in a live hotel environment. For further context on hospitality WiFi architecture, see the guide on Modern Hospitality WiFi Solutions.

A national retail chain is deploying EAP-TLS across 200 stores. During pilot testing across five stores, the IT team discovers that when a store manager's laptop is reported stolen and the certificate is revoked in the PKI system, the device can still successfully authenticate to the corporate WiFi for up to 18 hours after revocation. The security team considers this an unacceptable risk given that the device may have access to inventory management systems. How should this be resolved?

The 18-hour delay is caused by the RADIUS server relying on a cached, infrequently downloaded Certificate Revocation List (CRL). CRLs are typically published on a schedule (e.g., every 24 hours) and cached by the RADIUS server, meaning revocation is not reflected in real-time.

The resolution is to reconfigure the RADIUS server to use the Online Certificate Status Protocol (OCSP) as the primary revocation checking mechanism. OCSP allows the RADIUS server to query the CA's OCSP responder in real-time during each EAP-TLS handshake, receiving an immediate 'good', 'revoked', or 'unknown' response for the specific certificate being presented.

Configuration steps: (1) Ensure the Private CA is configured with an OCSP responder endpoint. (2) Update the RADIUS server configuration to query the OCSP endpoint for every authentication attempt. (3) Configure OCSP stapling where supported to reduce latency. (4) Test by revoking a certificate and confirming the RADIUS server denies access within 60 seconds.

Notas de implementación: This scenario highlights a critical operational gap that is common in first-time PKI deployments. Issuing certificates is only half the battle — timely revocation is equally essential. In a retail environment where devices may have access to sensitive inventory data or payment systems, real-time revocation via OCSP is a mandatory control. The CRL approach is acceptable for lower-risk environments where an 18-24 hour revocation window is tolerable, but should never be the sole mechanism for high-risk device categories.

Análisis de escenarios

Q1. Your organisation is migrating from PEAP-MSCHAPv2 (username and password) to EAP-TLS for the corporate WiFi. The network team proposes using the existing Active Directory Certificate Services (AD CS) infrastructure to issue certificates to both the RADIUS servers and all corporate laptops. A member of the team points out that the organisation also has 50 contractor laptops that are not domain-joined. What is the primary compatibility risk, and how should it be addressed?

💡 Sugerencia:Consider how non-domain joined devices will validate the RADIUS server's identity when it presents a certificate signed by your Private AD CS Root CA.

Mostrar enfoque recomendado

The primary risk is that the 50 non-domain joined contractor laptops will not have the private AD CS Root CA in their trusted certificate store. When the RADIUS server presents its Server Certificate during the EAP-TLS handshake, these devices will receive an 'Untrusted Certificate' error and fail to connect. The recommended resolution is to obtain the RADIUS Server Certificate from a Public CA (such as DigiCert or Sectigo) rather than the private AD CS. Public CA roots are pre-installed in the trust stores of all major operating systems, ensuring compatibility with both domain-joined and non-domain joined devices. The private AD CS should be retained solely for issuing Client Certificates to managed, domain-joined devices.

Q2. During a compliance audit for a large NHS hospital trust, the auditor notes that the Root CA is running as a virtual machine in the primary data centre and is permanently connected to the hospital's internal network. The auditor flags this as a critical finding. What architectural change must be implemented, and why is the current configuration a significant risk?

💡 Sugerencia:Consider what would happen to every certificate in the organisation if the Root CA's private key were compromised by a ransomware attack or insider threat.

Mostrar enfoque recomendado

The Root CA must be immediately taken offline and air-gapped. The current configuration is a critical risk because the Root CA's private key is exposed to network-based attacks, including ransomware, lateral movement from a compromised domain account, or insider threats. If the Root CA's private key is stolen or used to sign malicious certificates, the entire PKI infrastructure — and therefore every certificate-authenticated system in the trust — is compromised. Recovery would require revoking the Root CA and re-issuing every certificate in the organisation, a catastrophic operational event. The correct architecture requires the Root CA to be powered on only when signing or revoking an Intermediate CA certificate, with all day-to-day issuance handled by an online Intermediate CA. The Root CA's private key should be stored in a Hardware Security Module (HSM).

Q3. A large conference centre operator wants to implement certificate-based authentication for both their permanent IT staff and the thousands of exhibitors and visitors who attend events. They ask you to design a single PKI infrastructure to serve both groups. What is your recommendation, and why?

💡 Sugerencia:Consider the operational feasibility of distributing certificates to thousands of unmanaged, temporary visitors who may attend an event for a single day.

Mostrar enfoque recomendado

You should strongly advise against using PKI and EAP-TLS for public visitors and exhibitors. Certificate-based authentication requires installing a Client Certificate and often a Root CA profile on the end-user device, which is operationally impossible for unmanaged, temporary devices and creates an extremely poor user experience. EAP-TLS should be strictly reserved for permanent IT staff using managed corporate devices enrolled in the organisation's MDM platform. For exhibitors and visitors, a captive portal solution should be deployed on a completely separate, segregated SSID. This two-network architecture — secure EAP-TLS for staff, captive portal for guests — is the industry standard for venue operators and is the model supported by Purple's platform.

Q4. An IT manager at a retail chain has successfully deployed EAP-TLS across all 150 stores. Six months later, the RADIUS server at 12 stores simultaneously stops accepting client connections. Investigation reveals no certificate revocations have occurred. What is the most likely cause, and what process failure allowed this to happen?

💡 Sugerencia:Consider what all 12 affected stores might have in common from a certificate perspective, and what event could cause simultaneous failures.

Mostrar enfoque recomendado

The most likely cause is that the Intermediate CA certificate — or the RADIUS Server Certificate — has expired. If all 12 stores were configured using the same Intermediate CA or the same batch of RADIUS Server Certificates issued at the same time, they would all expire simultaneously. This is a lifecycle management failure: the organisation did not implement automated certificate expiry monitoring and alerting. The resolution requires renewing the expired certificate(s) and immediately implementing automated monitoring with alerts at 90, 60, and 30 days before expiry for all certificates in the hierarchy, including the Intermediate CA, the RADIUS Server Certificate, and the Root CA.

Conclusiones clave

✓PKI is the cryptographic trust framework that must be in place before deploying EAP-TLS or WPA3-Enterprise certificate-based WiFi authentication.
✓The trust chain has three tiers: an offline Root CA (the trust anchor), an online Intermediate CA (the operational issuer), and Leaf Certificates installed on servers and client devices.
✓EAP-TLS provides mutual authentication — the client verifies the network and the network verifies the client — eliminating the password-based attack surface entirely.
✓Use a Public CA for your RADIUS Server Certificate (for broad device compatibility) and a Private CA for Client Certificates (for cost control and lifecycle management at scale).
✓Always keep the Root CA offline and air-gapped; if it is compromised, the entire PKI infrastructure must be rebuilt from scratch.
✓Implement OCSP for real-time certificate revocation checking — CRL-based revocation introduces unacceptable delays in high-security environments.
✓Automate certificate lifecycle management via MDM and monitoring tools; expired certificates are the leading cause of EAP-TLS network outages.