IronWifi PKI Infrastructure

IronWifi provides a multi-tiered, HSM-backed Certificate Authority (CA) infrastructure for secure certificate-based WiFi authentication. This document describes the PKI architecture and provides certificate fingerprints for verification.

Architecture Overview

IronWifi offers a modular PKI architecture supporting both:

Hybrid PKI - Customer's signing CA is signed by IronWifi's Root CA
Private PKI - Customers generate their own keypair for signing, which can be:
- Securely transferred to IronWifi for import into HSM-based KMS
- Accessed from the customer's own CloudHSM solution

Security Features

HSM-Based Key Management

All Intermediate Signing CA private keys are stored in geo-redundant, private cloud-based Key Management Servers (KMS) using Hardware Security Modules (HSMs):

Key generation - All private keys are generated directly on HSMs
Key protection - Private keys can never be exported from the HSM
Geographic redundancy - Keys are replicated across multiple regions
Access control - Strict authentication for all key operations

API Security

Communication between the SCEP issuing server and KMS is protected by:

HMAC authentication - All API calls are cryptographically authenticated
Client certificate verification - Mutual TLS for server authentication
Key rotation - Client certificates are rotated after each API call

Certificate Authority Hierarchy

IronWifi uses a three-tier PKI hierarchy:

IronWifi Root CA
├── SCEP Signing Intermediate CA
├── Client Signing Intermediate CA
├── RadSec Signing Intermediate CA
└── Signing Intermediate CA

Root Certificate Authority

The Root CA is the trust anchor for the entire PKI:

Offline and air-gapped for maximum security
HSM-protected private key
Used only to sign Intermediate CA certificates

Intermediate Certificate Authorities

CA Name	Purpose
SCEP Signing Intermediate CA	Signs certificates requested via SCEP protocol
Client Signing Intermediate CA	Signs end-user and device certificates
RadSec Signing Intermediate CA	Signs certificates for RadSec (RADIUS over TLS)
Signing Intermediate CA	General-purpose certificate signing

Certificate Fingerprints

Use these SHA256 fingerprints to verify the authenticity of IronWifi certificates.

Root CA

Property	Value
Name	IronWifi Root CA
SHA256 Fingerprint	`A0 BC E3 6E CE 95 AA 1B DB 61 F5 39 20 E4 91 C1 63 39 BB 10 1C 2D 2D BE F2 53 1E 63 B2 23 A6 C7`

SCEP Signing Intermediate CA

Property	Value
Name	IRONWIFI SCEP Signing Intermediate Certificate Authority
SHA256 Fingerprint	`85 49 95 9A F1 F4 B4 8F 9A D5 A1 F9 95 D7 E4 C5 17 81 E4 BD 6C 23 70 C6 78 87 09 85 C0 2B 5B 24`

Client Signing Intermediate CA

Property	Value
Name	IRONWIFI Client Signing Intermediate Certificate Authority
SHA256 Fingerprint	`55 19 EB 89 A2 CF A7 6D 7C FD 0A 27 8F 31 2B 1E 27 F8 D8 E8 91 93 20 BE 90 15 9E 0D 26 EB 35 B2`

RadSec Signing Intermediate CA

Property	Value
Name	IRONWIFI RadSec Signing Intermediate Certificate Authority
SHA256 Fingerprint	`48 2F 06 21 E1 BA 25 5F 66 1B 6A C0 3D 81 18 18 F7 09 5C 29 04 A3 53 EB 65 AD F6 DC F7 AD FC 79`

Signing Intermediate CA

Property	Value
Name	IRONWIFI Signing Intermediate Certificate Authority
SHA256 Fingerprint	`B2 FA B1 11 F0 CB EB 53 C0 94 4A 67 F1 C0 03 28 74 69 68 E0 94 95 27 61 56 51 2D 40 A7 AD C0 6B`

Verifying Certificate Fingerprints

Windows

certutil -hashfile certificate.crt SHA256

macOS / Linux

openssl x509 -in certificate.crt -noout -fingerprint -sha256

Browser

Click the padlock icon in the address bar
View certificate details
Find SHA-256 fingerprint in certificate info

SCEP Integration

The Simple Certificate Enrollment Protocol (SCEP) allows devices to automatically enroll for certificates:

Device sends Certificate Signing Request (CSR) to SCEP URL
SCEP server validates request using shared secret
Request is forwarded to KMS for signing
Signed certificate is returned to device

SCEP URL Format

https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates/scep

note

For Windows/Intune profiles, remove /scep from the URL as Intune appends it automatically.

Required Parameters

Parameter	Description	Example
`region`	Your data residency region	`us-east1`, `console`, `asia-northeast1`
`owner_id`	Your IronWifi account identifier	Found in console URL

Downloading CA Certificates

Log in to the IronWifi Console
Navigate to Account > Certificates
Download the required certificates:
- IronWifi CA Certificate - For SCEP profiles
- Trusted RADIUS Server Certificate - For WiFi profiles

SCEP & PKI Integration - Step-by-step SCEP setup guide
Intune Integration - Microsoft Intune configuration
Jamf Integration - Jamf Pro configuration

Architecture Overview​

Security Features​

HSM-Based Key Management​

API Security​

Certificate Authority Hierarchy​

Root Certificate Authority​

Intermediate Certificate Authorities​

Certificate Fingerprints​

Root CA​

SCEP Signing Intermediate CA​

Client Signing Intermediate CA​

RadSec Signing Intermediate CA​

Signing Intermediate CA​

Verifying Certificate Fingerprints​

Windows​

macOS / Linux​

Browser​

SCEP Integration​

SCEP URL Format​

Required Parameters​

Downloading CA Certificates​

Related Documentation​