X.509

Protocols & Standards

X.509 is an international standard for the format of public key certificates. In MDM, X.509 certificates are used for HTTPS server authentication, client authentication (for Wi-Fi/VPN), APNs push notification authorization, and code signing.

What to Know

X.509 certificates are the foundation of trust in digital communications, binding public keys to identities through cryptographic signatures from trusted certificate authorities. Every HTTPS connection, including all MDM traffic, relies on X.509 server certificates to verify server identity and prevent man-in-the-middle attacks. Client certificates enable strong authentication for network access (802.1X Wi-Fi, VPN) without passwords, improving security while reducing credential management overhead. Certificate-based authentication also enables automated authentication for devices and services without human intervention.

X.509’s hierarchical trust model allows organizations to issue certificates from internal CAs while maintaining trust through root certificates installed on devices. Certificate fields (subject name, validity period, key usage) constrain how certificates can be used, preventing misuse. However, certificate lifecycle management is critical: expired certificates break connectivity, revocation status must be checked via OCSP or CRLs, and private key compromise requires immediate certificate revocation and reissuance. Organizations must track certificate expiration across all systems and implement automated renewal processes to prevent outages.

Common Scenarios

Enterprise IT: Corporate MDM servers present X.509 certificates for HTTPS authentication, with IT monitoring expiration dates and coordinating renewals before certificates expire. Client certificates are deployed via MDM for 802.1X Wi-Fi authentication and VPN access, enabling password-less network access with certificate-based authentication. IT must maintain certificate infrastructure (internal CA or public CA relationships), track certificate inventory across the estate, and implement certificate revocation procedures for compromised or retired devices. APNs certificates require annual renewal, with strict attention to expiration dates as there is no grace period.

MSP: MSPs manage certificate lifecycles for hosted MDM infrastructure and client-deployed certificates, implementing automated renewal workflows to prevent certificate expiration outages. Multi-client deployments require tracking certificates across diverse client environments, with different CAs, validity periods, and renewal schedules per client. MSPs should implement certificate expiration monitoring with proactive alerts 30-60 days before expiration, providing sufficient time for renewal coordination with clients. Certificate deployment automation via MDM profiles eliminates manual certificate distribution to individual devices.

Education: School districts deploy X.509 certificates for student device Wi-Fi authentication, typically issuing per-device certificates that identify individual devices on the network. Education IT must balance certificate validity periods (longer periods reduce renewal frequency, shorter periods limit compromise exposure) with operational capabilities for certificate renewal and redistribution. Public CA certificates for MDM servers simplify deployment by eliminating internal CA root certificate distribution to BYOD devices. Certificate-based authentication eliminates Wi-Fi password sharing among students while enabling network access control.
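
The expiration monitoring described in the MSP scenario above (alerts 30-60 days before expiry) can be expressed with `openssl x509 -checkend`. This is an added example, not Addigy tooling or code from the original page; the function names, file names and the `sample.example.test` CN are assumptions, and the certificates are constructed locally.

```shell
# Added example: classify certificates by time left before notAfter.
# POSIX sh + the openssl CLI; thresholds default to the 60/30-day alert window.

# make_sample_cert <out.pem> <days>: constructed self-signed certificate
# (hypothetical CN) standing in for one exported from a real inventory.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=sample.example.test" 2>/dev/null
  rm -f "$1.key"
}

# still_valid_in <cert.pem> <days>: true if the cert is unexpired <days> from now.
# `-checkend N` exits 0 only when notAfter is more than N seconds away.
still_valid_in() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_expiry_status <cert.pem> [warn_days] [crit_days]
# Prints EXPIRED, CRITICAL, WARN or OK; returns 2 if the file is not a parseable cert.
cert_expiry_status() {
  ces_warn=${2:-60}; ces_crit=${3:-30}
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  if   ! still_valid_in "$1" 0;           then echo EXPIRED
  elif ! still_valid_in "$1" "$ces_crit"; then echo CRITICAL
  elif ! still_valid_in "$1" "$ces_warn"; then echo WARN
  else echo OK
  fi
}

# expiry_report <cert.pem>...: one line per certificate, for a cron job or alert feed.
expiry_report() {
  for er_cert in "$@"; do
    er_status=$(cert_expiry_status "$er_cert") || er_status=UNREADABLE
    er_end=$(openssl x509 -in "$er_cert" -noout -enddate 2>/dev/null | cut -d= -f2)
    printf '%-10s %s (notAfter: %s)\n' "$er_status" "$er_cert" "${er_end:-n/a}"
  done
}

# Demo on constructed certificates generated locally.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/mdm-server.pem" 365
make_sample_cert "$demo_dir/wifi-client.pem" 45
make_sample_cert "$demo_dir/vpn-client.pem" 10
expiry_report "$demo_dir"/*.pem
rm -rf "$demo_dir"
```

Passing different thresholds, for example `cert_expiry_status cert.pem 30 7`, suits short-lived client certificates where a 60-day warning would fire for most of the certificate's lifetime.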

In Addigy

Addigy’s cloud infrastructure uses industry-standard X.509 certificates trusted by all Apple devices, with automatic certificate lifecycle management handled by Addigy. Administrators can deploy X.509 client certificates to managed devices through PKCS#12 certificate profiles or SCEP automatic enrollment, enabling certificate-based authentication for Wi-Fi, VPN, and applications. Addigy supports deploying trusted root certificates to establish trust for internal CAs or specific services.

Addigy tracks deployed certificate expiration dates and provides visibility into certificate status across the managed fleet, helping admins identify devices with approaching certificate expiration. Addigy’s APNs certificate management includes expiration notifications and guided renewal workflows, preventing service disruptions from expired APNs certificates. When troubleshooting certificate-related issues, Addigy support can analyze certificate validation errors and help admins identify trust chain problems, expiration issues, or hostname mismatches causing connectivity failures.

Also Known As

  • X.509 Certificates
  • PKI Certificates
  • Digital Certificates