By NHI Mgmt Group Editorial TeamPublished 2026-03-16Domain: Governance & RiskSource: Cybertrust Japan

TL;DR: Using a device certificate held on the endpoint, the article shows that Cato Cloud can require client certificate authentication before a managed device is treated as connected, reducing reliance on password-only access and aligning endpoint trust with device identity, according to Cybertrust Japan. The pattern reinforces certificate-based access control as a practical Zero Trust control for endpoint governance, not just a network feature.


At a glance

What this is: This is a walkthrough of client certificate authentication on managed endpoints, showing how endpoint trust can be bound to device-held certificates before access is permitted.

Why it matters: It matters because IAM and device-security teams need to understand how certificate-based endpoint verification changes access decisions for non-human and human workflows alike.

👉 Read Cybertrust Japan's walkthrough of client certificate authentication on managed endpoints


Context

Client certificate authentication is a device trust pattern, not just a login step. In this case, the endpoint must present a device certificate before the access path is treated as valid, which shifts the control point from network location to device identity.

That matters for IAM and endpoint governance because certificate-based checks can narrow access to managed, pre-enrolled devices and reduce dependence on weaker assumptions about where a user connects from. It also shows how Zero Trust ideas become operational when device identity is made a first-class control plane.

The article is typical of organisations trying to move from perimeter trust to device-bound verification, especially where remote access and managed endpoints need a more explicit trust decision.


Key questions

Q: How should security teams use client certificates for endpoint access control?

A: Use client certificates as one trust signal, not the only one. Require the certificate to prove device enrollment, then add posture checks, user identity, and application policy before granting access. That approach works best when certificate issuance, renewal, and revocation are governed as part of the endpoint lifecycle, not handled as ad hoc administration.

Q: Why do client certificates improve Zero Trust endpoint governance?

A: They replace implicit trust with a verifiable device identity check at connection time. That helps Zero Trust because the endpoint must prove it is an enrolled asset before reaching the trusted path. The limitation is that certificate possession does not guarantee the device is healthy, so additional policy still matters.

Q: What breaks when certificate lifecycle governance is weak?

A: Access control becomes unreliable when expired, orphaned, or unrevoked certificates remain active. In that situation, a device can continue to look trusted long after ownership has changed or the endpoint should no longer connect. Weak lifecycle governance turns a strong control into a persistent access risk.

Q: Who is accountable for endpoint certificate governance in IAM programmes?

A: Accountability should sit with the team that owns device identity and access policy, usually across IAM, endpoint management, and security operations. The key is clear ownership for issuance, revocation, inventory, and exception handling. Without that ownership, certificate-based access becomes difficult to audit and harder to defend.


Technical breakdown

Client certificate authentication on endpoints

Client certificate authentication uses a certificate stored on the device to prove that the endpoint is enrolled and trusted. Instead of relying on passwords alone, the access policy checks whether the connecting client can present a valid certificate issued by the organisation's certificate authority or provisioning workflow. That makes the endpoint itself part of the trust decision. In practice, this is a device identity control, not a user authentication control, even though it often complements both. It is strongest when paired with device posture checks, certificate lifecycle management, and explicit policy enforcement at connection time.

Practical implication: treat endpoint certificates as governed identity assets with issuance, expiry, and revocation controls.

Device identity and Zero Trust access control

Zero Trust requires each access request to be evaluated on evidence, not assumed trust. Device certificates give one piece of that evidence by proving the endpoint is an enrolled asset, but the certificate alone does not prove the device is healthy, uncompromised, or properly authorised for every application. That is why certificate-based checks are usually part of a broader access policy that can also include device posture, user identity, and application context. The important architectural shift is that access becomes conditional on the device presenting a verifiable identity before it joins the trusted path.

Practical implication: combine certificate checks with posture and policy controls instead of treating certificates as a complete trust model.


NHI Mgmt Group analysis

Device certificates turn endpoint trust into an identity governance problem. Once a client certificate becomes the gate to connectivity, the lifecycle of that certificate matters as much as the endpoint itself. Issuance, renewal, revocation, and replacement are now access decisions, not just technical administration tasks. That means endpoint trust should be governed with the same discipline applied to other machine identities, with clear ownership and expiry handling.

Zero Trust for endpoints fails when device identity is treated as static. A certificate proves enrollment at a point in time, not ongoing trust for every session or every application. If the endpoint is compromised after enrollment, the certificate can still open the door unless policy evaluates more than possession. Practitioners should read this as a warning that one-time proof of device identity is only a starting point.

Certificate-based access exposes the hidden lifecycle burden behind modern access control. The article shows how easily organisations can move from password-centric access to certificate-centric access without changing their operational model. That shift increases pressure on inventory, renewal, revocation, and ownership processes. The practitioner conclusion is simple: device certificates are effective only when lifecycle governance is treated as core access infrastructure.

Managed endpoints and service identities are converging around the same control pattern. Whether the subject is a laptop certificate, a workload certificate, or another NHI credential, the governance question is identical: who owns it, when does it expire, and how is it revoked. That cross-domain similarity is where IAM, endpoint management, and NHI governance start to intersect in practical programmes.

Endpoint certificate programmes need measurable trust boundaries, not just deployment coverage. A rollout that installs certificates on every device can still leave organisations with weak assurance if revocation is slow, ownership is unclear, or unmanaged endpoints remain in circulation. The real benchmark is whether certificate presence actually defines the access boundary. Practitioners should measure control effectiveness, not installation volume.

From our research:

What this signals

Certificate-based endpoint trust will keep failing operationally unless ownership is explicit. When machine identity inventories are incomplete, certificate enforcement becomes harder to audit and even harder to revoke cleanly. That is the governance pattern here: access control is only as strong as the inventory behind it, and the broader NHI lifecycle gap is already visible across programmes.

Device certificates should be treated as identity assets with measurable lifecycle health. If renewal, replacement, and revocation are not tracked the same way as other access entitlements, endpoint trust degrades over time. Practitioners should expect certificate governance to converge with IAM, endpoint management, and NHI controls rather than sit beside them.

The next programme decision is not whether to use certificates, but whether certificate trust can be administered at scale without manual exception handling. Where that answer is no, the control boundary is already weaker than the architecture diagram suggests.


For practitioners

  • Map certificate ownership to device lifecycle ownership Assign a named owner for every endpoint certificate class, including issuance, renewal, replacement, and revocation responsibility. Keep the certificate inventory aligned to the device inventory so orphaned credentials do not linger after reimaging, decommissioning, or reassignment.
  • Require certificate validation before trusted access Configure access policy so a device certificate is required before the endpoint is treated as connected. Pair that requirement with device posture checks so possession of a valid certificate does not become the only trust signal.
  • Shorten revocation and expiry handling windows Review how quickly invalid, expired, or reassigned device certificates are removed from the access path. Certificate-based access weakens when expired credentials remain usable or when renewal processes are manual and inconsistent.
  • Tie remote access policy to managed devices only Limit certificate-based access to managed endpoints that can be monitored, refreshed, and revoked through standard controls. Treat unmanaged devices as a separate risk class with different authentication expectations.

Key takeaways

  • Client certificate authentication shifts endpoint trust from perimeter assumptions to device identity checks.
  • Machine identity inventory and certificate lifecycle control determine whether that trust model is auditable.
  • Organisations that cannot manage issuance, renewal, and revocation cleanly should expect endpoint trust gaps to persist.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03This article centres on certificate lifecycle and machine identity governance.
NIST CSF 2.0PR.AC-1Access control depends on authenticated devices before connectivity is granted.
NIST Zero Trust (SP 800-207)The article applies Zero Trust to managed endpoint access decisions.
NIST SP 800-53 Rev 5IA-5Certificates are authenticators that require disciplined lifecycle management.

Review endpoint certificate handling against NHI-03 and ensure issuance, renewal, and revocation are controlled.


Key terms

  • Client Certificate Authentication: A device authentication method that requires the endpoint to present a valid certificate before access is allowed. In identity terms, it proves device enrollment and trust at a point in time, but it does not by itself prove the device remains healthy or uncompromised during the session.
  • Device Identity: The identity assigned to an endpoint so systems can recognise it as a managed asset. In practice, device identity is governed through certificates, enrollment, inventory, and revocation, which makes it a lifecycle control as much as an authentication mechanism.
  • Certificate Lifecycle Management: The process of issuing, renewing, tracking, replacing, and revoking certificates throughout their life. For endpoint access, it is the difference between a strong trust signal and a stale credential that continues to grant access after it should no longer be valid.

What's in the full article

Cybertrust Japan's full blog post covers the operational setup this post intentionally leaves at a higher level:

  • The Cato Cloud configuration sequence used to require device certificates at connection time.
  • The specific profile and policy settings used to make client certificate authentication mandatory.
  • The practical connection test that confirmed endpoints without the certificate could not connect.
  • The portable trial setup described for testing the control on a small number of devices.

👉 The full Cybertrust Japan post covers the setup flow, policy changes, and connection test results.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org