TL;DR: Using a device certificate held on the endpoint, the article shows that Cato Cloud can require client certificate authentication before a managed device is treated as connected, reducing reliance on password-only access and aligning endpoint trust with device identity, according to Cybertrust Japan. The pattern reinforces certificate-based access control as a practical Zero Trust control for endpoint governance, not just a network feature.
NHIMG editorial — based on content published by Cybertrust Japan: client certificate authentication on managed endpoints with Cato Cloud and Device ID
Questions worth separating out
Q: How should security teams use client certificates for endpoint access control?
A: Use client certificates as one trust signal, not the only one.
Q: Why do client certificates improve Zero Trust endpoint governance?
A: They replace implicit trust with a verifiable device identity check at connection time.
Q: What breaks when certificate lifecycle governance is weak?
A: Access control becomes unreliable when expired, orphaned, or unrevoked certificates remain active.
Practitioner guidance
- Map certificate ownership to device lifecycle ownership Assign a named owner for every endpoint certificate class, including issuance, renewal, replacement, and revocation responsibility.
- Require certificate validation before trusted access Configure access policy so a device certificate is required before the endpoint is treated as connected.
- Shorten revocation and expiry handling windows Review how quickly invalid, expired, or reassigned device certificates are removed from the access path.
What's in the full article
Cybertrust Japan's full blog post covers the operational setup this post intentionally leaves at a higher level:
- The Cato Cloud configuration sequence used to require device certificates at connection time.
- The specific profile and policy settings used to make client certificate authentication mandatory.
- The practical connection test that confirmed endpoints without the certificate could not connect.
- The portable trial setup described for testing the control on a small number of devices.
👉 Read Cybertrust Japan's walkthrough of client certificate authentication on managed endpoints →
Client certificate authentication on managed endpoints: are controls keeping up?
Explore further
Device certificates turn endpoint trust into an identity governance problem. Once a client certificate becomes the gate to connectivity, the lifecycle of that certificate matters as much as the endpoint itself. Issuance, renewal, revocation, and replacement are now access decisions, not just technical administration tasks. That means endpoint trust should be governed with the same discipline applied to other machine identities, with clear ownership and expiry handling.
A few things that frame the scale:
- 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
- Only 38% have automated certificate lifecycle management in place, which leaves renewal and revocation exposed to manual failure.
A question worth separating out:
Q: Who is accountable for endpoint certificate governance in IAM programmes?
A: Accountability should sit with the team that owns device identity and access policy, usually across IAM, endpoint management, and security operations. The key is clear ownership for issuance, revocation, inventory, and exception handling. Without that ownership, certificate-based access becomes difficult to audit and harder to defend.
👉 Read our full editorial: Client certificate authentication on endpoints: what changes for IAM