The OpenLAN Community's Journey to PKI 2.0


From DigiCert to Insta — How an Open Community Rebuilt Its Trust Infrastructure


In January 2024, the OpenLAN community embarked on one of its most ambitious infrastructure programs to date: PKI 2.0 — a complete overhaul of the certificate management framework that underpins device identity, controller trust, and zero-touch provisioning across the entire ecosystem.


What started as a response to DigiCert certificates approaching end-of-life became a community-wide transformation — spanning requirements gathering, protocol selection, vendor evaluation, tooling development, infrastructure buildout, and live migration of thousands of devices worldwide.



The Challenge: End-of-Life for PKI 1.0

Under PKI 1.0, OpenLAN relied on DigiCert as its CA, with the TIP Certificate Portal managing certificate issuance. This legacy model had critical limitations:

  • DigiCert certificates reaching expiry, with the lookup service scheduled for decommission by March 2026

  • No automated certificate enrollment or renewal protocol

  • Controller discovery tightly coupled to DigiCert's infrastructure

  • No standardized mechanism for air-gapped deployments

  • Fragile device portability between controller vendors

The community recognized that a fundamental redesign was needed — not just a vendor renewal.


Phase 1: Requirements & Protocol Selection (Jan – Jun 2024)

The PKI working group kicked off on January 8, 2024, led by Steve Martin's presentation on the state of the Root CA and controller lookup. Over the following months, the community held weekly calls to define requirements, debate architecture, and identify champions.

Key contributors: 

  • Paul White (Shasta Cloud): call flow design & EST proposal

  • Charlie Allgrove (GlobalReach): birth cert vs. key-based identity, Hardware GUID approach

  • Scott Kamp & Marcel Chenier (NetExperience): PoC for air-gapped and global flows

  • Jack Raynor (NetExperience): facilitation & documentation

  • Dan Pitt (Join Digital) & Stephane Bourque (Arilia Wireless): simplified CA resolution

  • Jaspreet Sachdev (Kinara Systems): requirements coordination

  • Doron Givoni (Shasta Cloud): governance & onboarding

A pivotal decision came in May 2024: the community initially explored ACME but discovered its TLS challenge required devices to expose an open port — a non-starter for field APs. Paul White then presented EST (Enrollment over Secure Transport, RFC 7030), which became the protocol of choice — allowing devices to securely enroll using their birth certificate, with no open ports required.

The community established the two-certificate model:

  • Birth Certificates — Embedded at factory, 10-year validity

  • Operational Certificates — Obtained dynamically via EST post-deployment, 5-year validity


Phase 2: Vendor Evaluation & Selection (May – Sep 2024)

An RFP was issued to six vendors: DigiCert, Entrust, Keyfactor, GlobalReach, Optim, and Insta — covering Root CA, EST support, cloud discovery, SLA, and cost. By September 2024, after revised pricing and technical evaluation, Insta was selected as the official PKI provider.


The community also made the strategic decision to decouple the controller discovery service from the CA — a major architectural improvement that became the Cloud Discovery Service (CDS).


Phase 3: Infrastructure Buildout (Oct 2024 – May 2025)


All PKI 2.0 components were built out in parallel:

Insta CA Infrastructure

  • CA Ceremony completed May 14, 2025 — establishing the OpenLAN Root CA and three Issuing CAs (Birth, Device, Server)

  • 20-year CA validity for long-term stability

  • Certificate Policy (CP) went through 9+ community review iterations before final approval

  • Production endpoints deployed across 4 global regions: Virginia, California, Ireland, Singapore

  • New domain open-lan.org registered for all PKI 2.0 endpoints


Cloud Discovery Service (CDS)

Designed by Varma Chanderraju, Ivan Chvets, and Carsten Schafer as a fully serverless architecture on AWS (API Gateway + Lambda + DynamoDB):

  • mTLS-secured device lookup, RBAC with four role levels

  • Organization management, API keys, and MAC-to-controller mapping via OpenAPI REST

  • Pay-per-use model minimizing operational overhead


PKI Tools & EST Client

  • https://github.com/Telecominfraproject/openlan-pki-tools — Python package replacing the legacy TIP Certificate Portal

  • EST client ported to APNOS using Cisco's open-source libest

  • Automatic re-enrollment at 2/3 of certificate lifetime

  • Re-enroll command added to the ucentral-schema SDK
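As an added illustration (not code from openlan-pki-tools or the APNOS libest port), the following sketch shows how the two-certificate model from Phase 1 and the 2/3-of-lifetime re-enrollment rule above combine into a device-side EST client decision: which certificate to present over mTLS, and which RFC 7030 resource to post the CSR to. Certificate validity windows are constructed inline rather than parsed from PEM, and the fallback to the birth certificate when the operational certificate has lapsed is an assumption drawn from the migration section.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RFC 7030 well-known EST resource paths; the server host is out of scope here.
EST_PATHS = {"enroll": "/.well-known/est/simpleenroll",
             "reenroll": "/.well-known/est/simplereenroll"}
RENEW_FRACTION = 2 / 3  # re-enroll once two thirds of the certificate lifetime has elapsed


@dataclass
class CertInfo:
    """Validity window of a device certificate (constructed; a real client parses the PEM)."""
    not_before: datetime
    not_after: datetime

    def is_valid(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after

    def lifetime_elapsed(self, now: datetime) -> float:
        total = (self.not_after - self.not_before).total_seconds()
        return (now - self.not_before).total_seconds() / total


@dataclass
class EstAction:
    operation: str        # "enroll", "reenroll" or "none"
    client_cert: str      # identity presented over mTLS: "birth" or "operational"
    path: Optional[str]   # EST resource to POST the CSR to; None when nothing is due


def plan_est_action(birth: CertInfo, operational: Optional[CertInfo], now: datetime) -> EstAction:
    """First enrollment authenticates with the factory birth cert; routine renewal presents the
    current operational cert to simplereenroll once 2/3 of its lifetime has elapsed. An expired
    operational cert means falling back to the birth cert (assumption); if that is invalid too,
    EST cannot help and the device needs the recovery path."""
    if operational is None or not operational.is_valid(now):
        if not birth.is_valid(now):
            raise RuntimeError("no valid certificate for EST authentication; use the recovery path")
        return EstAction("enroll", "birth", EST_PATHS["enroll"])
    if operational.lifetime_elapsed(now) >= RENEW_FRACTION:
        return EstAction("reenroll", "operational", EST_PATHS["reenroll"])
    return EstAction("none", "operational", None)


if __name__ == "__main__":
    utc = timezone.utc
    birth = CertInfo(datetime(2025, 6, 1, tzinfo=utc), datetime(2035, 6, 1, tzinfo=utc))  # 10y
    oper = CertInfo(datetime(2025, 7, 1, tzinfo=utc), datetime(2030, 7, 1, tzinfo=utc))   # 5y
    print(plan_est_action(birth, oper, datetime(2029, 1, 1, tzinfo=utc)))  # past 2/3: reenroll
```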


Phase 4: Testing & Migration (Jun 2025 – Present)

Comprehensive Test Plans

Dedicated test plans for APs and OLS switches covering: birth cert validation, CSR generation, EST enroll/re-enroll, certificate persistence across reboots/factory resets, upgrade/downgrade compatibility (2.x → 3.x → 4.x), dual-boot support, and CRL/OCSP validation.

Migration Paths Validated

  • 3.x GA → v4.1 PKI 2.0

  • 4.0 GA → v4.1 RC3

  • DigiCert (PKI 1.0) → Insta (PKI 2.0) — existing DigiCert certs serve as birth certificates for initial EST enrollment

Special Device Considerations

A dedicated effort catalogued WiFi 5/6/7 devices with varying flash types (NOR, NAND, eMMC) and certificate partition formats across CyberTAN, HFCL, EdgeCore, Yuncore, Indio, and others.

Recovery Planning

Two recovery paths designed for devices that miss the migration window:

  1. Device Rescue Kit (Offline) — Self-contained, air-gapped recovery tool

  2. Full Cloud Recovery Path — Community Rescue Controller in AWS, accepting expired DigiCert certificates to guide devices through firmware upgrade and EST enrollment


By the Numbers

Metric                        Value
Program duration              2+ years (Jan 2024 – present)
Community calls held          40+ dedicated PKI sessions
Vendors evaluated             6
CA hierarchy                  Root CA → 3 Issuing CAs (Birth, Device, Server)
Certificate validity          Birth: 10y, Operational: 5y, Controller: 3y, CA: 20y
Global regions                4 (Virginia, California, Ireland, Singapore)
Migration paths validated     3 (3.x→4.1, 4.0→4.1, DigiCert→Insta)
Open-source repos published   openlan-pki-tools, openlan-cds
Device families covered       WiFi 5, WiFi 6, WiFi 7 — APs and switches


What Made This Possible


PKI 2.0 is a testament to what an open, collaborative community can achieve. ODMs, controller vendors, solution providers, and operators came together across time zones to define ecosystem-wide requirements, run a transparent RFP process, build open-source tooling, test across dozens of hardware SKUs, and plan recovery scenarios that protect every device in the field.

The result: a secure, scalable, and automated PKI framework that will serve OpenLAN for the next decade.


Beyond the core PKI redesign, the community also closed several critical ecosystem gaps. Air-gapped deployments are now fully supported, allowing operators to run OpenLAN PKI 2.0 in environments with no external connectivity. Controller migration has been validated end-to-end, enabling networks to move between controller vendors without breaking device identity or trust. We also delivered end-to-end MAC traceability, tying device certificates, discovery data, and controller assignment back to a single hardware identity. Finally, we built and tested a robust recovery path for devices that missed the migration window, including both an offline rescue kit and a cloud-based recovery flow, ensuring that even “stranded” DigiCert devices can be brought safely into PKI 2.0.

To all the community members who contributed — thank you. PKI 2.0 is your achievement.

