Passwordless Device Identity-Aware Network Access with Hardware-Rooted Security.
Eliminate the security risks associated with SCEP and shared passwords. BastionXP automates certificate-based authentication for WiFi and VPNs, using hardware-rooted attestation. BastionXP ensures only verified, corporate-approved devices can access your network.
Hardware-Backed Trust for the Modern Perimeter
Identity is only as secure as the hardware it lives on. BastionXP anchors your digital certificates to the physical silicon of your fleet, ensuring only genuine, corporate-issued devices can ever touch your network.
Hardware-Rooted Device Attestation
Verify the Silicon, Not Just the Software. BastionXP challenges the device to prove its identity using its TPM (Trusted Platform Module) or Apple Secure Enclave. The device answers with a signature from an attestation key that the silicon vendor certified at manufacture, so BastionXP can confirm the request comes from a genuine, corporate-issued asset rather than a virtual machine posing as one.
Immutable Device Identity
Non-Exportable, Hardware-Bound Keys. Unlike a typical SCEP or manual enrollment, the private key is generated inside the TPM or Secure Enclave and marked non-exportable. It cannot be copied off the device, so a certificate is usable only together with the physical machine that holds it. Malware running on that machine can still ask the hardware to sign, which is why attestation is paired with the posture checks that follow.
Continuous Posture Verification
Trust is Earned, Then Re-Verified. Device identity isn't a one-time event. BastionXP repeats the attestation check at every certificate renewal, and the certificates it issues are short-lived. If a device's security posture changes, or its hardware integrity check fails, renewal is refused and the device's access lapses automatically instead of persisting until someone notices.
Secure Onboarding & Auto-Enrollment
Zero-Touch Deployment via ACME. Eliminate manual CSRs and shared secrets. Using the ACME protocol with the device-attest-01 challenge type from the ACME Device Attestation extension, BastionXP automates the entire device onboarding process. New corporate devices receive their hardware-backed identity silently and securely, with zero user intervention.
Phishing-Resistant Authentication
The Ultimate Defense Against Credential Theft. Authentication requires a signature from a key that exists only inside the corporate device, so a phished password or an intercepted one-time code is not enough on its own. Even if an employee's credentials are stolen, the attacker cannot reach your VPN, Wi-Fi, or SaaS apps without the physical, attested corporate device.
Unified Fleet Visibility
Inventory-Backed Access Control. Gain a single-pane-of-glass view of every attested device in your fleet. BastionXP records the hardware serial number, TPM version, and OS metadata reported during attestation, so you can write granular access policies against the attributes of your hardware inventory, for example refusing a certificate to any serial number you did not purchase.
The SCEP Era is Over
For two decades, SCEP was the industry workhorse. But in a world of sophisticated supply-chain attacks and mobile-first workforces, enrollment gated by a pre-shared password is a security risk. If you are still using SCEP to onboard devices to your VPN, Wi-Fi, or SaaS apps, you aren't practicing Zero Trust; you're practicing Best-Guess Security.
The Static Secret Problem
SCEP gates enrollment with a static challenge password. It is pushed to devices in MDM profiles, is often shared across an entire fleet, and can be read by anyone who can inspect a profile or a log, including departing staff. Once leaked, any device can request a trusted certificate, and the CA has no way to tell a corporate laptop from an attacker's virtual machine.
Software Keys are Exportable Keys
SCEP neither requires nor proves that the private key lives in hardware. A key generated in software can be exported, cloned, and moved to unauthorized hardware, so a single stolen SCEP-issued certificate opens your perimeter to persistent access that is hard to trace back to any one device.
No Cryptographic Proof of Hardware
SCEP has no mechanism to verify a TPM or Secure Enclave; it simply assumes the enrolling device is legitimate. Against deliberate device spoofing, the enrollment password is the only thing standing between an attacker and a trusted certificate.
Zero Trust for the Modern Perimeter
Traditional VPNs and Wi-Fi networks are often the weakest links. BastionXP turns every device into its own secure perimeter using TPM/Secure Enclave attestation.
Corporate VPN & ZTNA
Eliminate credential stuffing. BastionXP issues short-lived, ACME-automated certificates that prove the device’s integrity before the VPN tunnel ever opens.
Enterprise Wi-Fi (802.1X)
Seamlessly onboard corporate laptops and mobiles. Use ACME to rotate certificates automatically, ensuring only managed, healthy devices can join your airwaves.
SaaS & Cloud Apps
Bridge the gap between the browser and the hardware. Use device attestation as a primary factor for SSO & mTLS, ensuring your data stays within corporate-owned assets.
BastionXP ACME Device Attestation
BastionXP doesn't just simplify and automate your certificate management; it gives you the confidence that only 'known-good' hardware has access to your infrastructure.
Request: The device requests a certificate via the ACME protocol.
Attestation: BastionXP challenges the device to prove its identity using its hardware root of trust (TPM/Secure Enclave) via the ACME challenge type Device Attestation (device-attest-01).
Verification: BastionXP verifies the signature produced by the hardware root of trust (TPM/Secure Enclave) and checks that the attestation certificate chains to the manufacturer's CA.
Issuance: Once verified, BastionXP issues a short-lived, cryptographically-signed certificate.
Access: The device uses this certificate to instantly authenticate to your VPN, Wi-Fi, or SaaS apps.
Storage: The device private key is generated inside the TPM/Secure Enclave and never leaves it.
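The six steps above, as an added example that is not BastionXP's code: a self-contained Go model of the device-attest-01 exchange with both sides in one process. It simplifies the draft: the device signs SHA-256(token) together with its new public key using a vendor-certified attestation key, instead of producing a CBOR attestation object in the tpm or apple format, and the vendor CA, serial numbers and challenge token are all constructed for the example. The Verify routine also applies the inventory policy described under Unified Fleet Visibility: a genuine device that is not in the corporate inventory gets no certificate, and neither does a VM presenting an attestation from a CA the issuer does not trust.

```go
// Added example (not BastionXP code): simplified device-attest-01 round trip, both sides in one process.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Attestation is the device's challenge response (the real draft carries a CBOR attestation object).
type Attestation struct {
	Serial  string   // hardware serial the device claims
	AttCert []byte   // DER attestation-key certificate, chained to the vendor CA
	DevPub  []byte   // DER SubjectPublicKeyInfo of the new hardware-bound key
	Nonce   [32]byte // SHA-256 of the ACME challenge token
	Sig     []byte   // ECDSA signature by the attestation key over binding(Nonce, DevPub)
}

func check(err error) { if err != nil { panic(err) } }
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err)
	return k
}
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer); check(err)
	c, err := x509.ParseCertificate(der); check(err)
	return c
}

func template(serial int64, name pkix.Name, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: name, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// binding is the message the attestation key signs: this challenge's nonce plus the new public key.
func binding(nonce [32]byte, spki []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce[:]...), spki...))
	return d[:]
}

// Vendor models a silicon vendor (TPM maker, Apple) whose CA certifies each device's attestation key at manufacture.
type Vendor struct{ key *ecdsa.PrivateKey; Root *x509.Certificate }
func NewVendor(name string) *Vendor {
	k, t := newKey(), template(1, pkix.Name{CommonName: name}, true)
	return &Vendor{k, mkCert(t, t, &k.PublicKey, k)}
}

// Device holds its vendor-certified attestation key; on real hardware it never leaves the TPM/Secure Enclave.
type Device struct{ serial string; attKey *ecdsa.PrivateKey; attCert *x509.Certificate }
func (v *Vendor) Manufacture(serial string) *Device {
	ak := newKey()
	return &Device{serial, ak, mkCert(template(2, pkix.Name{SerialNumber: serial}, false), v.Root, &ak.PublicKey, v.key)}
}

// Respond generates a fresh device key and proves, with the attestation key, that this key and this token belong together.
func (d *Device) Respond(token string) (*Attestation, *ecdsa.PrivateKey) {
	devKey := newKey()
	spki, err := x509.MarshalPKIXPublicKey(&devKey.PublicKey); check(err)
	nonce := sha256.Sum256([]byte(token))
	sig, err := ecdsa.SignASN1(rand.Reader, d.attKey, binding(nonce, spki)); check(err)
	return &Attestation{d.serial, d.attCert.Raw, spki, nonce, sig}, devKey
}

// CA is the enterprise issuer: the vendor roots it trusts plus the corporate device inventory.
type CA struct{ Roots *x509.CertPool; Inventory map[string]bool }

// Verify is the server side of the challenge: chain, signature, nonce, then policy. Any failure means no certificate.
func (ca *CA) Verify(token string, a *Attestation) (string, error) {
	cert, err := x509.ParseCertificate(a.AttCert)
	if err != nil { return "", err }
	opts := x509.VerifyOptions{Roots: ca.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return "", fmt.Errorf("untrusted attestation chain: %w", err) }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return "", fmt.Errorf("unsupported attestation key type") }
	if !ecdsa.VerifyASN1(pub, binding(a.Nonce, a.DevPub), a.Sig) { return "", fmt.Errorf("attestation signature invalid") }
	if a.Nonce != sha256.Sum256([]byte(token)) { return "", fmt.Errorf("nonce does not match this challenge (replay?)") }
	if cert.Subject.SerialNumber != a.Serial || !ca.Inventory[a.Serial] { return "", fmt.Errorf("serial %q not in corporate inventory", a.Serial) }
	return a.Serial, nil // issuance may now proceed for DevPub, with Serial recorded in the certificate
}

func main() {
	vendor := NewVendor("Example TPM Vendor CA (constructed)")
	ca := &CA{x509.NewCertPool(), map[string]bool{"LAP-0001": true}}
	ca.Roots.AddCert(vendor.Root)
	good, _ := vendor.Manufacture("LAP-0001").Respond("tok-1") // token constructed; a real one comes from the ACME authorization
	rogue, _ := NewVendor("Rogue VM").Manufacture("LAP-0001").Respond("tok-1") // spoofed silicon claiming the same serial
	fmt.Println(ca.Verify("tok-1", good))
	fmt.Println(ca.Verify("tok-1", rogue))
}
```

Run it with `go run`: the first line prints the attested serial with a nil error, the second prints the chain error for the spoofed vendor. The order of checks is deliberate. A chain or signature failure stops processing before any policy data from the untrusted response is consulted, the nonce check ties the response to this one challenge so a captured response cannot be replayed against a later one, and the serial is taken from the vendor-signed certificate rather than trusted as claimed, so an attacker cannot borrow an inventoried serial number.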