Securing networks, with scalable compliant infrastructures based on IPSec, is now commonplace. Specifically, CISCO Routers, Switches, ASA firewalls and VPN solutions like AnyConnect all require properly sourced x509 certificates. The challenge is one based on the proper management and issuance of certificates, especially for devices that are not members of directories and do not have domain credentials - most network appliances fall into this category.
There are several common choices: Microsoft NDES or Cisco NAC, or a combination of both. There are also choices to be made about single sign-on, integration with wireless clients and the general accommodation For BOYD. Many network environments where we have been invited to make recommendations and improvements, generally have grown in an ad hoc fashion, and have no overall certificate and key management policy.
There is also general uncertainty regarding the best way to introduce a cryptographic modernization program, specifically, where there are deprecated algorithms and protocols. So, although SCEP, NDES and NAC provide the mechanisms to provision out of bound certificates to devices and manage them, there is a great deal of thought required into doing this in a way that meets best practice, and provides a scalable future-proof and compliant end game.
We have the experience to help you on this journey and your inquiries are very welcome.