What is a PKI?

A PKI consists of roles, policies, procedures, hardware, software and a physically secure facility. When built to industry best practice, a PKI can be trusted to generate, manage, distribute, store, use and revoke digital certificates and their corresponding cryptographic keys.

A PKI’s main components are:

Each end entity in a PKI generates at least one pair or cryptographic keys – a public and a private key, the public key is embedded into a certificate that is digitally signed by a Certification Authority. Each key that is generated has a “key usage” and an “extended key usage”, these enable the keys and corresponding certificates to be used by applications for certain usage, examples include: digital signature, client authentication, smartcard logon etc.

Information can be encrypted with a user’s public key\certificate which can then only be decrypted by the holder of the private key.

Information can be digitally signed by the holder of a private key and then verified by recipients using the signers public key.

Digital Certificates can be used to authenticate a server to which your web browser will send information securely, this is called Server Authentication. Digital Certificates can also be used to authenticate a client to a server or other back end process or application such as a wireless network or VPN.

Why is PKI important for business and government?

In this ever-changing world, organisations must ensure the security and integrity of information and the secure identification of people, devices and things. Digital Certificates issued from Certification Authorities that are part of a PKI trust infrastructure offer businesses the highest level of security credentials.

PKI addresses multiple business challenges such as integrity, authenticity and information protection.

What are PKIs used for?

Examples of a PKI in action include:

Is PKI still relevant?

PKI has never stopped being relevant, it was support within business applications that was missing. In fact, PKI was years ahead of its time and it’s worth remembering some of the key business challenges PKI helps to address are integral to everyday digital activities – authenticating people, devices and things.

In the early 2000’s, Software-as-a-Service (SaaS) didn’t exist and so applications and security were provided by the enterprise, apps were inside the corporate network and users connected to the network via a cable.

The world is very different now and the IT landscape has changed significantly. Many users are working remotely, and businesses are using a mixture of in-house and cloud based applications and infrastructure to provide access to data anywhere, at any time.

This data needs to remain secure and the only technology currently available to address complex high security requirements is the PKI – Public Key Infrastructure.

How do I set up a PKI?

Setting up a PKI requires a mixture of roles, policies, hardware, software and procedures. To successfully set-up a PKI, policy and procedure are paramount.

Installing technology is easy and CAs are often installed for individual projects without much thought, which is why many organisations suffer from certificate management challenges.

This issue can be solved with a centralised trust infrastructure built to best practice and a standardised policy along with the use of specialist technology such as Hardware Security Modules to manage and secure certificates.

Organisations including ICAO, NIST, ETSI and CA Browser Forum provide guidance PKI standardisation and the minimum configuration requirements.

Depending on your requirements you will need to consider whether or not you need public or private trust, or both.

There are many Trust Service Providers who operate PKI and digital signature services to help organisations build and operate PKIs.

Best practice enterprise PKI deployments

Organisations should build a central policy authority and centralised certificate service to govern the issuance and management of keys and certificates to reduce non-compliant certificate issuance.

The certificate management team would also be responsible for establishing a hierarchy of Certification Authorities within the business. Built under the organisation’s security policy, the team would own a Certificate Policy and Certificate Practice Statement – these are industry standard documents that provide security and operational guidance on how the certificate services should be built, operated and how end entities should perform enrolment and renewals.

Organisations should also look to establish a preferred supplier(s) for the issuance of public / internet facing TLS (Transport Layer Security) certificates and publicly trusted certificates to support digital signature services for individuals, organisation seals and B2C use cases.