The term public key infrastructure, or PKI, describes a multitude of digital certificates, digital signatures, private keys, and any other encrypted assets in a given organization’s digital environment. PKI is the system that creates and manages trust in the increasingly digital-forward world, verifying digital identities, securing data transmission, and undersigning critical code updates sent over the air to IoT devices. PKI management isn’t limited to large enterprises and complex DevOps teams; even the smallest company with a website and secure email is already in possession of public key infrastructure.
The main functions of PKI are authentication, encryption, and asset signing, which occur along the length of a digital trust chain. The longer the chain, the more complex PKI tends to become, especially where larger enterprises are involved. Understanding the principles of a well-managed, secure PKI is important for enterprises wishing to strengthen their security posture and invest in digital trust long-term.
PKI Core Components
Each public key infrastructure involves many moving pieces working together to create trust in an organization’s digital footprint.
The backbone of PKI is a digital certificate, also often called an X.509 certificate, that contains information about an entity or individual it is issued to, which can be used to prove the authenticity of both the information and its source. A digital certificate is encrypted to be tamper-resistant. RSA encryption is one of the most common encryption algorithms in use today, alongside ECC and DSA. All certificates have an expiry date for added security.
Certificate authorities (CAs) play the role of a trusted third-party that issues digital certificates to organizations based on the verified information provided to them, acting as underwriters for the digital certificates they generate. To assist, registration authorities (RAs) are sometimes involved, collecting the correct information and verifying the entity requesting a digital certificate. Each CA is also required to publish certificate revocation lists (CRLs) that detail all the certificates that have been revoked by the CA before their expiry date and thus shouldn’t be trusted. As an alternative to certificate status checking, the Online Certificate Status Protocol (OCSP) may be used to validate a certificate, which is usually lighter and strains resources less than accessing a CRL.
Additional tools are available to strengthen the PKI trust chain. For example, publicly accessible PKI repositories contain information about certificate authorities that operate in accordance with industry best practices and policies. Such repositories may assist organizations in choosing a CA for their digital certificate needs.
Enterprise Use Cases
While digital certificates can pertain to individuals just as much as organizations, having been adopted as digital IDs in many countries, the clearest use case for PKI still lies with enterprises that routinely adopt hundreds to thousands of encrypted assets into their environments.
SSL/TLS certificates that verify a website’s identity are the most common example. Not only do they signal that the website is operated by the entity it claims to belong to, but they also encrypt the data transferred between the website and the user’s browser, making it more secure and trustworthy. TLS is also required for API services, similarly protecting the data exchange between the clients and the API server. SSL/TLS is a non-negotiable for enterprises communicating with the public digitally in any way.
Internal operations of an enterprise deserve as much consideration as its external assets. Given the distributed nature of today’s workforce and the complexity of in-office IT infrastructure, workforce and device authentication play an important role in managing internal IT environment security. Encrypted email, collaboration tools, and encrypted sign-in all help protect sensitive data and up the defense from cyberattacks, since no PKI is immune from being targeted by threat actors.
When it comes to sharing internal assets externally, such as in software supply chains, for remote collaboration, and with Internet of Things (IoT) device updates, well-managed PKI instills a high level of trust between all parties by utilizing code signing certificates and document signing certificates. These work to ensure that the assets being shared are modified only by authorized parties, have not been tampered with “in transit,” and originate where they say they do. Such certificates are routinely used to ascertain the integrity and validity of data contained in code, documents, and any other files transferred over digital networks.
Operational Challenges of PKI
Rising operational complexity multiplies the difficulties associated with maintaining and keeping PKI secure in accordance with industry standards.
Some of the challenges of PKI at an enterprise level include:
- Using legacy CAs for the issuance of digital certificates, whose encryption algorithms may be too weak or even outdated to withstand the pressures of online security today
- Fragmented tools that make PKI management difficult, cumbersome, and siloed
- Certificate sprawl that manifests in the sheer volume of digital certificates required and the fragmented nature of the tools used to generate them, creating a hard-to-manage, opaque environment
- Shadow IT, a unique challenge faced by large companies with distributed and/or device-heavy workforces that may use unauthorized devices or access data in an unauthorized way, even if well-intentioned, to perform their duties
- Compliance and audit readiness, or lack thereof, due to the absence of a centralized PKI source of truth, logs, and audit trails.
These challenges threaten the integrity and trust of an enterprise PKI. Modernized PKI management, achieved with the help of PKI solutions, may address many of them.
Modernizing PKI
Organizations must face the truth: PKI is a complex system that requires a systematic approach to function well. Any PKI modernization plans should seek to improve visibility, strengthen resilience, and integrate automation into the process. Certificate lifecycle automation and step-by-step visibility are critical for a well-maintained and organized PKI that’s less prone to gaps due to human error. Automation can handle certificate requests, their renewal, and revocation with a light human touch.
PKI management is a shared responsibility that impacts the performance of teams across the organization and should therefore integrate with operations on a broader level. Integrating PKI with ITSM, DevOps, and cloud ensures continuity of operations while lowering friction between teams trying to balance security with agility.
Planning for cryptoagility, or the potential for quick upgrades and retirement of certificates and encryption algorithms in response to emerging trends and threats, is a hallmark of a modernized PKI as well. With post-quantum cryptography (PQC) also looming on the horizon, organizations must be prepared for a rapidly changing landscape in which the current industry standards may become obsolete overnight, and adapt accordingly. A centralized yet nimble, transparent PKI makes it possible.
Conclusion
Enterprises that leverage the value of resilient PKI reap the rewards of agile, secure, and well-maintained systems with lower outage rates and a lower success rate of cyberattacks. Establishing a robust PKI is half the battle; once in place, it requires ongoing maintenance and assessment of its maturity, performance, and gaps in security. Adopting a PKI management solution helps streamline these efforts, paving the way for increased visibility, reliability, and a strengthened security posture. Modernized PKIs protect an organization’s reputation, bottom line, and uphold digital trust—a pricy commodity in today’s digital-first world.
