eMudhra's Digital Security Blog: Insights and Innovations

Custom Public Key Infrastructure: A Complete Guide

Written by eMudhra Limited | Jan 20, 2025 11:00:55 AM

The constantly expanding and agile infrastructure of modern organisations has made it imperative for businesses to run their own dynamic and robust custom PKI (Public Key Infrastructure). A PKI establishes security and trust across their systems, devices, users, and applications, even over untrusted networks. The surge in the use of public cloud, private cloud, microservices, DevOps, and IoT has increased the need for data security. A PKI authenticates users and devices and protects data while it is in transit.

What is PKI (Public Key Infrastructure) and how does it work?

A PKI is a framework that issues digital certificates to systems, end-users, applications, and devices, giving each of them a trusted identity. These identities authenticate the certificate holder and let it establish secure communications with other certificate holders throughout the network.

A PKI is based on asymmetric cryptography: a public key and private key pair is bound to an identity by a certificate issued by a Certificate Authority (CA). The CA's signature on these certificates is what builds trust between two certificate holders. Certificates can also carry the holder's access rights and allow two certificate holders to set up a secure channel between them for communication.

Components of PKI

Here is an overview of the important components of a PKI!

Root CA

The Root CA is the root of trust for every user and system to which certificates are issued. The Root CA issues certificates to the subordinate CAs (Intermediate and Issuing CAs), which empowers them to issue certificates in turn.

Intermediate CA

Also referred to as a Subordinate CA, an Intermediate CA is a Certificate Authority that sits between the Root CA and the Issuing CA. The Intermediate CA issues certificates on behalf of the Root CA; a Root CA can have several Intermediate CAs working under it in the PKI hierarchy, but each Intermediate CA chains to a single Root CA. An Intermediate CA is normally present only in a three-tier PKI.

Issuing CA

The Issuing CA is responsible for issuing digital certificates to devices, end-users, and other certificate requesters. Issuing CAs are present in both two-tier and three-tier hierarchies.

Public Key

A public key is one half of a key pair generated by an asymmetric algorithm such as RSA. It is distributed openly, embedded in a digital certificate. A public key does not need to be stored secretly, as it is meant for public distribution.

Private key

This is the cryptographic key that forms the other half of an asymmetric key pair. It must be kept secret and stored securely, since it is the element that proves the holder's identity during authentication.

Certificate store

It holds the root certificates of the CAs a computer trusts, along with intermediate CA certificates and end-user certificates. The certificate store is what tells the computer which CAs to trust.

Certificate Revocation List (CRL)

A CRL is a list of the certificates a CA has revoked, including the reason for revocation and identifying data for each certificate. CRLs are published at fixed intervals, so a certificate revoked between two publications may still be accepted until the next CRL is issued.

Delta CRLs

These are smaller CRLs published in the interval between two full CRL publications, listing only the certificates revoked since the last full CRL. They reduce the window in which a revoked certificate could still be accepted before the next full CRL is published.

Hardware Security Module

Also known as an HSM, a Hardware Security Module is a vital component of a secure PKI system. It stores the Root CA's private key and the Intermediate CAs' private keys. HSMs are highly secure and tamper-resistant.

Certificate Management

This is a vital element of the PKI that keeps certificates secure while they are updated regularly. Below are the phases of the certificate lifecycle that certificate management covers!

  • Certificate enrolment - This phase refers to the initial generation of a certificate. A user, device or organisation sends a Certificate Signing Request (CSR) to the CA. The CSR contains the public key and the essential details of the requester. The CA generates the certificate after verifying that information and then enrols the user in the PKI.

  • Certificate issuance - After the certificate has been created and the user enrolled in the PKI, the certificate is issued to the user. This allows the user to identify themselves across the organisation's digital network, and every member of the PKI trusts the certificate holder.

  • Certificate validity - Certificate validity is determined by verifying the certificate's chain of trust. This entails traversing the certification path and tracing the certificate back to its issuing CA. That CA's certificate is then verified in the same way, and the chain continues up to the Root CA. A fully verified chain of trust confirms the integrity of the original certificate.

  • Certificate revocation - This happens when a certificate expires, is no longer needed, or is misused or stolen. In such cases the certificate is revoked and added to the CRL.

  • Certificate renewal - When a certificate expires, it must be renewed. In this process the certificate is reissued with the same information and key pair; only the expiration date is updated.

Certificate Policy

Also known as the CP, the Certificate Policy is a document that sets forth the standards of the PKI. It tells users and PKI administrators what the certificates may be used for, the naming standards they follow, and more.

Certificate Practice Statement

The Certificate Practice Statement, or CPS, describes the PKI procedures that implement the standards of the Certificate Policy. The CP states what the administrator or user must do, while the CPS describes how to do it.

Key elements to set up your PKI

Let us discuss the key elements you must know to set up your custom Public Key Infrastructure!

Identify your certificate requirements

Begin by identifying all present and future needs concerning digital certificates: what position each certificate holds within your PKI and what it will be used for.

Choosing the right CA

Analyse your requirements and choose the type of CA that fits them. If your PKI will serve your own organisation, a Microsoft CA is preferable as it supports Microsoft services. You can also opt for Amazon or Google CAs if your enterprise demands it.

On-site vs cloud hosting

Most internal PKIs are set up on-site, following conventional practice. However, as more services and applications migrate to the cloud, your PKI needs to support cloud requirements. Make sure that your CA accommodates cloud-based requirements so it can meet changing demands.

Certificate management

Simply establishing a PKI does not mean that your enterprise can manage and adapt to every requirement related to it. One of the most vital requirements of a PKI is automating certificate management operations. Additionally, with DevOps and CI/CD pipelines, it is essential that provisioning and de-provisioning certificates is instant and zero-touch, so that all certificate-related operations are prompt and unaffected by human error.

Securing private keys of Root and Issuing CA

It is important to properly secure the private keys of the Root and Issuing CAs, as they form the root of trust. These keys must be stored on an HSM, which provides the highest level of protection and prevents misuse or tampering of the keys.

Certificate Policy (CP) and Certificate Practice Statement (CPS) creation

The CP and CPS together define the policies for your CAs and help you design your PKI. These documents also set the guidelines and scope of each CA: whom it may issue certificates to, the boundaries within which it operates, and the methods and procedures it must follow.

Certificate revocation and CRL checking

An essential step in PKI setup is to ensure that certificates are revoked whenever necessary and that every revoked certificate is recorded in the CRL. Also ensure that your CAs check for new CRLs regularly so that they stay up to date on the latest revoked certificates.

Fundamental architectures

Let us now discuss the most common PKI architectures and their key components!

Two-tier architecture

The most popular and common kind of PKI architecture is the two-tier architecture. It is also the most balanced framework and the one preferred by enterprises. It consists of the Root CA and the Issuing CAs, and it is simple to implement without compromising the security of the PKI.

The two-tier PKI design is simple and prioritises security: the root of trust, namely the Root CA, remains offline and out of reach of attacks. As the Root CA is not exposed to compromise, there is no risk of its certificates being misused or handled by illicit users. The Root CA signs the certificates of the Issuing CAs, which in turn issue certificates to end-users.

Three-tier architecture

This is the safest and most secure PKI hierarchy, as it consists of multiple links in the chain, which makes it harder for attackers to break into the PKI. However, installing a three-tier architecture is more complex than installing a two-tier one. With the addition of an Intermediate CA, you need to set up multiple CAs and integrate them within the PKI, and the more CAs the PKI requires, the more complex its implementation and maintenance will be. A three-tier architecture is therefore used less often than a two-tier one.
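The chain-of-trust check from the certificate validity phase, applied to the two- and three-tier hierarchies just described, as an added Go example that is not code from the article or from eMudhra. The CA names, serial numbers and one-day lifetimes are constructed for the example, and the keys are generated in memory only because a self-contained snippet has no HSM to hold them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// entity pairs a certificate with its private key; CA keys belong in an HSM in practice.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue has parent sign a certificate for cn; a nil parent yields a self-signed Root CA.
func issue(cn string, serial int64, isCA bool, parent *entity) *entity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // only CA certificates may sign other certificates and CRLs
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // the Root CA signs itself
		parent = &entity{t, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &entity{cert, key}
}

// chainLength traces leaf through the supplied intermediates back to the trusted root (the
// validity check described above) and returns the verified chain's length, or 0 if no path exists.
func chainLength(leaf, root *x509.Certificate, intermediates *x509.CertPool) int {
	roots := x509.NewCertPool() // the local trust store: only the Root CA is trusted a priori
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil { // unknown issuer, missing intermediate, expired, issuer not a CA, ...
		return 0
	}
	return len(chains[0])
}
```

Only the Root CA sits in the trust store; the Intermediate and Issuing CA certificates travel with the end-entity certificate, and a certificate whose route cannot be traced back to that Root CA yields a chain length of 0.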

Common deployment mistakes

Here are some common mistakes you must avoid while deploying a PKI!

Lack of planning and tracking

If you do not plan the deployment of your PKI architecture, you can end up with security gaps that attackers can easily exploit. Poor planning also leads to poor key and certificate management, and you will run into further issues if you neglect proper tracking of PKI assets. To avoid such problems, have your PKI planning done by PKI professionals who are cybersecurity experts.

Root CA Security

It is of utmost importance to secure the Root CA, as it is the root of trust. If the Root CA is compromised, the entire PKI has to be rebuilt from scratch, since none of the certificates in that hierarchy can be trusted any longer. It is best to use an HSM to secure the Root CA's keys.

Poor Certificate Lifecycle Management

With poor Certificate Lifecycle Management (CLM), the security of the certificates can be compromised, and attackers can use them to steal data or gain unauthorised access to it. Moreover, if an application's or user's certificate expires without renewal, it can cause a service outage. Proper automation and monitoring of the certificate lifecycle is therefore integral to the smooth functioning of the PKI and its certificates.

Bottom line

If you want to build your own PKI and enhance the security of your digital ecosystem, go for the best PKI solutions that offer the highest level of security. eMudhra provides state-of-the-art PKI services that help you with the entire journey, from PKI setup and implementation to its maintenance. We have deep expertise in key management, digital certificates, regulatory compliance, and more, to give your business the biggest security boost.

If you want to explore more on eMudhra’s comprehensive PKI services, contact our team today!