

Tech Talk: Replacing Legacy Microsoft CAs with a Modern PKI


PKI is now considered critical infrastructure for today’s enterprises. 

Globally, companies rank their PKI platform as one of the most fundamental and important pieces of their cybersecurity posture. This recognition of importance is a huge step in the right direction for security teams, but it also presents certain challenges as the enterprise security landscape evolves.

As a result, organizations must take a serious look at modernizing their PKI infrastructure. This was the focus behind a recent Tech Talk featuring Eric Clauss, Area Vice President at Keyfactor, and Alex Gregory, VP of Marketplace Products at Keyfactor. You can watch the full session here, or read on for highlights.

The Challenge: Traditional PKI Can’t Keep Up with Modern Demands

Traditional PKI processes are overly complex, costly, and simply can’t scale to meet all of the new use cases. These are serious challenges given the critical nature of PKI in today’s enterprises.

Some of the biggest challenges with traditional PKI include:

  • Keeping up with new use cases: Not too long ago, PKI centered around issuing digital certificates to corporate-owned devices. Today, that’s only a small piece of what PKI needs to cover. New use cases are evolving quickly, creating demand for PKI programs to issue certificates for everything from cloud migrations and DevOps processes to IoT devices.
  • CA sprawl: As more use cases pop up, organizations now consume certificates at a massive rate. In turn, this has created CA sprawl as teams spin up new CAs without any standardized policy or visibility so they can deploy new certificates at their convenience. This sprawl happens frequently in DevOps environments, but it’s not limited to just those teams.
  • Slow, manual processes: CA sprawl remains so difficult for security teams to get under control because traditional PKI and certificate processes are slow and complex. At a time when teams need a high volume of certificates at a rapid-fire pace, these slow, manual processes simply won’t cut it – all but forcing teams to find workarounds.
  • Limited expertise: Finally, PKI is a very specialized industry, and finding team members with the right skills to manage these programs proves difficult. Retaining them is even harder.

The Challenge Deepens: The Most Commonly Used Approach – Microsoft CA – is Built for a World That No Longer Exists

These challenges are only magnified by the widespread adoption of Microsoft CA. Unfortunately, the reality is that this solution is built for a world that no longer exists.

For example, Microsoft CA has operational drawbacks, as it only allows one CA per server. This worked just fine when the use cases for PKI were more limited, but in today’s world – which requires deploying thousands of certificates – it results in an overly complex footprint as PKI programs scale. Many companies now have hundreds of servers for the sole purpose of deploying certificates, which is not efficient in any way.

Furthermore, Microsoft CA has limited integration capabilities beyond the Microsoft infrastructure, which proves quite limiting as more and more organizations move to a multi-cloud strategy.

Last, and certainly not least, Microsoft no longer actively supports or develops Microsoft CA, meaning that it will never evolve to meet changing requirements. And as the PKI landscape continues to shift, the disconnect between what enterprises need and what Microsoft CA can provide will only increase further.

The Solution: A Powerful and Flexible PKI Platform to Meet Any Use Case

Fortunately, there is a path forward. The future demands a powerful and flexible PKI platform, and Keyfactor’s EJBCA Enterprise offers just that.

Whereas Microsoft CA is rooted in the past – perfectly suited for on-premises, static data centers and teams that needed to issue a low volume of certificates with long lifespans – EJBCA is a forward-looking, regularly evolving solution built for teams that have a dynamic, cloud-based environment and need to issue a high volume of certificates with short lifespans.

Diving deeper, a modern PKI solution like EJBCA helps solve the challenges enterprises face currently by offering:

  • CA, VA, and RA functionality for a complete PKI solution in a single platform, which allows for centralized management across all use cases
  • Unlimited CAs and certificates in a single instance, without having to deploy additional infrastructure, making it much more scalable for modern PKI programs
  • Flexible support for all major types of certificates, algorithms and protocols, and HSMs, for a program that allows companies to consume certificates in a variety of ways
  • Greater extensibility with a robust API and pre-built integrations that allow the PKI program to extend seamlessly across multiple different clouds
  • High scalability with support for clustering and high availability

The Solution in Detail: How EJBCA Supports PKI Deployments, Your Way

Notably, EJBCA also offers the ability to deploy in multiple ways:

  • A pre-built, pre-configured software appliance that integrates with HSMs
  • A hardware appliance for turnkey deployments that offers all the services needed to support a PKI environment
  • Availability in the Microsoft Azure and AWS cloud marketplaces for fast deployment
  • A SaaS solution for a fully functional PKI platform backed by cloud HSM and deployed in minutes

Keyfactor also offers a PKIaaS deployment option for EJBCA, which turns full operation and management over to the expert Keyfactor team so organizations can consume certificates without having to get bogged down in program management.

The Result: Simplified PKI Architecture Built for the Modern Enterprise

Retrofitting Microsoft CA – or any other legacy PKI program – to a modern enterprise simply won’t cut it anymore. It creates overly complex PKI architectures that are costly, not anywhere near as scalable as what they need to be, and that simply can’t support the short lifespans of today’s certificates.

A modern solution like Keyfactor EJBCA solves these problems and more. For a deeper look at exactly how it does that, plus a live demo, click here to watch the full Tech Talk.
