Upgrading Your PKI: How to Build Trust Without Boundaries

Public key infrastructure (PKI) is now a long-established solution for establishing trust in the digital world. But the use cases for PKI have changed significantly in the decades that it’s been around – and they’re continuing to evolve at a rapid pace.

For instance, the rise in multi-cloud and remote work policies has shifted the security focus from protecting the perimeter to securing everything using trusted identities. Unfortunately, legacy PKI deployments can’t keep up with this shift.

Against this backdrop, what do enterprises need to know about upgrading their PKI to meet more modern use cases? To learn more, we recently sat down with Harry Haramis, SVP of Cloud & SaaS Marketplaces at Keyfactor, and Steven Duckworth, Chief Microcomputer Tech Support Specialist at Erie 1 BOCES.

Click here to watch the full conversation, or read on for highlights.

PKI is critical infrastructure in today’s enterprise, now working to establish trust across a variety of digital use cases that span not just people, but machines too. Some of the most common use cases in the modern enterprise include:

• SSL/TLS certificates for web servers
• Mutual authentication and encryption for Internet of Things (IoT) devices
• Authentication to Wifi networks
• Ephemeral certificates to multi-cloud services like containers and workloads
• Digital signatures and encryption for secure email across devices
• Trusted access for mobile apps and mobile devices
• Authentication between routers and firewalls for network devices
• Signatures on containers and software builds for DevOps teams

Two areas, in particular, that are seeing the biggest spike in PKI activity are DevOps and mobile devices as organizations modernize on cloud infrastructure and more employees work remotely using a variety of devices.

Unfortunately, the legacy PKI deployments most enterprises still use are overly complex, costly, and cannot scale to meet these new use cases. They rely on outdated infrastructure that’s slow and can’t meet the demands of new use cases like cloud migrations, hybrid work, and IoT devices. Additionally, they tend to rely on disparate tools that limit security teams’ visibility into certificates and policies across the organization, making it challenging to manage certificates and avoid issues like outages.

On top of the infrastructure challenges, many teams lack the necessary resources to maintain these PKI programs, as people with the right specialized PKI skills are hard to find and even harder to retain.

One of the most common challenges enterprises face in the effort to modernize PKI is a continued reliance on legacy Microsoft Certificate Authority (CA), also known as Active Directory Certificate Services (ADCS).

Microsoft CA has been around since 2000, and while we have seen multiple iterations of it over the years, not all that much has changed since it was first released. As a result, as organizations try to use the 20+-year-old solution for modern PKI needs, they run into serious roadblocks, including:

• • Operational challenges: Microsoft CA only allows one CA per server. At a time when organizations need to issue new certificates from a variety of CAs on a daily basis, this creates an overly complex footprint at scale.
  • Limited integrations: While Microsoft CA integrates well with on-premise Microsoft infrastructure, that’s where it ends. This lack of integration support doesn’t work well as organizations move to a multi-cloud environment.
  • Lack of support: Microsoft is well aware of these limitations and is no longer actively supporting or developing Microsoft CA, meaning that the gap between the limitations of the solution and modern use cases will only continue to widen.

Fortunately, there are several paths to a modern PKI infrastructure in the cloud:

• Managed PKI: The PKI infrastructure is deployed, hosted, and managed by an experienced third party in the cloud. Handing infrastructure and management over to a third party means companies don’t need to worry about having any PKI expertise in-house and can simply consume the certificates that come from the program.

• SaaS/Cloud PKI: The PKI infrastructure is deployed, hosted, and managed by the organization in the cloud. In this case, the backend infrastructure is hosted and maintained by a third party, but the company manages their own program as far as issuing certificates, developing policies, and leading ongoing lifecycle management.

• Hybrid PKI: The PKI infrastructure is deployed, hosted, and managed on-premise and integrated with cloud services. This approach requires internal expertise in PKI configuration as well as ownership over servers and other infrastructure pieces. Hybrid PKI is best suited for situations like manufacturing, where companies don’t want to depend on internet connectivity in a remote factory, but then need access to those devices (via the internet) to renew certificates and provide ongoing firmware updates once they’re in the field.

Even for organizations that are moving to the cloud with Microsoft Azure, these challenges present a major roadblock, as Microsoft does not have a first-party PKI solution in the cloud.

As part of the evaluation process, it’s important for companies to consider needs like trust requirements for public vs. private CAs, security and assurance levels, use cases to support, scalability and availability of PKI solutions, and the required expertise to implement and maintain the PKI program. Equally as important is considering the organization’s current phase of cloud maturity (as well as future plans) to understand what should stay behind a firewall and what can move to the cloud.

Erie 1 BOCES is a New York public school cooperative. When COVID first hit, the demand for remote management for student and staff laptops created a whole new set of needs. Erie 1 BOCES already used Azure Active Directory and Office 365, so the next logical step was to introduce Microsoft Intune for corporate device management.

However, the team quickly realized they would still need a third-party solution to issue and manage certificates to authenticate the remote devices, for example on Wifi networks. This need led the Erie 1 BOCES team to PrimeKey EJBCA Enterprise, a comprehensive PKI solution available in the Azure Marketplace.

As Steven Duckworth, Chief Microcomputer Tech Support Specialist at Erie 1 BOCES, shares, EJBCA was the right fit for the team’s needs because of its ability to:

• Enable a shared service for end-users, including Erie 1 BOCES and other school districts
• Reduce PKI complexity, with support for multiple domains
• Offer a high level of scalability for certificate issuance across thousands of devices (without any per-certificate fees)
• Provide continuity across virtualized and cloud environments
• Deliver active vendor support to keep up with changing cloud infrastructure

The team also found significant value in the fact that EJBCA allowed them to implement and maintain their PKI program internally while still tapping into the expertise of a partner.

Now, Erie 1 BOCES delivers PKI as a shared service using EJBCA in their data center. The team has also found significant value in the direct integration with Intune, which allows them to issue certificates to end-user workstations so they can easily validate onto the Erie 1 BOCES internal wireless networks. On the backend, dedicated EJBCA nodes also manage validation authority services and certificate revocation to cover the complete certificate lifecycle.

If you’re interested in learning more about how a modern PKI program can help you build trust without boundaries, and how organizations like Erie 1 BOCES have made that vision a reality, click here to watch the full webinar on upgrading your PKI featuring Keyfactor and Erie 1 BOCES.