

How Keyfactor and CRYPTAS Revolutionized Digital Security for a Leading European Retailer

Interview with Matthias Pankert, VP Product Management, Solutions at CRYPTAS



Outgrowing Microsoft PKI

A large German retail client, reliant on Microsoft PKI, found their security at risk as their technology ecosystem diversified beyond Windows. Microsoft PKI’s limited compatibility exposed vulnerabilities and hampered compliance with EU regulations. CRYPTAS’ solution was needed for a more scalable and secure PKI infrastructure.

Company Overview

CRYPTAS was launched in 2003 with the vision to design a safer digital world through applied cryptography. Today, CRYPTAS works with more than 40,000 clients in 100+ countries. Known as the specialist for certificate-based solutions in complex system environments, CRYPTAS offers solutions for securing digital identities for employees and clients – including strong authentication and encryption – as well as protecting device and system identities on a larger scale (like IoT).


Legacy Microsoft PKI could not keep pace with growth

One of the most common challenges in today’s environment is the need to shift away from Microsoft PKI. That was the case for one CRYPTAS partner in particular, a large German retail chain. The retailer had used Microsoft PKI for many years, but as their technology ecosystem grew more diverse, including non-Windows servers, network devices, mobile devices, and more, the legacy solution simply couldn’t keep up.

Specifically, with the help of CRYPTAS, the retailer identified that remaining on Microsoft PKI could make their infrastructure more vulnerable to compromise or outages due to the gaps in coverage for non-Windows use cases. And with retail chains considered critical infrastructure in the European Union, it became imperative for the brand to upgrade their security to meet regulations.


Automated PKI deployment to streamline operations

The search for a stable, automated, and future-proof PKI solution led CRYPTAS directly to Keyfactor. CRYPTAS had previously worked with Keyfactor on projects for several other clients and felt confident recommending Keyfactor EJBCA as a solution for the retailer for three key reasons:

  1. The competence and approachability of the Keyfactor team
  2. The well-architected, scalable PKI platform and EJBCA’s software appliance delivery model 
  3. The wealth and maturity of automation APIs that EJBCA offers to support secure operations long term

Keyfactor EJBCA is a superior product. From a feature set, philosophy, and architecture standpoint, EJBCA is a very mature and market-leading product. Additionally, the team is very approachable and responsive in cases where we need to troubleshoot.

Matthias Pankert, VP Product Management, Solutions at CRYPTAS

In general, Pankert shares that Keyfactor EJBCA is often CRYPTAS’ first choice when leading a Microsoft PKI succession. While he notes that finding the right solution for clients depends on many factors, the team often finds that Keyfactor’s combination of maturity, support, and implementation options leads the pack.

With Keyfactor EJBCA selected as the PKI solution of choice, CRYPTAS started implementing a proof of concept. Pankert says the initial implementation went very smoothly, with strong collaboration from both the retailer’s own team and Keyfactor as needed. The proof of concept went well, and the team ultimately used the knowledge gained from that engagement to set up EJBCA in production.

Pankert notes that the CRYPTAS team did not do a one-to-one rip and replace, as this approach can be very disruptive. Instead, the team now has the modern EJBCA PKI solution sitting alongside the more traditional Microsoft PKI solution. The retailer will continue using Microsoft PKI for Microsoft Windows users and PCs while using EJBCA for their many other needs, like mobile devices, servers, microservices, and Kubernetes nodes, to name a few.

Over time, CRYPTAS will help the retailer migrate everything to EJBCA, as this phased approach helps avoid outages and major disruptions to the flow of business. Keyfactor EJBCA has already proven so successful that CRYPTAS is working with the retailer on a second phase of the implementation, which includes adding in Keyfactor Command to discover and automate certificates.

Business Impact

Scalable PKI to meet the demands of expanding use cases

Implementing Keyfactor enabled CRYPTAS to introduce more scalable PKI for the retailer. Specifically, Pankert cites the sheer number of systems for which they were able to issue certificates, including mobile devices, printers, web servers, applications, and more.

“As the number of connected systems and entities continues to increase, we also expect to see an increase in certificates and systems that need managing,” he explains. “EJBCA will be used for more and more of those systems within the retailer’s ecosystem, eventually replacing the legacy Microsoft PKI entirely.”

For CRYPTAS and the retailer, this scalability comes down to two important elements of Keyfactor’s offering: First is the ability to secure modern use cases (an area where the legacy approach fell short) and second is the automation available for certificate lifecycle management. Pankert adds: “Keyfactor provides a great degree of automation, replacing previously manual operations. This automation is in line with the explosion of certificates, as you cannot do the job manually any longer. You cannot keep track of all your certificates in Excel sheets. You need to have automation to have certificate renewals happen in the background, and that’s what Keyfactor does well.”

Reduced risk with a modern approach to PKI

Looking deeper at Keyfactor’s modern approach to PKI, the ability to secure cloud-based use cases and introduce a zero trust environment has helped reduce risk significantly for the retailer. “It’s about risk reduction. In the end, it’s the rollout of more certificate-protected identities, where in the past they were unprotected. For example, with Keyfactor, we’ve been able to introduce two-factor authentication based on certificates where previously people were using username and passwords,” Pankert says.

Not only does this modern approach help reduce cyber risk, but it also helps the retailer maintain compliance through the use of zero trust principles and certificate lifecycle management. Critically, this compliance was a top goal for the retailer in introducing a new PKI solution, as the company needs to meet the EU regulations for critical infrastructure.

A future-proof solution with a trustworthy partner

Finally, both CRYPTAS and the retailer feel confident that in working with Keyfactor they found a future-proof solution that can evolve alongside changing industry standards and needs. Pankert has already seen how Keyfactor has evolved both EJBCA and Command to stay up to date with newer standards, and he knows the same will hold true in the move toward post-quantum cryptography.

“Current cryptography will soon become vulnerable to quantum computing, and Keyfactor is preparing for that, as is CRYPTAS. This is something that will keep us busy for the next 2-4 years, and I know Keyfactor is taking care of it so we can feel comfortable helping our clients manage the change,” Pankert shares.

This focus on regular innovation is one of many reasons CRYPTAS and their retail client view Keyfactor as a trustworthy partner for the long haul. Pankert concludes: “There is no doubt for me that Keyfactor is mature, versatile, and capable. Additionally, the fact that Keyfactor comes as a software appliance is very helpful for doing quick implementations that are successful, which stands in contrast to other solutions that can get quite complex. I would definitely recommend Keyfactor for all of these reasons.”
