Organisations of all sizes are interested in deploying a Public Key Infrastructure (PKI) project, to generate digital certificates.
As the complexity of the project is directly dependent on the targeted level of trust, it is considered best to start with a standard level of trust, then move to a higher trust level as the use cases build up: acquiring a Hardware Security Module (HSM) to protect private CA keys, more specialized roles, etc.
In-house PKI: SaaS or On-Premise mode?
Implementing an On-premise PKI means adding a component to your IT system which can issue an unlimited number of certificates, as required, for secure access, authentication of employees, electronic signature for documents, on-line sales, etc.
The in-house PKI functions both as a technical restriction on operation, and as an organisational restriction for separating roles and respecting processes. Installed on the organisation’s infrastructure, there are at least two different roles involved in managing it: an operational team to keep the PKI solution working, and an admin team to manage the issuing and revoking of certificates.
The PKI-SaaS mode avoids technical constraints on operation, keeping only the organisational management aspects, the cornerstone of a PKI solution. It does mean outsourcing one of the two roles, however, which for some organisations may be unacceptable. PKI-SaaS needs a smaller budget than that for an On-Premise PKI. It is preferable if a limited number of certificates is involved.
Is the Microsoft PKI adequate?
If the question arises of whether or not to migrate your Microsoft PKI, the answer is very definitely “yes”! The Microsoft PKI is not sufficient to address all the needs of an organisation. Some of the Microsoft PKI functions (such as the registering authority or the key escrow) are not suitable, and may lack flexibility of use.
There are possible alternatives to the Microsoft PKI:
Opt to migrate to an EJBCA PKI
Migrating from the Microsoft PKI to an EJBCA PKI solution is a standard procedure. The EJBCA PKI has all the functionalities of the Microsoft PKI, and will also provide you with many additional functionalities:
- Close control of access permissions;
- Complete configuration of your certificate templates to suit your needs;
- Support for enrollment protocols, ACME, SCEP, CMP, EST;
- Separating the registration authority from the certifying authority, in order to respect a 3-tier architecture;
- Web interface suitable for all browsers.
Choose a means to strengthen certificate management, with a solution such as BerryCert.
If PKI migration is not an option, and you need closer control of your certificates, a solution such as BerryCert allows you to strengthen your PKI, while offering you:
- Disclosure of all certificates issued;
- Centralized, unified management of the PKI (in-house or outsourced);
- Automated management of certificates on your business applications and network equipment.
What about buying an HSM and carrying out a root key ceremony?
Acquisition of an HSM, along with organising a key ceremony, strengthens the secure management of your private CA keys, and thus of your PKI trust infrastructure. This type of cryptography module essentially ensures it is impossible for you or a third-party to export your private AC keys outside of the HSM context. This resource thus significantly improves the security level of the PKI. Depending on circumstances, it is recommended that it should be deployed after allowing some time for use cases to be built up within the organisation.
The in-house business PKI in On-premise mode is appropriate particularly when a large volume of certificates is involved. It is more expensive to implement than a PKI in SaaS mode, but this option does allow unlimited quantities of certificates to be issued.
Opting for an on-premise PKI plan is a complicated process. It is preferable to call on the services of an expert, to choose the most appropriate solution for your current IT system, your challenges and your needs, as well as providing you with support to put it into operation.