
Everything You Need To Know About PKI-as-a-Service (PKIaaS)

PKI-as-a-Service (PKIaaS) means deploying and operating an organization’s Public Key Infrastructure (PKI) on a cloud-based platform run by a service provider. The service covers the entire PKI lifecycle, from setting up the Certificate Authority (CA) hierarchy to issuing, managing, and revoking end-entity certificates for users, devices, and domains.

Features such as better flexibility, automated procedures, and lower overhead make it simple for your organization to establish strong authentication, data encryption, and integrity control across its digital assets and to secure sensitive data.

To see why PKI-as-a-Service matters, consider an organization, small or large, that handles sensitive data such as PII (Personally Identifiable Information), PHI (Protected Health Information), or payment card data covered by PCI DSS. To keep that data protected, the organization must ensure the following:

  1. Data in transit is protected against tampering and eavesdropping on the organization’s network, over connections that also authenticate the parties and so protect the user’s identity.
  2. Every web server, device, user, and internal resource that takes part in the application holds a valid certificate (for example, an SSL/TLS certificate), so that it can be authenticated before access is granted.
  3. Valid, properly issued certificates are a compliance control: regulations such as PCI DSS require them, and standards such as NIST guidance and FIPS 140 govern how the keys behind them must be protected.
  4. Managing a large number of certificates by hand is time-consuming and error-prone (an expired certificate is an outage, a forgotten one is an unmonitored key), so issuance, renewal, and revocation need to be automated.

PKI-as-a-Service addresses all of the above, and reduces both cost and error, by automating the certificate lifecycle from enrollment and issuance through renewal and revocation. Before going further into PKI-as-a-Service, let’s recap what a PKI is and how PKIaaS relates to it.

Public Key Infrastructure (PKI)

A PKI issues digital certificates (for example, SSL/TLS certificates) in the X.509 format. Each certificate binds an identity (a domain, a device, or a person) to a public key and is signed by a Certificate Authority, so anyone who trusts that CA can verify the binding. The matching private key, which never leaves its owner, proves that identity during authentication and is used to establish encrypted sessions with the peer.

The various components of PKI are:

  1. Public and Private keys

    As mentioned above, the public and private keys are the two halves of an asymmetric key pair. Anyone can encrypt data with a recipient’s public key, but only the holder of the corresponding private key can decrypt it, so the public key can be shared freely while the private key must stay protected (in an HSM, for CA keys). The pair works the other way round for signatures: a signature made with the private key can be verified by anyone holding the public key.

  2. Digital certificates

    A digital certificate binds a subject’s identity (an organization, a hostname, a device, or a user) to that subject’s public key, and is signed with the issuing CA’s private key. A relying party that trusts the CA can therefore confirm that the subject is the rightful owner of the associated public key.

  3. Certificate Authority

    The Certification Authority signs digital certificates with its private key and issues them; CAs are the anchors of trust in a PKI. In a typical two-tier hierarchy there are two kinds of CA: the Root CA and the Issuing CA.

    1. Root CA
      • The top-level certificate authority establishes the foundation of trust in the PKI hierarchy.
      • Issues and signs certificates for intermediate CAs.
      • Typically maintained in a highly secure, offline environment to prevent unauthorized access and ensure long-term trust.
    2. Issuing CA
      • Processes and signs end-entity certificate requests (e.g., SSL/TLS) that arrive from enrollment gateways (such as the MS CA Proxy described in the workflow below) or from other sources.
      • Manages the certificate lifecycle: issues, renews, and revokes certificates as needed for various applications.
      • Operates online and is responsible for day-to-day certificate management, ensuring the ongoing validity and security of issued certificates.
  4. Registration Authority

    The Registration Authority serves as a bridge between users and the Certification Authority (CA). It first verifies the identity of those requesting digital certificates and then forwards the validated requests to the CA for issuance.
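
The hierarchy just described, built end to end with the openssl command line as an added example (this is not code from the original page or from Encryption Consulting’s service; the CA names, the hostname www.example.test, and the use of P-256 keys are assumptions for the demo). It shows the offline root signing nothing but the issuing CA, the issuing CA signing an end-entity TLS certificate, chain validation with the root as the only trust anchor, and the effect of revoking the leaf through the issuing CA’s CRL, which is the revocation check listed later under Managed PKI:

```sh
#!/bin/sh
# Added example, not code from the original page: a two-tier CA hierarchy built
# with the openssl CLI. Names and the hostname www.example.test are made up;
# P-256 keys are used only to keep the demo fast.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

genkey() {  # a real root key would be generated inside an HSM, never on disk
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

build_hierarchy() {
  # Root CA: self-signed, pathlen:1, so it may certify exactly one tier of sub-CAs.
  genkey root.key
  openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.crt 2>/dev/null

  # Issuing CA: the only certificate the (offline) root key ever signs.
  genkey issuing.key
  openssl req -new -key issuing.key -subj "/CN=Example Issuing CA" -out issuing.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > issuing.ext
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile issuing.ext -out issuing.crt 2>/dev/null

  # End-entity TLS server certificate, issued by the online issuing CA.
  genkey leaf.key
  openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 90 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null
}

# Each check prints "ok" or "fail" rather than aborting, so results can be compared.
verify_chain() {                 # trust the root only; issuing CA supplied as untrusted
  if openssl verify -CAfile root.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
verify_without_intermediate() {  # a relying party that was never given the issuing CA
  if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
verify_with_crl() {              # as verify_chain, plus the leaf must not be on the CRL
  if openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
       -CRLfile issuing.crl leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

setup_ca_db() {  # minimal 'openssl ca' state so the issuing CA can sign CRLs
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
database = index.txt
new_certs_dir = .
serial = issuing.srl
crlnumber = crlnumber
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 7
EOF
  : > index.txt
  echo 01 > crlnumber
}
issue_crl()   { openssl ca -config ca.cnf -gencrl -out issuing.crl >/dev/null 2>&1; }
revoke_leaf() { openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1; }

build_hierarchy
setup_ca_db
issue_crl
CHAIN=$(verify_chain)                            # ok
NO_INTERMEDIATE=$(verify_without_intermediate)   # fail: chain cannot be built
BEFORE_REVOKE=$(verify_with_crl)                 # ok: leaf not on the CRL yet
revoke_leaf
issue_crl                                        # revocation is invisible until a new CRL is published
AFTER_REVOKE=$(verify_with_crl)                  # fail: certificate revoked
echo "chain=$CHAIN without_intermediate=$NO_INTERMEDIATE before_revoke=$BEFORE_REVOKE after_revoke=$AFTER_REVOKE"
```

Two things to notice. Validation fails when the relying party is given only the root, which is why servers must send the issuing CA certificate along with their own. And revocation has no effect until a fresh CRL is published and the verifier actually asks for it (-crl_check here), so a managed PKI’s CRL and OCSP publication cadence is part of its security posture, not an afterthought. In production the root key is generated and kept inside an offline HSM, and the flat-file database of openssl ca is replaced by the CA software’s own store.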

Choosing what is right for you: PKI or PKIaaS?

The components above are required to build any PKI, and they matter just as much for certificates issued by PKI-as-a-Service as for an on-premises PKI; the difference is who operates them.

So, what makes PKIaaS more beneficial than traditional PKI solutions?

  1. Deployment
     PKI-as-a-Service: setup is quick and managed by the service provider, with minimal infrastructure required from your organization.
     Traditional PKI: significant time, expertise, and resources are required to deploy, involving hardware, software, and network configuration.
  2. Management
     PKI-as-a-Service: operational overhead is reduced because certificate issuance, renewal, and revocation are handled by the service provider.
     Traditional PKI: operations are managed in-house, requiring dedicated personnel for ongoing certificate tasks and maintenance.
  3. Scalability
     PKI-as-a-Service: running on cloud infrastructure, the service adjusts automatically to your certificate requirements as your organization grows or fluctuates.
     Traditional PKI: scaling up requires additional hardware, software licenses, and configuration changes, which can be time-consuming.
  4. Cost
     PKI-as-a-Service: hardware purchases, software installation, and ongoing maintenance are eliminated, reducing operational costs significantly (Encryption Consulting provides a subscription model, minimizing the upfront cost).
     Traditional PKI: high investment and resources are needed for hardware purchases, software installation, and ongoing management.

PKI-as-a-Service is a preferred choice for organizations prioritizing ease of use, cost savings, and faster deployment.

Workflow of PKI-as-a-Service

From the initial certificate signing request, through the central coordination point, to the issuance of the digital certificate, the PKIaaS components interact in the following steps:

  1. Certificate requesters start up

    A client (a server, device, or workload in the organization) requests a digital certificate (for example, an SSL/TLS certificate) using a protocol such as ACME or SCEP, or through the Intune connector. The request goes to the Certificate Enrollment Gateway (CEG). The CEG then opens a mutually authenticated TLS connection to the Certificate Authority Gateway (CAGW): it presents its own client certificate and verifies the CAGW’s server certificate.

  2. Processing the request

    The Certificate Authority Gateway (CAGW), which runs as a containerized service, receives the certificate request and forwards it to the appropriate Managed CA (or CAs) through a secure intermediary (proxy) server, so that every certificate is tracked and managed centrally.

  3. Connection to the Issuing CA

    The intermediary (proxy) server bridges the Certificate Authority Gateway (CAGW) and the designated Issuing CA inside the PKI environment. This hop is likewise secured with client and server certificates, the server certificate being hosted on the online Issuing CA.

  4. Certificate Issuance

    The Issuing CA, running Active Directory Certificate Services (AD CS), issues the end-entity certificate according to the certificate request it received.

  5. Certificate delivery

    The issued certificate is returned to the CAGW through the MS CA Proxy. The CAGW then passes the signed certificate to the CEG, which delivers it to the client that requested it.

Every hop on this path, from request initiation until the certificate is delivered, is protected by mutually authenticated TLS using the client and server certificates of the PKIaaS components themselves, so the service is end-to-end authenticated as well as encrypted.

Features of PKI-as-a-Service

PKI as a Service (PKIaaS) provides a comprehensive set of capabilities for managing digital certificates and public/private key pairs, strengthening security across the organization. The key features of PKIaaS are:

  1. PKI infrastructure management
    • Simplified and centralized configuration of the managed PKI, allowing easy deployment of Certificate Authorities (CAs) customized to the organization’s needs (for example, an optional separate Root CA).
    • Management of the complete lifecycle of Root and Issuing CAs, following industry best practice (for example, protecting CA private keys in FIPS 140-2 Level 3 HSMs deployed for high availability).
  2. Certificate Authority security
  3. Policy and Compliance Management
    • Defining and enforcing certificate policies and practices, such as certificate profiles, validity periods, and key usage constraints, customized to your organization’s security requirements.
    • Ensuring adherence to industry best practices and regulatory requirements (e.g., NIST, FIPS, GDPR).
  4. Integration and Automation
    • RESTful APIs to integrate PKI services with other applications and systems in your organization, for certificate management and deployment.
    • Scripts and tools to automate certificate issuance and management processes.

Use cases

  1. Supported protocols

    PKIaaS automates the enrollment of users and devices for digital certificates while applying the same security controls across the organization. The protocols it supports for automated enrollment and issuance are:

    1. Automated Certificate Management Environment (ACME)
      • ACME automates the exchange between a Certificate Authority and a client requesting a server certificate for a domain.
      • Before issuing, the CA validates that the requester controls the domain, typically with an HTTP-01 challenge (serving a file at a well-known URL on the web server) or a DNS-01 challenge (publishing a DNS TXT record).
      • ACME clients and servers communicate over HTTPS, and every client request is signed with the account key, so the exchange is protected from tampering.
      • Because it integrates easily with CA systems, ACME greatly simplifies SSL/TLS certificate management, including automatic renewal of short-lived certificates.
    2. Simple Certificate Enrollment Protocol (SCEP)
      • SCEP automates certificate enrollment for network devices such as routers and switches, and for mobile devices managed through an MDM, reducing manual effort.
      • Requests are standard PKCS#10 certificate signing requests, wrapped in PKCS#7 for transport.
      • The SCEP server authenticates each request, typically with a one-time challenge password carried in the CSR, before a certificate is issued. Treat that password as a secret: a leaked static SCEP challenge lets anyone enroll for a certificate.
      • SCEP is designed for large-scale deployments, making it suitable for environments with many devices requiring certificates.
    3. WSTEP
      • WSTEP (WS-Trust X.509v3 Token Enrollment Extensions) is the protocol behind Microsoft’s Certificate Enrollment Web Services. A Windows enrollment client fetches enrollment policy from the Certificate Enrollment Policy Web Service and submits requests through the Certificate Enrollment Web Service, so it can enroll from multiple Certification Authorities (CAs) without a direct connection to the CA or a domain controller.
      • Certificates issued this way allow only authorized devices to access the specified services or network resources, improving overall security.
      • The enrollment channel is authenticated and encrypted (HTTPS with Kerberos, username/password, or client certificate authentication), protecting the sensitive information exchanged during enrollment.
  2. Microsoft Intune Integration
    • The Certificate Enrollment Gateway receives SCEP requests carrying a CSR (certificate signing request) from Intune-managed clients and sends the CSR to Intune for validation before it is issued. This lets you control user access to enterprise resources and streamline app and device management across hundreds of mobile devices, desktops, and virtual endpoints.
    • Cryptographic policies and algorithms are managed centrally to conform with regulations and compliance requirements.
    • Certificates are revoked automatically when a device is retired or removed from Intune, shortening the window in which a lost or compromised device can still authenticate.
  3. Endpoint Authentication (UEM/MDM)
    • Certificates are issued with strong, verified settings, so you can keep track of certificate usage and validity on every endpoint.
    • MDM/UEM clients authenticate to the Certificate Enrollment Gateway with username and password credentials; at least one such credential must be defined for the MDM protocol, and it should be unique per integration so that it can be rotated or revoked independently.
    • Since only authorized personnel should manage sensitive certificate functions, granular access control and role-based permissions are required, and they are a compliance criterion under NIST and FIPS 140-2.
    • Certificates are issued only after the device passes integrity checks and meets the required security patch level.
  4. S/MIME
    • End-to-end encryption and signing of email messages.
    • Signing and encryption can use separate certificates and keys: the signature provides authenticity and non-repudiation, while the encryption certificate protects the message body and attachments.
    • Key history management and automated key backup keep previously encrypted mail readable after a key rollover or a lost device (only encryption keys are escrowed; signing keys are never backed up, or non-repudiation would be lost).
    • Works across devices and operating systems, including Windows, macOS, iOS, and Android.
  5. Managed PKI
    • Secure setup of your Root CA infrastructure in line with ISO 27001, safeguarding your cryptographic assets.
    • You retain full control over your private keys and complete oversight of your digital certificates and cryptographic operations.
    • Private keys are stored in FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs) to prevent unauthorized access or tampering.
    • CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) services let relying parties check the validity and status of certificates, maintaining trust in your PKI ecosystem.
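
The HTTP-01 and DNS-01 challenge responses described under ACME above, derived with the openssl command line as an added example (this is not code from the original page or from any ACME client; the JWK members E and N and the token are constructed placeholders, not a real account key, and in practice the token is supplied by the CA in the challenge object):

```sh
#!/bin/sh
# Added example, not code from the original page or from any ACME client:
# deriving the HTTP-01 and DNS-01 challenge responses from an ACME account key
# (RFC 8555 section 8 and RFC 7638). The JWK members and the token below are
# constructed placeholders, not a real key or a token issued by a CA.
set -eu

b64url() {  # base64url without padding, the encoding ACME uses everywhere
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 thumbprint: SHA-256 over the required public members only, in
# lexicographic order, as compact JSON with no whitespace (RSA: e, kty, n).
jwk_thumbprint_rsa() {   # $1 = e (base64url), $2 = n (base64url)
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# RFC 8555 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
key_authorization() {    # $1 = token from the challenge, $2 = thumbprint
  printf '%s.%s' "$1" "$2"
}

# HTTP-01: the key authorization is served, verbatim, at this path over port 80.
http01_path() {          # $1 = token
  printf '/.well-known/acme-challenge/%s' "$1"
}

# DNS-01: the TXT record for _acme-challenge.<domain> holds a hash of the key
# authorization, not the key authorization itself.
dns01_txt() {            # $1 = key authorization
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Constructed sample inputs (placeholders; N is not a usable RSA modulus)
E='AQAB'
N='zRJ1d3c2M0JqL0h5aV9rTmNwX2RlbW8'
TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'

THUMB=$(jwk_thumbprint_rsa "$E" "$N")
KEYAUTH=$(key_authorization "$TOKEN" "$THUMB")
TXT=$(dns01_txt "$KEYAUTH")
echo "HTTP-01: GET $(http01_path "$TOKEN") must return: $KEYAUTH"
echo "DNS-01:  _acme-challenge.<domain> TXT \"$TXT\""
```

Both responses are bound to the account key’s thumbprint, so only the holder of that key could have produced them, and the CA recomputes the same values after fetching the URL or querying DNS. A common cause of failed validations is a mismatch at exactly this point: serving the bare token instead of the full key authorization for HTTP-01, or publishing the key authorization itself rather than its base64url SHA-256 for DNS-01.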

Why Encryption Consulting LLC?

Deploy PKI-as-a-Service in your environment.

Encryption Consulting offers a flexible, reliable, high-assurance PKIaaS solution with scalability and consistent support, enhancing the management and functionality of digital certificates across your organization. Here is a quick look at the key features:

  1. Customizable and Scalable Solutions
    • Flexible Integration: we build a customized framework around your organization’s specific security requirements, with broad support for different Certification Authorities (CAs).
    • Scalability: growth in certificates and users is absorbed without hampering performance.
  2. Consistent Support Features
    • High Assurance: strong security controls and compliance with standards such as HIPAA, PCI DSS, and GDPR, with central control over certificate policies (mitigating risk and improving digital security).
    • Support: day-to-day operational concerns are handled by our support team, keeping operations running smoothly.

Different deployment methods:

For ease of deployment in your organization’s environment, we provide the PKIaaS solution on various platforms:

  • OnPrem PKI: managed PKI deployed inside your organization’s infrastructure, so that PKI components such as the Root and Issuing Certificate Authorities (CAs) are hosted on-premises.
  • SaaS PKI: the certificate lifecycle management setup is configured in your organization’s own cloud platform, establishing digital identities for your users.
  • PKIaaS: automated certificate lifecycle management and a custom managed PKI hosted and operated in Encryption Consulting’s cloud environment, with the flexibility to customize the PKI to your domain and security requirements.

Conclusion

PKIaaS is a modern, high-performance form of the traditional PKI, hosted in the provider’s cloud rather than in your own data center. No matter how big or small your organization is, it handles some sensitive data, such as Personally Identifiable Information (PII) and Protected Health Information (PHI), which makes a PKI a must-have for secure communication. PKIaaS meets these requirements with a cloud-based service that manages the entire certificate lifecycle and delivers security, compliance, and operational efficiency.

This secure yet user-friendly solution is designed to streamline certificate management and strengthen your security capabilities while keeping costs under control. PKIaaS has emerged as a practical choice for businesses coping with changing digital security and compliance demands, offering the capabilities to manage certificates securely while enabling secure communication across all functional boundaries.


About the Author

Aditi Goel is a consultant at Encryption Consulting. Her main focus is PKI-as-a-Service initiatives and cloud services. She leverages her knowledge of PKI, HSMs, CLM, and code signing to develop solutions for our clients, ensuring that they receive customized strategies that fit their needs.
