10 Questions and Answers When Deploying a PKI

By Mark B. Cooper

The Nexus  |  Monday, 11 March 2019

Public key infrastructure (PKI) is at the core of the enterprise IT backbone, and its integration with core IT applications is growing, according to the 2018 Global PKI Trends Study by nCipher Security and Ponemon Institute.1 The study states that email and network authentication are typically supported by an organization’s PKI and, in the next 2 years, 42% of Internet of Things (IoT) devices in use will rely primarily on digital certificates for identification and authentication.

It is no secret that a well-designed and deployed PKI will help your organization protect and manage data today and in years to come. However, there are many misperceptions and assumptions about PKI. Deploying PKI in an environment is not a quick process. In fact, 57% of respondents indicate that managing keys can be a very challenging activity, according to another study, Global Encryption Trends Study by Thales and Ponemon Institute.2

In an effort to shed some light on how to properly deploy a PKI, here are the 10 most commonly asked questions and their (very condensed!) answers:

  1. Do I need a hardware security module? Yes. You know you need it, but the complexity and cost are scaring you away. Your PKI will be nowhere near as secure without it.
  2. Should I publish my Certificate Revocation List to Active Directory (AD)? No. Build a highly available website (2 or more sites) and publish the Certificate Revocation List (CRL) there. You will be providing access to everything in your environment without locking yourself into Microsoft’s AD walled garden of access. Unless you are doing a click-click-click install of Active Directory Certificate Services (ADCS), do not use Lightweight Directory Access Protocol (LDAP) integrated Certificate Revocation List Distribution Point/Authority Information Access (CDP/AIA).
  3. Do I really need 2-person integrity? Yes. Who has access to all of the authentication and information in your organization? Well, indirectly at least, you do (or your network admin does). You may be trustworthy, but what about your new team member you hire a year from now? Everyone’s luck runs out eventually. Do not gamble with your security. Your best administrator today is your worst security nightmare tomorrow.
  4. What should I do with my PKI? Well, besides loving, caring for and talking to it nicely, do what most organizations are doing: Wi-Fi authentication, mobile device management, virtual private network (VPN) authentication, internal Secure Sockets Layer/Transport Layer Security (SSL/TLS) and code signing. Be careful of code signing. If you are not careful, it will come back to bite you. Code signing requires careful consideration of how signed items will be verified years down the road. Without proper care, you could be faced with having to locate and re-sign items repeatedly over the years.
  5. Help me. My PKI XXXXXX needs to be rebooted, restarted and talked to daily or it breaks. Is this normal? No! Your PKI should be like a Sherman tank, slow moving, sturdy and mostly boxy looking. (This keeps the DevOps people from playing with it!) If your PKI is unable to run months on end without daily rituals, then something is seriously wrong.
  6. Will the cloud make my PKI more secure? No, nothing about the cloud will make your PKI more secure. The cloud can be used to make your PKI more accessible and more dynamic, but it does not add a single security layer.
  7. Do I need 2 certification authorities (CA)? No. You only need one CA.
  8. Virtual or physical servers for a CA, which is better? Virtual machines do nothing to improve CA security. Physical is better.
  9. What key size and hash should I use? Do you like secure things? RSA 4096 and SHA384. Do you like to please people? RSA 2048 and SHA256.
  10. Another administrator wants a subordinate CA certificate for their fancy appliance. What should I do? Say no! Well, at least make sure they are not completely wrong in their request. Then, if they do need it, make sure you restrict the heck out of that certificate (application policies, path length, etc.).

In a Q and A conducted recently, Jeff Stapleton, coauthor of Security Without Obscurity: A Guide to PKI Operations, stated:

Cybersecurity can help secure cryptography, which includes PKI, but poor key management can undermine cybersecurity. Old algorithms, aging keys, weak access controls, bad processes, buggy software, and undocumented procedures can negate strong cybersecurity. If the gatekeeper is vulnerable, then the gate is vulnerable.3

Mark B. Cooper is president and founder of PKI Solutions. He has deep knowledge in all things related to public key infrastructure (PKI) and has been known as “The PKI Guy” since his early days at Microsoft. PKI Solutions Inc. provides consulting, training and software solutions for Microsoft PKI and related technologies for enterprises around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.


1 nCipher Security and Ponemon Institute; 2018 Global PKI Trends Study; USA, 2018
2 Thales and Ponemon Institute; Global Encryption Trends Study; USA, 2018
3 Stapleton, J.; W. C. Epstein; Security Without Obscurity: A Guide to PKI Operations; Auerbach Publications, USA, 2016