We’ve been blogging a bit more lately about PKI and how it’s making a big comeback. PKI was once thought of as complex and overwhelming, but IT administrators in fields such as healthcare, enterprise, critical infrastructure and law enforcement are now looking to it to provide the military-grade security they need to fight constant and increasing security threats.
Plan, Plan, Plan
Again going back to the old days, implementing a PKI was thought of as impossibly difficult, time-consuming and expensive. We’re here to tell you that’s not always the case. Depending on the size of your deployment and your desire or need for automation, the difficulty of implementing PKI can vary widely.
Most importantly, before diving head first into a PKI implementation, planning is crucial. It not only helps you gather all the components and resources you need, but it can also save you hours upon hours of time. PKI implementations are done in sequential order, so if you skip the planning part, you may spend a lot of time undoing work and going backwards in the process. Trust us, take the time to carefully consider the following planning guidelines.
There are some key things to consider when mapping out your PKI implementation plan. I’m going to briefly outline these in this post, but our resident Enterprise PKI expert, Rae Barton, just presented a webinar that provides many more juicy PKI details. You can watch the recorded webinar, PKI – Your Ally in the War Against Security Threats. Back to the key considerations.
- Security Policies
A PKI security policy governs the administration, configuration and use of certificates. For instance, you may want to require physical identity proofing of a user for first-time enrollment, while for a renewal, simple challenge/response questions may be sufficient. With a self-service issuance deployment, you may want to review issuance requests from users and manually approve them. Such security policy should document a process around
- CA Deployment Model
Most organizations will do best with a two-tier hierarchy, which is the most common architecture. It is also more secure than the one-tier design (not recommended) because the Root and issuing CAs are separated. In the two-tier model, the Root CA is offline, and a subordinate issuing CA is online. There is also the three-tier model; however, with the additional tier come additional costs and manageability issues.
- Public CA vs. Private CA
You can acquire your certificates from a public CA or you can choose to operate an in-house private CA to issue certificates. Whether you decide on a public or private CA will depend on how you plan to use the certificates.
- Security Aspect
Storing the private keys of the CA securely is critical in any PKI. The best security practice is to store the keys of CAs in a hardware security module (HSM). An HSM is a FIPS-certified dedicated hardware device, which is separately managed and stored outside of the operating system software. It comes with multiple tamper-resistant and self-destructing features in case there is evidence of continuous attacks.
Once you have set up a PKI environment, you will have to manage day-to-day operations like issuing certificates for users, helping users unblock their device PIN, etc. As your deployment size grows, your need for automating some of these tasks increases exponentially. If you have a large population with different groups of users who need certificates based on different templates and certificate types, management could quickly get out of control without a tool that allows you to automate most of the lifecycle management.
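The two-tier hierarchy described under CA Deployment Model, built as a lab with OpenSSL (an added example, not from the original post or the webinar). The subject names, key sizes, lifetimes and file names are assumptions, and the CA keys are plain files here only because this is a lab; the recommendation above is to keep them in an HSM.

```shell
#!/usr/bin/env bash
# Added example: two-tier PKI lab. All names, sizes and lifetimes are assumptions.
set -eu

build_two_tier() (   # subshell body, so the cd does not leak to the caller
  mkdir -p "$1"
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[issuing_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  # Tier 1: self-signed Root CA. In production this key stays offline.
  openssl req -x509 -new -nodes -newkey rsa:2048 -config pki.cnf -extensions root_ca \
    -subj "/CN=Example Offline Root CA" -days 3650 -keyout root.key -out root.crt
  # Tier 2: issuing CA, signed by the root; pathlen:0 forbids further sub-CAs below it.
  openssl req -new -nodes -newkey rsa:2048 -config pki.cnf \
    -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions issuing_ca -days 1825 -out issuing.crt
  # End-entity certificate, signed by the online issuing CA only.
  openssl req -new -nodes -newkey rsa:2048 -config pki.cnf \
    -subj "/CN=example-user" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf -days 365 -out leaf.crt
)

# Checks: the leaf chains to the root via the issuing CA, which cannot mint sub-CAs.
verify_leaf() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" "$1/leaf.crt"; }
issuing_pathlen_zero() { openssl x509 -in "$1/issuing.crt" -noout -text | grep -q 'pathlen:0'; }

PKI_DIR="$(mktemp -d)"
build_two_tier "$PKI_DIR"
verify_leaf "$PKI_DIR"
issuing_pathlen_zero "$PKI_DIR" && echo "issuing CA constrained with pathlen:0"
```

After the issuing CA certificate is signed, `root.key` is not needed for any leaf issuance, which is what allows the Root CA to remain offline.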
So those are some of the key considerations to think about while you’re planning your PKI. And we can’t stress enough that planning is one of the most important steps, if not the most important, when implementing PKI in your organization. Take the time to watch the webinar PKI—Your Ally in the War Against Security Threats. It will be worth it.