PKI is not as intimidating as you think. Why not DIY PKI?

Last updated: 22 May 2017

Public Key Infrastructure (PKI) is making a comeback in a big way.  Once thought of as a security solution only for government or large enterprises, PKI is seeing a surge in implementations in small to medium-sized businesses.  But for a small IT staff, implementing PKI may seem intimidating and too complex—not so fast! Depending on the size of your deployment and your desire or need for automation, PKI can be implemented fairly easily.

Planning is essential
In a previous blog, we stressed the need for some serious pre-planning before you dive in and start installing pieces of the full infrastructure all willy-nilly.  Please take a look back at our post “PKI implementation planning, your guide before diving in” for a refresher.  There is also a corresponding webinar and a guide to help you with your plan of action.  Download Key Considerations when Setting up a PKI Environment or watch our “PKI – Your Ally in the War Against Security Threats” webinar.

Before we get too far into the weeds, let’s take a look at the components that make up a PKI.

Hardware Security Module (HSM) – a physical computing device that protects and manages digital keys for strong authentication and provides cryptographic processing.  HSMs can be used for many different purposes. Some common use cases are:

  • Protection of CA certificates
  • Protection of database encryption keys
  • SSL private key protection
  • Code signing key protection
  • Protection of the CMS master key

Credential Management System (CMS) — software that allows IT administrators to securely manage their smart card and smart USB token deployments. What does a CMS do, you ask?

  • Eliminates burden of manually managing the certificate lifecycle
  • Allows for creation of pre-defined templates
  • Acts as a registration authority
  • Provides self-service tools for users
  • Emergency recovery procedures
  • Mobile credential support

Middleware — software that allows the communication between crypto applications and security devices

  • Enables communication with smart cards and tokens
  • Gemalto offers both “plug and play” and advanced middleware deployment options
  • Full management of tokens/smart cards
  • Usually deployed in conjunction with CMS in enterprise environments to automate the credential lifecycle

Authenticators – the actual devices that provide the enhanced security functions, such as authentication, file encryption, digital signatures, and secure certificate and key storage. PKI authenticators come in many form factors, including:

  • Smart cards (contact and contactless)
  • MicroSD
  • USB tokens
  • Mobile phones (secure element)
  • Software (PC/module)

Let’s do this!
Gemalto developed a process to help small to medium-sized businesses implement a PKI easily.  This process works with Microsoft servers and Active Directory, so it’s designed for Microsoft environments.  The components used to test and verify this process are Gemalto SafeNet Authentication Manager and SafeNet Luna HSM.  You will also need to select a Certificate Authority before you start.

That being said, let’s take a look at the five-step DIY process.

  1. Install and configure HSM
  2. Install the root CA and configure it with HSM
  3. Install and configure the issuing CA
  4. Configure user permissions and create certificate templates
  5. Install and configure Credential Management System
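The first four steps above, as an added PowerShell example for Windows Server AD CS that is not Gemalto’s script or tooling; the HSM key storage provider name, CA names and URLs are placeholders or constructed values, and step 5 (the CMS) is product-specific and left out.

```powershell
# Added example, not Gemalto's own tooling: the HSM-backed two-tier CA from steps
# 1-4 on Windows Server AD CS. $KspName is a placeholder for the HSM vendor's Key
# Storage Provider as registered on the server; names and URLs are constructed.
$KspName   = '<HSM vendor Key Storage Provider>'      # placeholder, see certutil -csplist
$Provider  = "RSA#$KspName"                           # algorithm#provider form AD CS expects
$CdpUrl    = 'http://pki.example.com/pki/%3%8%9.crl'  # %3 = CA name, %8/%9 = CRL suffix/delta
$AiaUrl    = 'http://pki.example.com/pki/%1_%3%4.crt' # %1 = server DNS name, %4 = cert suffix

# Step 1 check: the HSM's provider must be visible to Windows before any CA key is
# created, so the root key is generated inside the HSM and never in a software provider.
function Assert-HsmProvider {
    if (-not (certutil -csplist | Select-String -SimpleMatch -Quiet $KspName)) {
        throw "Key storage provider '$KspName' is not registered on this host"
    }
}

# Step 2: standalone (offline) root CA whose private key is generated inside the HSM.
function Install-HsmRootCa {
    Assert-HsmProvider
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Example Root CA' `
        -CryptoProviderName $Provider -KeyLength 4096 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
    # The root only signs issuing CAs, so a long CRL period is fine; the HTTP URLs (flag 2)
    # go into issued certificates so clients can check revocation while the root is offline.
    certutil -setreg CA\CRLPeriodUnits 26
    certutil -setreg CA\CRLPeriod 'Weeks'
    certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl`n2:$CdpUrl"
    certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt`n2:$AiaUrl"
    Restart-Service certsvc
    certutil -crl
    certutil -verifykeys   # confirms the CA certificate matches a key the HSM can actually use
}

# Step 3: enterprise issuing CA, also HSM-backed. It writes a request that is signed on the
# root (certreq -submit there), after which the returned certificate is installed here.
function Install-HsmIssuingCa {
    Assert-HsmProvider
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'Example Issuing CA' `
        -CryptoProviderName $Provider -KeyLength 4096 -HashAlgorithmName SHA256 `
        -OutputCertRequestFile 'C:\issuing-ca.req' -Force
}

# Step 4, after 'certutil -installcert C:\issuing-ca.crt' and starting certsvc: publish only
# the templates this CA should issue, so it cannot hand out certificate types nobody planned for.
function Publish-IssuingTemplates {
    certutil -SetCATemplates +SmartcardLogon +User
}
```

Run the root function on the offline root host and the issuing function on the domain-joined issuing host; template permissions themselves are set on the template objects in Active Directory, not on the CA.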

Gemalto resident PKI expert, Rae Barton, recently summed this all up in a very informative webinar.  In this session, Rae goes through this process step-by-step with additional instructions, tips and advice.  Check it out for yourself, watch “DIY PKI – A Simple Approach to Your PKI Environment” and download additional PKI resources.

