Root Causes 533: Flexibility Through Multi-CA Trust Models
We discuss how a static PKI structure can hurt corporate flexibility and resilience. Events like reorgs and M&A activity can cause intractable problems with the wrong PKI setup. Plus, Jason coins the term PKI archeology.
- Original Broadcast Date: October 7, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, Jay, companies change over time. They grow. They reorganize. They add and remove business lines. They do M & A activity. When you think about your company today and compare that to what your company might become tomorrow, how does this affect your PKI architecture?
-
Jason Soroko
Tim, you know very well that typically PKI architectures, the usage of publicly trusted certificates, but private CAs and how they're set up, quite often are built for static systems. Like really static.
-
Tim Callan
I think very much so.
-
Jason Soroko
And we brought up earlier today, in one of these recordings, that multi-purpose CAs were a thing for a long time. Still are.
Eventually getting wrung out for good reasons. I think, Tim, nobody, but nobody is doing a good enough job mapping out their PKI as a whole, and how corporate structures, how they are dynamic, and how your PKI architecture is either fragile because of it, or non-fragile because of it. So in other words, let's say two companies come together, or a business division is split out, this is quite common. And yet, we see a lot of PKI architectures where multi-purpose roots - -
-
Tim Callan
They are both sitting on the same CA or their certs are coming out of the same pool. They're undifferentiated in any way. This is part of the business that gets split. Let's use an extreme scenario. It gets sold.
I'm going to sell this business. I'm going to sell a bunch of functions. There's literally going to be operating infrastructure. There's going to be code that's running, and it's got a bunch of certs that came out of the same pool as stuff that belongs to the parent company that didn't carve it off, and we might not even know which is which.
-
Jason Soroko
Tim, we had a podcast a little earlier today where, I think you had said it, taking inventory of your cryptographic assets kills three birds. I think I came up with a fourth one. This is a fifth one.
This really is, guys, people who are involved, even at, like, a higher business level, who are thinking about business synergies when things are pulled apart or brought together, M & A or otherwise, a lot of times they don't think about the underlying systems that are sometimes built at an atomic level. Like a multi-purpose root. I think that it's time to get mature as corporate entities to realize that this is why you do two things. You make sure that the purposes of your PKI are at an atomic level.
Single purpose roots. And taking inventory of cryptographic assets. Because if you don't do those two things, refer to the podcast we just recorded on those and we're gonna be publishing soon, you will end up having to do PKI archeology.
-
Tim Callan
PKI archeology. So I'm gonna have to go back and puzzle out what keys and certificates and CAs and use cases apply to what parts of the business. As I reshuffle the deck, "you guys report to this BU now," then what it does is it gets complicated. It's like - tell me if you don't agree - it's almost like a marionette. All the strings are parallel to each other. Now, you take the marionette and you shake it around furiously, and all the strings are tangled.
-
Jason Soroko
It's spaghetti.
-
Tim Callan
And this happens with your PKI as well.
-
Jason Soroko
It absolutely can. Because trust models can get so complicated. Let's think about this one for a moment, Tim. I'll throw a really pragmatic example of the marionette strings intertwining.
Two businesses were brought together. It made sense at the time from a business standpoint, and the people who were in the trenches were like, make it work. So they cross-signed two PKI systems that had never trusted each other before. It’s now six years later. Oh, we got to sell these things. That business unit didn't work out. Or it worked out so well that we want to sell now at the peak of its value.
-
Tim Callan
They're completely entangled.
-
Jason Soroko
You're doing PKI archeology. Who is talking about this? Nobody. This was the theme of the chats today, Tim. Is, what are some things that are just fundamentally important, but nobody's talking about.
-
Tim Callan
So it feels like we can plan for this. Like we can make choices now that protect us, or at least mitigate - probably don't eliminate - but at least provide some protection against entanglement spaghetti mess and the associated problems down the road. So we talked about them. It is definitely single purpose roots. It is single purpose CAs. It is clear inventory of certificates and discipline around implementing where those certificates are used. So a very common thing that you see, very common, is there's a pool, and everybody just scoops out of the pool as need be, and all of the substance in the pool is identical. And that can lead to inability to trace things back to where they go.
-
Jason Soroko
Absolutely. So, Tim, if you think about this - What we're trying to say is, there's so many reasons to take inventory of cryptographic assets.
We're just sitting here on these Earth couches. We've got multitudes now, of reasons. I would say this. As part of your inventory taking - remember, it was where are the certificates themselves? Where are the other key materials that might not even be certificates.
What are the crown jewel secrets that are encrypted potentially or signed with this key material? And then, my God, if you don't have a map of your trust model, you're going to have to do PKI archeology at a point that you don't want to. Therefore, as part of your inventory, and this is what this podcast is, what I'm trying to suggest is - -
-
Tim Callan
Let’s add CPSs to the list?
-
Jason Soroko
Add CPSs to the list because they have to map up with the trust models you have overall. They're very CA specific.
-
Tim Callan
They might be different. Like you might have different practices under different circumstances. Why don't you capture these as individual CPSs? So you can marry the important practices to the use case.
-
Jason Soroko
Therefore, I think that you and I only - not too long ago - did a reminder episode that, by the way, we don't talk about trust models often.
But this highlights where trust models could smack you in the head, is when you're not aware of them; you haven't mapped them out fully in your organization; you don't know where all the spaghetti strings are on your marionette; you don't want to have to map this out at the last minute. In other words, final line, PKI archeology as a panic mode exercise might be one of the most painful things you could ever do. So don't ever become a PKI archeologist.
-
Tim Callan
Find yourself, put yourself in a situation where you're not going to find yourself being forced to do PKI archeology.
-
Jason Soroko
Be a PKI cartographer. Right now.
-
Tim Callan
Nice. Don't be a PKI archeologist, be a PKI cartographer. I love it.
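The "PKI cartographer" step the hosts describe, mapping which CA has signed for which key so that a cross-sign made during a merger is visible before a carve-out, as an added example that is not part of the episode or anything the hosts published. It uses only the Go standard library. The certificate pool is constructed for the demo: two independent roots named Acme and Globex, an Acme issuing CA with one service leaf, and a cross-sign of Acme Root by Globex Root, all of which are assumptions for illustration. Keys are grouped by the hash of their SubjectPublicKeyInfo rather than by subject name, which is what makes a root and its cross-signed copy show up as one key with two issuers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Node is one key in the inventory: who holds it and which CA subjects have signed for it.
type Node struct {
	Subject string
	Issuers map[string]bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a cert for key (generated when nil) under parent; nil parent means self-signed.
func mkCert(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// trustMap is the cartography step: certificates are grouped by the hash of their public key,
// and CheckSignatureFrom confirms the signature and that the candidate parent is a CA allowed to sign.
func trustMap(pool []*x509.Certificate) map[string]*Node {
	nodes := map[string]*Node{}
	for _, c := range pool {
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		id := hex.EncodeToString(sum[:8])
		if nodes[id] == nil {
			nodes[id] = &Node{Subject: c.Subject.CommonName, Issuers: map[string]bool{}}
		}
		for _, p := range pool {
			if c.CheckSignatureFrom(p) == nil {
				nodes[id].Issuers[p.Subject.CommonName] = true
			}
		}
	}
	return nodes
}

// entangled lists keys certified by more than one CA: the cross-signs a carve-out must untangle.
func entangled(nodes map[string]*Node) []string {
	var out []string
	for _, n := range nodes {
		if len(n.Issuers) > 1 {
			out = append(out, n.Subject)
		}
	}
	sort.Strings(out)
	return out
}

// demoPool is a constructed inventory (assumed names): two roots, an issuing CA, a leaf, and a post-merger cross-sign.
func demoPool() []*x509.Certificate {
	acmeRoot, acmeKey := mkCert("Acme Root", true, nil, nil, nil)
	globexRoot, globexKey := mkCert("Globex Root", true, nil, nil, nil)
	acmeIssuing, issKey := mkCert("Acme Issuing CA", true, nil, acmeRoot, acmeKey)
	leaf, _ := mkCert("svc.acme.example", false, nil, acmeIssuing, issKey)
	crossSigned, _ := mkCert("Acme Root", true, acmeKey, globexRoot, globexKey)
	return []*x509.Certificate{acmeRoot, globexRoot, acmeIssuing, leaf, crossSigned}
}

func main() {
	nodes := trustMap(demoPool())
	fmt.Println("entangled:", entangled(nodes))
}
```

On a real inventory you would feed trustMap the PEM bundles pulled from every trust store, HSM and config repo you found, and anything it lists as entangled is a trust relationship that has to be documented, and eventually re-issued or revoked, before one side of the business can be handed over cleanly.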