What Is PKI as a Service?

Public key infrastructure (PKI) manages identity and security within Internet communications to protect people, devices, and data. PKI as a Service (PKIaaS) takes that and moves it to the cloud.

How Does Public Key Infrastructure Work?

Public key infrastructure (PKI) is the most common way to manage identity and security within Internet communications to protect people, devices, and data through digital certificates. With the combination of roles, policies, hardware, software, and processes, PKI is the gold standard for authentication and encryption, and PKI-based digital certificates are an essential component of a Zero Trust architecture. The certificates are used to authenticate the identity of the systems involved in digital communication. They provide a secure and encrypted way to understand who you are talking to without fear of malicious actors intercepting communications.

Organizations depend on PKI solutions to authenticate and encrypt information flowing through web servers, digital identities, connected devices, and applications. Establishing secure communications is paramount to ensuring business continuity and proactive risk management as organizations increasingly rely on the Internet for critical business functions and operations.

Public key cryptography is the core technology that enables PKI through two separate but related keys for encryption and decryption. The resulting key pair, a public key used to encrypt a message and an associated private key to decrypt it, is also referred to as asymmetric cryptography. The key pair uses cryptographic algorithms to guarantee that encrypted communications can only be decrypted by the intended recipient, the holder of the secret key. This is important in situations like securing virtual private networks (VPNs) or Internet of Things (IoT) devices, where communication is primarily automated on at least one side.

The Role of Certificate Authorities in PKI

A Certificate Authority (CA) is the organization that acts as the main governing body for digital certificates. They are trusted parties that issue and revoke certificates as necessary. Sectigo is the largest commercial CA in the world and offers the most popular certificate types, including SSL certificates for web browsers and load balancers, code signing certificates, S/MIME email certificates, certificates for IoT devices, digital signatures for document signing, and many others.

To issue a certificate, the CA performs a validation process that verifies the identity of the requester. They ensure that the certificate is valid and the identity has been verified to the extent required. To revoke a certificate, the issuing CA must put the certificate information on the certificate revocation list (CRL) and follow a process to make sure that it cannot be used anywhere.

For organizations that implement PKI to secure their systems, certificate lifecycle management (CLM) is a crucial consideration. This includes the creation, issuance, management, distribution, usage, storage, and revocation of digital certificates. It’s important to consult your CA to understand how this is provided.

Is PKI an AAA?

No. Authentication, authorization, and accounting (AAA) is a common term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.

Authentication is the only one of the three A’s that applies to PKI. AAA defines that it is not enough to identify yourself - you must also have a record of what you are allowed to do along with everything you actually do. PKI does not provide authorization and accounting for its users. To reach this goal, PKI must be enhanced with a policy-based AAA server for complete access control measures.

This is where a certificate management solution comes into play and the need for PKI-as-a-Service.

PKI-as-a-Service (PKIaaS)

More and more enterprises are moving essential portions of their infrastructure, including PKI, to the cloud. This is an attractive prospect as it can save on costs and provide significant scalability. However, with PKI it is extremely important to secure the root offline and to separately manage the Root CA and issue CAs online for certificate requests and issuance.

PKIaaS offers highly secure and scalable managed PKI combined with end-to-end certificate lifecycle management and automation in the cloud. It allows organizations to separate their key management from their on-premise infrastructure without compromising the security of the root. By establishing this infrastructure in the cloud organizations can utilize the provisioning services of their chosen CA at any time.

While leading cloud technology organizations offer PKIaaS, such as AWS PKI and Microsoft Azure PKI, these solutions only support certificates specific to their platform. Most organizations deploy many different public and private certificate types from many CAs. These organizations need a solution that can automate the management of all of their certificates.

Benefits of PKIaaS

Along with its many use cases, PKIaaS has many benefits. Some of the main benefits of transferring certificate management and automation of certificate services to the cloud include:

Lower Costs

With PKIaaS, there is no infrastructure for enterprises to set up and maintain so overall costs can be lower. Cloud-based PKIaaS reduces the total cost of ownership by eliminating the substantial hardware costs, root key generation, backup and failover software, audit expenses, and high salaries of dedicated experts necessary to maintain an on-premise PKI infrastructure. Additionally, many organizations benefit from consistent predictable pricing and can more easily budget their operating expenses without the exposure to significant capital costs.

Increased Security

Today's threat landscape is increasingly dangerous, even for on-premise security infrastructures that were once thought to be impenetrable. Recent high-profile on-premise breaches, such as Solarwinds and on-premise Microsoft Exchange servers, have put the security of on-premise PKI at risk. PKIaaS provides best-in-class cloud protection for organizational preparedness and cyber resilience with enhanced security and sophisticated hardware security module management for hardware availability and disaster recovery.

Visibility

PKIaaS lets you discover and view the status of all issued certificates through a single pane of glass at any time. Enterprises can discover all certificates installed in their environment plus the expiration dates of them so that they can minimize or eliminate service disruptions due to expired certificates. This service acts as a single source of truth, alleviating the headache of multiple key management portals, across multiple cloud vendors.

Automation Abilities

Enterprises are able to automate digital certificate issuance, installation, and renewal for all public and private CA certificates. PKIaaS offers automation workflow templates matching various automation standards like SCEP and EST.

Scalability

With PKIaaS, certificates can be automatically issued making it easy to ensure security at every volume, be it hundreds, thousands, or millions of certificates. They can be automatically renewed and replaced, giving users a better experience with less downtime. You can also easily revoke PKI certificates at scale, terminating access as needed.

Sectigo PKI

Sectigo is a leading cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security. Sectigo partners with organizations of all sizes to deliver automated public and private PKI solutions for securing webservers, user access, connected devices, and applications. Sectigo has a variety of offerings related to PKI and PKIaaS.

• Sectigo Certificate Manager is a cloud-based platform that gives you complete visibility and lifecycle control over any certificate in an environment, including private CA certificates. This certificate management system provides the tools, support, and capabilities to reduce risk and control costs.
• Sectigo Mobile Certificate Manager (MCM) can issue and manage certificates and keys across iOS and Android mobile devices without user intervention. Sectigo MCM supports PKI deployment of all certificate types and is interoperable with all leading devices, operating systems, and enrollment protocols.

To learn more about cloud-based certificate lifecycle management and PKIaaS, explore our solutions today!