Free Trial
Contact Us
Podcast

Root Causes 533: Flexibility Through Multi-CA Trust Models

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
October 7, 2025

We discuss how a static PKI structure can hurt corporate flexibility and resilience. Events like reorgs and M&A activity can cause intractable problems with the wrong PKI setup. Plus, Jason coins the term PKI archeology.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanSo, Jay, companies change over time. They grow. They reorganize. They add and remove business lines. They do M & A activity. When you think about your company today and compare that to what your company might become tomorrow, how does this affect your PKI architecture?
Jason SorokoJason SorokoTim, you know very well that typically PKI architectures usage of publicly trusted certificates, but private CAs and how they're set up quite often are built for static systems. Like really static.
Tim CallanTim CallanI think very much so.
Jason SorokoJason SorokoAnd we brought up earlier today, in one of these recordings that multi-purpose CAs was a thing for a long time. Still is.

Eventually getting rung out for good reasons. I think, Tim, nobody, but nobody is doing a good enough job mapping out their PKI as a whole, and how corporate structures, how they are dynamic, and how your PKI architecture is either fragile because of it, or non-fragile because of it. So in other words, let's say two companies come together, or a business division is split out, this is quite common. And yet, we see a lot of PKI architectures where multi-purpose roots - -
Tim CallanTim CallanThey are both sitting on the same CA or their certs are coming out of the same pool. They're undifferentiated in any way. This is part of the business that gets split. Let's use an extreme scenario. It gets sold.

I'm going to sell this business. I'm going to sell a bunch of functions. There's literally going to be operating infrastructure. There's going to be code that's running, and it's got a bunch of certs that came out of the same pool as stuff that belongs to the parent company that didn't carve it off, and we might not even know which is which.
Jason SorokoJason SorokoTim, we had a podcast a little earlier today where, I think you had said it, taking inventory of your cryptographic assets kills three birds. I think I came up with a fourth one. This is a fifth one.

This really is guys, people who are involved, even at, like, a higher business level, who are thinking about business synergies when things are pulled apart or brought together, M & A or otherwise, a lot of times they don't think about the underlying systems that are sometimes built at an atomic level. Like a multi-purpose route. I think that it's time to get mature as corporate entities to realize that this is why you do two things. You make sure that your purposes of your PKI are at an atomic level.

Single purpose routes. And taking inventory of cryptographic assets. Because if you don't do those two things, refer to the podcast we just recorded on those and we're gonna be publishing soon, you will end up having to do PKI archeology.
Tim CallanTim CallanPKI archeology. So I'm gonna have to go back and puzzle out what keys and certifates and CAs and use cases apply to what parts of the business. As I reshuffle the deck you guys report to this BU now, then what it does is it gets complicated. It's like - tell me if you don't agree - it's almost like a marionette. All the strings are parallel to each other. Now, you take the marionette and you shake it around furiously, and all the strings are tangled.
Jason SorokoJason SorokoIt's spaghetti.
Tim CallanTim CallanAnd this happens with your PKI as well.
Jason SorokoJason SorokoIt absolutely can. Because trust models can get so complicated. Let's think about this one for a moment, Tim. I'll throw a really pragmatic example of the marionette strings intertwining.

Two businesses were brought together. It made sense at the time from a business standpoint, and the people who were in the trenches were like, make it work. So they cross-signed two PKI systems that had never trusted each other before. It’s now six years later. Oh, we got to sell these things. That business unit didn't work out. Or it worked out so well that we want to sell now at the peak of its value.
Tim CallanTim CallanThey're completely entangled.
Jason SorokoJason SorokoYou're doing PKI archeology. Who is talking about this? Nobody. This was the theme of the chats today, Tim. Is, what are some things that are just fundamentally important, but nobody's talking about.
Tim CallanTim CallanSo it feels like we can plan for this. Like we can make choices now that protect us, or at least mitigate - probably don't eliminate - but at least provide some protection against entanglement spaghetti mess and the associated problems down the road. So we talked about them. It is definitely single purpose roots. It is single purpose CAs. It is clear inventory of certificates and discipline around implementing where those certificates are used. So a very common thing that you see, very common, is there's a pool, and everybody just scoops out of the pool as need be, and all of the substance in the pool is identical. And that can lead to inability to trace things back to where they go.
Jason SorokoJason SorokoAbsolutely. So, Tim, if you think about this - What we're trying to say is, there's so many reasons to take inventory of cryptographic assets.

We're just sitting here on these Earth couches. We've got multitudes now, of reasons. I would say this. As part of your inventory taking - remember, it was where are the certificates themselves? Where are the other key materials that might not even be certificates.

What are the crown jewel secrets that are encrypted potentially or signed with these key material. And then, my God, if you don't have a map of your trust model, you're going to have to do PKI archeology at a point that you don't want to. Therefore, as part of your inventory, and this is what this podcast is, what I'm trying to suggest is - -
Tim CallanTim CallanLet’s add CPSs to the list?
Jason SorokoJason SorokoAdd CPSs to the list because they have to map up with the trust models you have overall. They're very CA specific.
Tim CallanTim CallanThey might be different. Like you might have different practices under different circumstances. Why don't you capture these as individual CPSs? So you can marry the important practices to the use case.
Jason SorokoJason SorokoTherefore, I think that you and I only - not too long ago - did a reminder episode that, by the way, we don't talk about trust models often.

But this highlights where trust models could smack you in the head, is when you're not aware of them; you haven't mapped them out fully in your organization; you don't know where all the spaghetti strings are on your marionette; you don't want to have to map this out at the last minute. In other words, final line, PKI archeology as a panic mode exercise might be one of the most painful things you could ever do. So don't ever become a PKI archeologist.
Tim CallanTim CallanFind yourself, put yourself in a situation where you're not going to find yourself being forced to do PKI archeology.
Jason SorokoJason SorokoBe a PKI cartographer. Right now.
Tim CallanTim CallanNice. Don't be a PKI archeologist, be a PKI cartographer. I love it.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud