Perils of DIY Private PKI


Written by: Brian Trzupek, Senior Vice President of Product at DigiCert

Private PKI allows you to issue your own private SSL certificates off a unique intermediate root often maintained by a publicly trusted CA. However, many choose to construct and manage their own Public Key Infrastructures — a DIY PKI. For smaller organizations and internal solutions, a DIY PKI may be manageable. Yet, as modern enterprise networks grow and expand into new niche areas of technology, their PKI becomes even harder to manage. It is imperative to understand what it takes to manage a PKI. This can help you determine if you want a DIY PKI solution or the help of a commercial CA to manage your private PKI.

DIY PKI challenges

Enterprises often choose DIY PKI to save money, but the time and effort it takes to manage their own PKI can cost more. Furthermore, if a PKI is not managed well, it is robbed of much of its value. In practice, a DIY PKI often struggles with the very environments it is meant to help secure, especially enterprise networks that are becoming increasingly complex and multifaceted. Organizations face pressure to provide PKI across hybrid and multi-cloud environments, and to scale with the growth of IoT and other devices accessing the network.

PKI requires close attention to stay up to date with industry standards, remain compliant and keep pace with hardware and software updates. Because it needs to be managed carefully, whoever manages it needs to be something of a PKI expert.

If you are considering a DIY PKI, these are questions you need to assess:
* Do you have someone in your organization who knows how to secure private keys with an HSM?
* Do you have a backup and recovery plan for the PKI keys and systems?
* As IT infrastructure evolves, will your PKI be able to support the latest devices, OSes and use cases?
* If you are in an industry with compliance requirements, you may have audit criteria for your PKI, people, systems and tools. Are you ready for that?
* Do you understand what the industry may need to interoperate correctly?
* How many users are you enrolling in your PKI? What is your plan to do so without burying your internal IT staff?
* How will you scale your usage as you grow?
* How will you automate integration with third-party systems?

Additionally, the tools that an enterprise might use to build their own PKI — such as Microsoft CA — come with their own weaknesses. For example, Microsoft CA still has issues with usability, scalability and vulnerabilities, and it can be hard to integrate with complex enterprise networks. Microsoft CA also struggles when handling over 40,000 certificates, which may seem like plenty, but each user can require multiple certificates, so in a large enterprise 40,000 is often not enough.

Moving from data centers to the cloud
Enterprises in India face significant challenges as they move from their own data centers or physical servers and start deploying containers and orchestration environments in the cloud. For example, where an enterprise could once use static IP addresses as a form of authentication, in the cloud it cannot. It will need strong authentication that is highly automated for a dynamic environment — an environment where an authentication credential may live for a few moments, a few days or a few years. The old notion of using pre-shared keys for authentication is a security risk and extremely difficult to scale into a dynamic IT environment.

Once you have your systems running in the cloud, you also may not control the network layer, so you will want to add encrypted communications between systems. PKI is a fantastic way to do this; however, it increases the complexity of what you have to manage because:
* You will need automation, control and integration with orchestration tools,
* It is very difficult to automate this for a dynamic environment, and
* If you use encryption, you will also need to keep supporting network operations tools, and encryption only gets in their way.

You will also want to manage the non-repudiation and integrity of the services you operate. You will need container signing so that you know the resource you deployed to execute in your environment is the trusted resource you believe it to be. The good news is that there are sophisticated PKI tools built to solve these dynamic challenges, and they do it very well. In India, with the onset of the pandemic, the shift to the cloud has made PKI a necessity for secure data center operations. If your organization plans on deploying PKI for user authentication, DevOps, document signing, machine identity or IoT use cases, you must start by understanding what is needed, so that you do not have to start again after getting halfway.

