Planning A Cloud PKI Infrastructure – Best Practices

Public Key Infrastructure (PKI) is a time-tested and proven security tool in the enterprise, recognized by all IT and security leaders. It is an essential part of any organization’s security. Many PKI deployments are more than a decade old and still support several business applications.

However, the digital landscape has changed. The challenges, standards, and use cases related to PKI are no longer the same. Today organizations face different challenges when using PKI.

Modern computing infrastructure, devices, and a distributed workforce require a higher level of security against constantly evolving threats. This forces organizations to reconsider their security posture, close potential vulnerabilities, and meet ever-growing compliance objectives.

PKI deployments have expanded and evolved considerably to protect more business-critical applications than ever before. PKI has emerged as a secure and cost-effective technology to underpin new initiatives, from the cloud to the IoT.


PKI Best Practices

Today, organizations and businesses face new uncertainties. The huge growth in network scale and complexity demands a next-gen PKI. Digital certificate usage across businesses has grown enormously. With it, the demand for integrating several tools and applications, such as SIEM, ITSM, key vaults, secret management, and PAM solutions, has also increased.

To support this new environment, IT and security engineers need to re-engineer their aging and disjointed PKI environments, and the certificates issued from them.

“Organizations are expanding the use of PKI within IoT and DevOps pipelines. Technical professionals need to transform the perception – and the deployment – of PKI to establish an automated management regime for PKI.”

Gartner, The Resurgence of PKI in Certificate Management, the IoT and DevOps

Planning a Cloud PKI Infrastructure?

This article discusses how the role of PKI in the enterprise has evolved, along with the challenges and new risks in keeping it secure and running it effectively. It covers best practices to identify these new challenges, address them, and take appropriate actions to adopt the next generation of PKI that will support your business needs today and tomorrow.

Digital Transformation Of Modern PKI Use Cases


PKI has been on the scene for a long time. Most PKI implementations are more than a decade old and support several applications across the business. However, the earlier PKI deployments faced a different set of challenges, standards, and use cases than enterprises face at present.

PKI has emerged as the core technology to secure applications at the forefront of digital transformation. It is no longer a complex tool used for niche cases like network authentication and web servers.

Cloud/Multi-Cloud Certificate Management: To keep applications running smoothly, a centralized certificate management solution is used to manage all certificates automatically, both in the cloud and across the entire enterprise environment. These certificates protect the applications hosted in the cloud. A Cloud PKI can be implemented on any of the major cloud platforms (Azure, AWS or GCP).

Zero-Trust Security: Key pairs and PKI certificates make digital identity verification strong and ensure secure connections between entities beyond the traditional firewall perimeter, supporting zero-trust security compliance.

Web and Application Servers: Enterprises need to implement an advanced level of encryption and authentication across all applications and websites in their environment (cloud and on-premises) and beyond the firewall. To achieve trusted client-server authentication, TLS/SSL certificates are used to encrypt communication over the internet.

DevOps Containers and Code: Software engineering teams incorporate compliant certificate processes into their regular workflow, using high-volume, short-lived SSL certificates and code signing certificates to secure the integrity of containers, the production applications that use them, and the code they run.

Internet of Things (IoT) Devices: To securely build and manage an IoT environment, it is essential to have strong identity authentication and remote security management for all connected devices.

Connected devices act on the internet and need digital identities to operate safely. Additionally, the rapid advancement of IoT technology has boosted demand for Internet of Things public key infrastructure (IoT PKI), as businesses need to design their business models to stay secure and competitive.

Steps To Building A Scalable Cloud PKI - Best Practices


With time, PKI has evolved, demanding a new set of best practices. Businesses are becoming more dependent on their PKI to guarantee trust as stricter data security regulations come to the fore. Building a scalable PKI requires significant investment in personnel, infrastructure, and ongoing operational support. However, the result of building a robust PKI is worth the effort.

Understand The Use Cases

One of the most common mistakes made before any PKI project gets off the ground is a lack of understanding of the design. Often what looks simple on paper is a different ball game in practice. The PKI architecture that fits the business needs and the environment must be verified before getting started.

Start by properly understanding and documenting the intended use cases for the PKI. Remember that every step of the project depends on how well this groundwork is done. An incomplete inventory will create more work to address shortcomings later, and it might result in a PKI that cannot support growth without a complete overhaul.

Hence, understanding the needs upfront and structuring your PKI accordingly will prevent irreversible post-production problems.

Define Policies And Practices

Most organizations implement a PKI quickly to address a particular project requirement, without consideration for policies and practices. However, PKI has a well-defined structure for policy and practices, laid down in the form of a Certificate Policy and Certificate Practice Statement (CP/CPS).

You may or may not draft a CP/CPS, but your ecosystem will benefit from the higher assurance level that documented policies and practices bring to the certificates it issues. Not every enterprise needs a CP/CPS, but the best managed and most secure PKIs have one.

Once use cases have been documented, your CP/CPS will guide you through the implementation of the PKI. Keep in mind that a CP/CPS has value only if it reflects the organization’s particular PKI requirements and operational processes.

Root Signing Ceremony

Building the root CA (the root signing ceremony) amounts to creating a “master key” for the organization’s network and should be handled carefully. The configuration and building of the root CA should be properly scripted in a controlled environment. Depending on the assurance level required for the PKI, the signing ceremony will range from an informal execution of a script (low assurance) to a formal, recorded event at a pre-authorized location (high assurance).

The root CA is a security measure that you control from the start. At this point, you will have to decide whether a hardware security module (HSM) is required for your certificate authorities. While HSMs can be added later, they offer less protection than when the CA keys are generated in them from the start.

Build And Configure Infrastructure

With the root ceremony complete, it is time to build and configure the infrastructure and the subordinate PKI servers. Ensure that a complete set of build documents and configuration procedures is in place, aligning the infrastructure with the CP/CPS established earlier, and that any gaps are identified.

Get the plan reviewed by other PKI-dependent teams to ensure that nothing is missed. Make sure that all the PKI components are properly tested before placing the PKI into production. Ensure the certificates that you intend to support across various applications and platforms are thoroughly tested.

You should consider how your PKI-issued certificates will be managed throughout their life-cycle. Do not forget about Disaster Recovery (DR). Organizations running their own PKI rarely do end-to-end DR testing.

DR testing is different from re-installing a certificate or testing a CA or root recovery. For disaster testing to be effective, understand what is necessary to rebuild an entire PKI ecosystem, including issuing CAs, the root CAs, validation schemes, and OCSP or CRL.

Move PKI From Test To Production

While moving a PKI from test to production, ensure that all its components are properly operationalized. Like any similar asset, once it becomes part of the corporate infrastructure there is no longer a project team accountable for its upkeep and maintenance.

A PKI needs a significant amount of care and feeding to remain functional. It is dangerous if the security team is only concerned with implementing the PKI and not with its ongoing operation. A habitual stumbling point is forgetting about CRL publication intervals: if a fresh CRL is not published before the current one expires, relying parties can no longer check revocation status, and certificates become unusable simply because the team forgot to publish the CRL.
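A CRL freshness check that catches the missed-publication failure described above, as an added example (not code from the original article). It uses the pyca/cryptography library; the issuing CA key, its name, and the CRLs are constructed sample data, not a real PKI.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_sample_crl(ca_key, this_update, next_update):
    """Sign a CRL for a hypothetical issuing CA (constructed sample data)."""
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Issuing CA")])
    revoked = (x509.RevokedCertificateBuilder().serial_number(0x1234)
               .revocation_date(this_update).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
           .last_update(this_update).next_update(next_update)
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def _as_utc(value):
    # Older cryptography releases return naive UTC datetimes; newer ones return aware ones.
    return value if value.tzinfo else value.replace(tzinfo=dt.timezone.utc)

def check_crl(crl_der, ca_public_key, now, warn_before=dt.timedelta(hours=24)):
    """Classify a published CRL as BAD_SIGNATURE, EXPIRED, WARN or OK.

    Once nextUpdate has passed, relying parties can no longer determine revocation
    status, which is how a forgotten CRL publication makes certificates unusable."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        return "BAD_SIGNATURE"  # not issued by this CA, or altered on the way
    next_update = _as_utc(getattr(crl, "next_update_utc", None) or crl.next_update)
    if now >= next_update:
        return "EXPIRED"
    if next_update - now <= warn_before:
        return "WARN"  # the publication job must run before clients notice
    return "OK"

def demo():
    """Run the check against constructed CRLs and return the status of each."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime(2024, 6, 1, 12, 0, tzinfo=dt.timezone.utc)
    week = dt.timedelta(days=7)
    fresh = build_sample_crl(ca_key, now - dt.timedelta(days=1), now + week)
    closing = build_sample_crl(ca_key, now - week, now + dt.timedelta(hours=6))
    stale = build_sample_crl(ca_key, now - 2 * week, now - week)
    other_ca = ec.generate_private_key(ec.SECP256R1()).public_key()
    return {"fresh": check_crl(fresh, ca_key.public_key(), now),
            "closing": check_crl(closing, ca_key.public_key(), now),
            "stale": check_crl(stale, ca_key.public_key(), now),
            "wrong_issuer": check_crl(fresh, other_ca, now)}
```

Run `check_crl` from a scheduled job against the CRL actually published at your distribution point, and alert on WARN well inside the publication interval so the missed-publication case never reaches EXPIRED.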

An essential component of PKI operations is recording, explaining, and documenting changes, a process known as change control. Compensating controls are another important element: additional security measures designed to build security into a complex ecosystem like PKI.

Continuous Test, Review, And Audit

After the controls have been operationalized and documented, they must be reviewed and tested regularly. This is considered part of the internal audit. It should cover everything listed in the DR plans, the CP/CPS, and the business continuity plans for all PKI components.

If a change is needed, start a change control to update the relevant documents. Organizations that conduct internal audits regularly can identify problems early and answer external auditors’ questions with evidence.

PKI owners should also monitor their PKI controls against current and emerging standards, including WebTrust, the CA/Browser Forum, and industry and statutory bodies. This helps the organization stay ahead of trends that could otherwise lead to PKI weaknesses.

Organizing an annual PKI health check to uncover anything that the organization may not have considered is also a best practice.

Are You Re-Thinking Your PKI?

PKI has long been a notable internet security standard. It has all the characteristics required to provide the highest degree of security and trust demanded by today’s Internet of Things (IoT) implementations. It offers well-proven and robust protection through authentication and encryption, and validates data integrity.

PKI is a set of software, hardware, procedures, and policies for creating, distributing, managing, and updating digital certificates over time. It is the backbone of enterprise IT. However, the role of public key infrastructure has changed a lot. It is no longer considered a niche technology that handles a limited set of use cases.

PKI is now emerging as a central requirement for digital transformation. Keeping it up and running can be a challenging task for organizations, and new integrations add to that challenge.

Executing a new PKI does require a significant investment of resources and time to get it right.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
