Pitfalls of implementing a PKI solution

Mar 17, 2021, 10:58 AM by Riaan De Villiers
Implementing a PKI project takes a lot of hard work and dedication. Today we will discuss the pitfalls that you can expect to encounter implementing your organisation's own PKI solution.

Pitfalls of implementing a PKI solution

Implementing PKI projects

Photo by cottonbro from Pexels.

There are numerous security and productivity benefits for an organisation to deploy a Public Key Infrastructure (PKI) solution.

  • PKI can allow organisations to deploy TLS certificates that will protect internal and external communications against tampering and impersonation.

  • Digital certificates issued by the PKI solution to devices and persons can grant them seamless authorization to access resources to perform their duties.

  • Digital certificates can be used to sign emails and software developed by the organisation.

  • Digitally signing documents will allow organisation to digitise business processes, saving them time and money.

However, deploying a PKI solution can be a daunting task. The solution comprises of software, hardware, legal elements, compliance elements and staff. Bringing all these elements together into a coherent solution requires hard work.

Today we will look at some of the pitfalls to watch out for when deploying a PKI solution in your organisation.

1. Organisational pitfalls

Before deploying a PKI solution, it is important to ensure that your organisation is PKI ready. Let’s start by taking a look at some organisational pitfalls.

1.1 Not establishing a PKI organisation

Staff your PKI organisation with resources that will support the Policy and Operations Authority functions such as the Certificate Policy (CP) and the Certification Practices Statements (CPS) expectations.

Furthermore, you should have enough staff so that you can implement dual controls and segregation of duties. If not implemented, you could have audit problems in the long run.

2. Planning

Critical to any PKI implementation is planning, understanding your solution and your environment will help you avoid issues later during the deployment. Avoid these pitfalls during your planning phase.

2.1 Not understanding your use cases

Start by clearly defining your PKI requirements and use cases. A clear understanding of what you will need from your PKI solution will help you determine the trust level of the digital certificates you need. It can also help you recognise if you should deploy your PKI solution in-house or consume it as a service.

2.2 Not understanding your environment

Can the Certificate Authority (CA) that you deploy communicate with all areas of the network that requires digital certificates?

The applications that consumes the PKI services must be able to communicate with your CA hierarchy to retrieve certificates and other PKI services.

2.3 Not understanding the entire certificate life cycle.

Often PKI deployments do not cater for the entire certificate life cycle i.e. expiration, revocation and renewal. Depending on the PKI use case, you must also cater for key archival and retrieval.

2.4 Not involving the operations team

Operating a public trusted PKI will have an impact on the operations your organisation. Involve the operations team from the start so that they can assess the impact of PKI on their daily operations and start to understand the solution.

3. Implementation

During implementation, special attention must be paid to the Hardware Security Modules.

3.1 Implement Hardware Security Modules

Due to the importance of Hardware Security Modules (HSM) they have to be installed during a witnessed process. Members of the compliance and audit team must witness the installation and sign off that the implementation was done correctly. The implementation is known as a Cryptographic Key Ceremony.

Prior to conducting the Cryptographic Key Ceremony adequate planning must take place and the following documents must be created:

  • CA Hierarchy architecture and resilience

  • CA naming convention

  • CA certificate names, key sizes, and signing algorithms, etc.

  • Validation practices

  • Certificate life cycle management automation

  • Policies and practices and targeted assurance levels (i.e. Certificate Policy (CP) and Certification Practices Statements (CPS)).

Before performing the Key Ceremony, do a dry run to ensure that everything is working as it should. By finding all the shortcomings before the Key Ceremony, you will have a lot less stress during the Ceremony.

4. Operations

Operating a PKI solution takes dedication. Here is some items that you should not forget about.

4.1 Not storing CA cryptographic keys securely

Depending on the PKI use case, consider using Hardware Security Modules with key share holder segregation. It is best practice to have the Root Certification Authority and supporting HSM offline.

4.2 Not establishing a cryptographic centre of excellence CryptoCoE virtual function

The CryptoCoE has five building blocks that help achieve crypto and PKI excellence:

  1. Crypto Health Check improves overall IT security posture by providing ongoing visibility into a complete cryptographic inventory, expertise and best practices.

    The Crypto Health Check team scans an organization's environment to build a cryptographic inventory and scores it against cryptography standards and policies. The data analysis is then turned into an actionable plan with measurable results – arming security, compliance and risk teams with the insights needed to mitigate crypto-related threats and bring hidden crypto into view.

  2. Crypto Governance Consulting places an expert-by-your-side to walk your organization through the essential steps of establishing a governance platform.

  3. PKI Governance Health Check reviews an organization’s PKI policy documentation and the different roles, processes and policies that they outline. Comparing those policies against best practices, compliance requirements, and business needs to deliver actionable recommendations to ensure there are no procedural gaps.

  4. PKI System Health Check assesses the status of the technology and software of an organization’s PKI implementation(s). From looking at the equipment and algorithms in use, to documenting architecture and providing recommendations - PKI experts will guide and assist the organisation to ensure their PKI is able to meet their current and future business requirements.

  5. PKI Governance Consulting assists organizations setting up a new PKI and defines and documents the policies used to govern their PKI.

Deploying a PKI solution holds many benefits to any organisation. It takes hard work and dedication to roll out the solution but by looking out for the above-mentioned pitfalls you can go a long way to ensure a good experience for the teams responsible for providing the service and the users.

The experts at LAWtrust have many years experience deploying Public Key Infrastructure projects. Need actionable advice and recommendations? Contact LAWtrust today.

We would like to give a big thank you to all the experts at LAWtrust that contributed their knowledge and expertise to this article.