Mar 17, 2021, 10:58 AM
Riaan De Villiers
Implementing a PKI project takes a lot of hard work and dedication. Today we will discuss the pitfalls that you can expect to encounter implementing your organisation's own PKI solution.
Image: pitfalls of implementing a PKI solution. Photo by cottonbro from Pexels.
There are numerous security and productivity benefits for an organisation that deploys a Public Key Infrastructure (PKI) solution:
- TLS certificates protect internal and external communications against tampering and impersonation.
- Certificates issued by the PKI to devices and people let them authenticate seamlessly to the resources they are authorised to use.
- Certificates can be used to sign emails and software.
- Signing documents lets the organisation digitise business processes, saving time and money.
However, deploying a PKI solution can be a daunting task. The solution comprises software, hardware, legal elements, compliance elements and staff, and bringing all of these together into a coherent solution requires hard work. Today we will look at some of the pitfalls to watch out for when deploying a PKI solution in your organisation.
1. Organisational pitfalls
Before deploying a PKI solution, it is important to ensure that your organisation is PKI ready. Let's start by taking a look at some organisational pitfalls.
1.1 Not establishing a PKI organisation
Staff your PKI organisation with people who can carry out the Policy Authority and Operations Authority functions, including meeting the commitments set out in the Certificate Policy (CP) and the Certification Practice Statement (CPS). You need enough staff to implement dual control and segregation of duties (for example, no single person should be able to activate the root CA key, or both request and approve a certificate); without them you will run into audit findings in the long run.
2. Planning pitfalls
Planning is critical to any PKI implementation. Understanding your solution and your environment will help you avoid issues later during the deployment. Avoid these pitfalls during your planning phase.
2.1 Not understanding your use cases
Start by clearly defining your PKI requirements and use cases. A clear understanding of what you need from your PKI solution will help you determine the trust (assurance) level of the digital certificates you need. It will also help you decide whether to deploy your PKI solution in-house or consume it as a service.
2.2 Not understanding your environment
Can the Certificate Authority (CA) that you deploy communicate with all areas of the network that require digital certificates? The applications that consume PKI services must be able to reach your CA hierarchy to enrol for certificates, and every relying party must be able to fetch the CRL distribution points and OCSP responders named in the certificates. A revocation endpoint that is unreachable from one network segment causes failures that only appear once the cached CRLs expire.
2.3 Not understanding the entire certificate life cycle
Many deployments do not cater for the entire certificate life cycle, i.e. from issuance through expiration, revocation and renewal. Depending on the PKI use case, you must also cater for key archival and recovery; this applies to encryption keys only, since archiving signing keys undermines non-repudiation.
2.4 Not involving the operations team
Operating a publicly trusted PKI will have an impact on your organisation's operations. Involve the operations team from the start so that they can assess the impact of the PKI on their daily work and start to understand the solution.
3. Implementation pitfalls
During implementation, special attention must be paid to the Hardware Security Modules.
3.1 Implementing Hardware Security Modules
Because the Hardware Security Modules (HSMs) protect the CA keys, the commissioning of the HSMs and the generation of the CA keys on them must be a witnessed process. Members of the compliance and audit team must witness it and sign off that it was carried out correctly. This process is known as a Cryptographic Key Ceremony.
Before conducting the Cryptographic Key Ceremony, adequate planning must take place and the following documents must be created:
- Architecture and resilience design
- Certificate names, key sizes and signing algorithms
- Life cycle management automation
- Practices and targeted assurance levels, i.e. the Certificate Policy (CP) and Certification Practice Statement (CPS)
The ceremony itself should follow a written, step-by-step script that the witnesses tick off as each step is completed.
Before performing the Key Ceremony,
do a dry run to ensure that everything is working as it should. By
finding all the shortcomings before the Key Ceremony, you will have a
lot less stress during the Ceremony.
4. Operational pitfalls
Operating a PKI solution takes dedication. Here are some pitfalls to avoid once the solution is live.
4.1 Not storing CA cryptographic keys securely
Depending on the PKI use case, consider using Hardware Security Modules with key-share holder segregation: the credential that authorises use of the CA key is split into shares (an M-of-N quorum) held by separate custodians, so that no single person can activate it. It is best practice to keep the Root Certification Authority and its supporting HSM offline, bringing them online only for a ceremony such as signing a new issuing CA certificate or refreshing the root CRL.
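The hierarchy and life cycle described in sections 2.3, 3.1 and 4.1, as an added example in Python using the cryptography library. This is not LAWtrust's code; the CA names, key sizes, validity periods and the ECDSA/SHA-256 choice are assumptions standing in for the values your key ceremony documents would fix.

```python
"""Added example (not LAWtrust's code): an offline root, one online issuing CA,
and the lifecycle events a deployment must handle: expiry, revocation, renewal."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def _aware(dt):  # older cryptography releases return naive UTC datetimes
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)

def issue(subject_cn, public_key, issuer_cert, issuer_key, days, ca=False, path_len=None):
    """Issue a certificate (issuer_cert=None: self-signed root) under a fixed CA profile."""
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    not_after = now + datetime.timedelta(days=days)  # days < 0: already expired
    not_before = min(now, not_after) - datetime.timedelta(days=1)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (
        x509.CertificateBuilder().subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
        .public_key(public_key).serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
        .add_extension(x509.KeyUsage(  # cert/CRL signing only for CA certificates
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=ca,
            encipher_only=False, decipher_only=False), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked, days=7):
    """Sign a CRL of (serial, reason) pairs; next_update bounds its freshness."""
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    next_update = now + datetime.timedelta(days=days)  # days < 0: an already stale CRL
    builder = (
        x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
        .last_update(min(now, next_update) - datetime.timedelta(hours=1))
        .next_update(next_update)
    )
    for serial, reason in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(issuer_key, hashes.SHA256())

def status(cert, issuer_cert, crl, now=None):
    """Classify as a relying party should: issuer signature and CA flag, then the
    validity period, then a CRL that is itself signed and fresh.  ECDSA issuers assumed."""
    now = now or datetime.datetime.now(UTC)
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    issuer_bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if cert.issuer != issuer_cert.subject or not issuer_bc.ca:
        return "untrusted"
    if _aware(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after) < now:
        return "expired"
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "crl-untrusted"
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is not None and _aware(next_update) < now:
        return "crl-stale"  # no fresh revocation data: never fall through to "valid"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"

def lifecycle_demo():
    """Run the hierarchy through each lifecycle state and return the outcomes."""
    # Root key: generated at the key ceremony, then kept offline.  It signs only the
    # issuing CA certificate and the root's own, rarely refreshed, CRL.
    root_key = ec.generate_private_key(ec.SECP384R1())
    root = issue("Example Root CA", root_key.public_key(), None, root_key, 3650, ca=True, path_len=1)
    # Online issuing CA, path_len=0: may issue end-entity certificates but no sub-CAs.
    ica_key = ec.generate_private_key(ec.SECP384R1())
    ica = issue("Example Issuing CA", ica_key.public_key(), root, root_key, 1825, ca=True, path_len=0)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = issue("app.corp.example", leaf_key.public_key(), ica, ica_key, 365)
    empty_crl = make_crl(ica, ica_key, [])
    results = {
        "chain_ok": status(ica, root, make_crl(root, root_key, [])),
        "fresh": status(leaf, ica, empty_crl),
        "wrong_issuer": status(leaf, root, empty_crl),
        "expired": status(issue("old.corp.example", leaf_key.public_key(), ica, ica_key, -1), ica, empty_crl),
    }
    # Revocation: the serial goes onto the issuing CA's CRL with a reason code.
    crl = make_crl(ica, ica_key, [(leaf.serial_number, x509.ReasonFlags.key_compromise)])
    results["revoked"] = status(leaf, ica, crl)
    # Renewal after compromise: new key pair and new serial; the old serial stays listed.
    new_key = ec.generate_private_key(ec.SECP256R1())
    renewed = issue("app.corp.example", new_key.public_key(), ica, ica_key, 365)
    results["renewed"] = status(renewed, ica, crl)
    results["stale_crl"] = status(renewed, ica, make_crl(ica, ica_key, [], days=-1))
    return results
```

lifecycle_demo() returns one outcome per state. The points to notice are that the root key is used only to sign the issuing CA certificate and the root CRL, that status() refuses to call a certificate valid when the CRL is stale or not signed by the issuer (a relying party that treats "no CRL" as "not revoked" has silently disabled revocation), and that renewal after a compromise issues a new key and serial rather than reusing the old ones.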
4.2 Not establishing a Cryptographic Centre of Excellence (CryptoCoE)
A CryptoCoE is a virtual function with five building blocks that improve an organisation's crypto, PKI and overall IT security posture by providing ongoing visibility into a complete cryptographic inventory, together with expertise and best practices:
- Crypto Health Check: scans an organisation's environment to build a cryptographic inventory and scores it against cryptography standards and policies. The data analysis is then turned into an actionable plan with measurable results, arming security, compliance and risk teams with the insight needed to mitigate crypto-related threats and bring hidden crypto into view.
- An expert-by-your-side engagement that walks your organisation through the essential steps of establishing a governance platform.
- PKI Governance Health Check: reviews an organisation's PKI policy documentation and the roles, processes and policies it outlines, compares them against best practices, compliance requirements and business needs, and delivers actionable recommendations so that there are no procedural gaps.
- PKI System Health Check: assesses the technology and software of an organisation's PKI implementation(s), from the equipment and algorithms in use to documenting the architecture and providing recommendations, so that the PKI can meet current and future business requirements.
- A governance programme for organisations setting up a new PKI, which defines and documents the policies used to govern their PKI.
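What the Crypto Health Check's inventory-and-score step looks like in code, as an added example; it is not LAWtrust's or any vendor's tooling. The policy thresholds and the four self-signed sample certificates are constructed for illustration (in a real scan the PEM data would come from hosts, key stores and TLS endpoints), and the cryptography library is used to parse them.

```python
"""Added example (not LAWtrust's or any vendor's tooling): build a cryptographic
inventory from PEM certificates and score it against a policy."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

# Assumed policy thresholds; an organisation's crypto standard would set its own.
POLICY = {
    "min_rsa_bits": 2048,
    "allowed_curves": {"secp256r1", "secp384r1", "secp521r1"},
    "weak_hashes": {"md5", "sha1"},
    "expiry_warn_days": 30,
}


def inventory_record(pem, now):
    """Parse one PEM certificate into the fields an inventory tracks."""
    cert = x509.load_pem_x509_certificate(pem)
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_type, key_bits, curve = "RSA", pub.key_size, None
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_type, key_bits, curve = "EC", pub.key_size, pub.curve.name
    else:
        key_type, key_bits, curve = type(pub).__name__, None, None
    sig_hash = cert.signature_hash_algorithm  # None for Ed25519/Ed448
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    if not_after.tzinfo is None:  # older cryptography releases return naive UTC
        not_after = not_after.replace(tzinfo=UTC)
    return {
        "subject": cert.subject.rfc4514_string(),
        "key_type": key_type, "key_bits": key_bits, "curve": curve,
        "sig_hash": sig_hash.name if sig_hash is not None else "none",
        "days_left": (not_after - now).days,
    }


def findings(rec, policy=POLICY):
    """Policy violations for one inventory record (empty list = compliant)."""
    out = []
    if rec["key_type"] == "RSA" and rec["key_bits"] < policy["min_rsa_bits"]:
        out.append(f"rsa-{rec['key_bits']}-below-minimum")
    if rec["key_type"] == "EC" and rec["curve"] not in policy["allowed_curves"]:
        out.append(f"curve-{rec['curve']}-not-allowed")
    if rec["sig_hash"] in policy["weak_hashes"]:
        out.append(f"weak-signature-hash-{rec['sig_hash']}")
    if rec["days_left"] < 0:
        out.append("expired")
    elif rec["days_left"] < policy["expiry_warn_days"]:
        out.append(f"expires-in-{rec['days_left']}-days")
    return out


def score_inventory(pems, now, policy=POLICY):
    """Score every certificate; returns (compliant, total, {subject: findings})."""
    report = {}
    for pem in pems:
        rec = inventory_record(pem, now)
        report[rec["subject"]] = findings(rec, policy)
    return sum(1 for f in report.values() if not f), len(report), report


def _sample_pem(cn, key, not_before, not_after):
    """Constructed self-signed certificate standing in for one found on a host."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def sample_inventory(now):
    """Four constructed certificates: weak RSA key, expiring soon, expired, compliant."""
    day = datetime.timedelta(days=1)
    return [
        _sample_pem("legacy-vpn.corp.example", rsa.generate_private_key(65537, 1024),
                    now - day, now + 365 * day),
        _sample_pem("portal.corp.example", rsa.generate_private_key(65537, 2048),
                    now - 355 * day, now + 10 * day),
        _sample_pem("old-intranet.corp.example", ec.generate_private_key(ec.SECP256R1()),
                    now - 400 * day, now - day),
        _sample_pem("api.corp.example", ec.generate_private_key(ec.SECP384R1()),
                    now - day, now + 365 * day),
    ]


def run_demo():
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    return score_inventory(sample_inventory(now), now)


if __name__ == "__main__":
    compliant, total, report = run_demo()
    print(f"{compliant}/{total} certificates compliant")
    for subject, issues in report.items():
        print(f"  {subject}: {', '.join(issues) or 'ok'}")
```

The score (compliant count out of total, plus the per-certificate findings) is the measurable result the health check reports on; re-running the scan after remediation shows whether the number moved. The same record format extends naturally to private keys and TLS listener configurations, which is where hidden crypto usually turns up.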
Deploying a PKI solution holds many benefits for any organisation. It takes hard work and dedication to roll out the solution, but by looking out for the above-mentioned pitfalls you can go a long way towards ensuring a good experience for the teams responsible for providing the service and for its users.
The experts at LAWtrust have many years of experience deploying Public Key Infrastructure projects.
We would like to give a big thank you to all the experts at LAWtrust who contributed their knowledge and expertise to this article.