As defined in Wikipedia, a public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store & revoke digital certificates and manage public-key encryption.
Hence, PKI is not just the software which is a misconception of most people when it comes to understanding the real pain behind a PKI system.
With the experience that we had implementing PKI system for all types of end customers ranging from the public sector to private sector, we had compiled 5 key points for you to understand better of what PKI actually is and how does it really work.
The core is always the Certificate Authority
The Certificate Authority (CA) is a component in the PKI system which is responsible for issuing digital certificates
Without the existence of the CA, a PKI system can never exist.
Being the core of the PKI system, it deserves to get all kinds of security certifications to ensure that the core is precisely secured.
The CA should mainly function to issue a self-signed certificate, issue to another subordinate CA, certificate revocation list (CRL) and countless type, of end entity certificates such as people, mobile phones, networking devices, you name it.
Therefore, since the CA is the core to a PKI system, some PKI owners can literally survive with just the CA component under a very controlled environment.
But the Asset, is the HSM.
Although the CA is the core of the PKI system, it may not be the critical asset that you need to protect.
PKI is a system that utilizes Asymmetric Algorithm where each entity of this system consists of a pair of public key and private key. This goes the same for each correspondence CA as well.
Each entity will be responsible for safeguarding its own private key and as for the case of the CA, the private key will be stored inside a highly secured container called Hardware Security Module (HSM).
Compromising the CA keys in the HSM is as good as compromising the entire PKI system but compromising the CA software may not compromise the entire PKI system.
This further shows that the key asset that every PKI owner tried to protect here is always the HSM device.
Everything is based on open standards
Most of the PKI components especially the CA is built on top of open standards.
Often, the open standard that the CA system is built on top is the RFC standard.
For a well-built CA system, it shall compliant to several RFC standards such as:
- RFC 5280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, replaces RFC 3280
- RFC 2253 – Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
- RFC 2560 – X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
Above are just some examples where a matured CA system that is used by any governmental sector and big public sector can easily compliant with more than 10 RFC standards.
These standards do not just stop at the time it is released.
The standards had been evolving from time to time to ensure that it has the best of the best practice for PKI owners to know.
Only 30% of PKI belongs to software
We always tell our prospects and customers that PKI system is not just about the software.
A common misunderstanding is that people that buy the software did not expect that there is much more work to do in order to run the PKI system.
The remaining 70% of the PKI system goes to operations and documentation.
Some of the notable examples are certificates that has validity periods, and in the event where a renewal is needed, operations work will come in.
This goes as well to certificate lost or compromise which will need to update to the CA system to formally revoke the certificate. This is part of operations as well.
As for documentation, there is policies and procedures document which is quite lengthy that needs to be created and maintained.