DigiCert One 07-30-2020

Perils of DIY Private PKI

Brian Trzupek

Many choose to construct and manage their own Public Key Infrastructures — a DIY PKI if you will. For smaller organizations and internal solutions, a DIY PKI may be manageable. Yet as modern enterprise networks grow and expand into new niche areas of technology, their PKI becomes ever harder to manage.

Understanding what it takes to manage a PKI can help you determine if you want a DIY PKI solution or the help of a commercial CA to manage your private PKI.

DIY PKI challenges

Enterprises often choose DIY PKI to save money, but the time and effort it takes to manage their own PKI can cost more. Furthermore, if PKI is not managed well, then it is robbed of much of its value.

The truth is that DIY PKI often has a hard time dealing with the complex environments that it’s supposed to help with, especially with enterprise networks that are becoming increasingly complex and multifaceted. Organizations face the pressure to provide PKI across hybrid and multi-cloud environments, and to scale with growth in IoT and other devices accessing the network.

PKI requires close attention to stay up to date with industry standards, remain compliant and keep pace with hardware and software updates. Because it must be managed so carefully, whoever manages it needs to be something of a PKI expert.

Ask yourself the following in considering a DIY PKI:

  • Do you have someone in your organization who knows how to secure private keys with an HSM?
  • Do you have a backup and recovery plan for the PKI keys and systems?
  • As IT infrastructure evolves, will your PKI be able to support the latest devices, OSes and use cases?
  • If you are in an industry with compliance requirements, you may face audit criteria for your PKI, people, systems and tools. Are you ready for that?
  • Do you understand which industry standards you must follow to interoperate correctly?
  • How many users are you enrolling in your PKI? What is your plan to do so without burying your internal IT staff?
  • How will you scale your usage as you grow?
  • How will you automate integration with third-party systems?

Additionally, the tools that an enterprise might use to build their own PKI, such as Microsoft CA, come with their own weaknesses. For example, Microsoft CA still has issues with usability, scalability and vulnerabilities, and it can be hard to integrate with complex enterprise networks. Microsoft CA also struggles when handling more than 40,000 certificates. That may sound like plenty, but each user can require multiple certificates, so in a large enterprise 40,000 is often not enough.

Moving from data centers to the cloud

Enterprises face significant challenges as they move from their own data centers or physical servers and start deploying containers and orchestration environments in the cloud.

For example, where an organization could once use static IP addresses as a form of authentication, in the cloud it cannot. It will need strong authentication that is highly automated for a dynamic environment, one where an authentication credential may live for a few moments, a few days or a few years. The old notion of using pre-shared keys for authentication is a security risk and extremely difficult to scale to a dynamic IT environment.
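To make that point concrete, here is an added example (not DigiCert's code and not part of the original post) in Go, using only the standard library's crypto/x509. An in-memory private root CA issues a workload certificate that is identified by a URI SAN rather than an IP address and is valid only for a short, explicit lifetime; the certificate is then verified at different points in time and against a different root. The CA name, the SPIFFE-style URI, the one-hour lifetime and the in-memory key storage are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// PrivateCA is an in-memory private root, constructed for this example only;
// a real deployment keeps this key in an HSM and runs the CA as a service.
type PrivateCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// signCert signs tmpl with signer on behalf of parent and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPrivateCA creates a self-signed root restricted to signing certificates and CRLs.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &PrivateCA{Cert: cert, key: key, pool: pool}, nil
}

// IssueWorkload issues a leaf identified by a URI SAN (SPIFFE-style naming is an
// assumption here) rather than an IP address, valid only for ttl. With lifetimes of
// minutes or hours, expiry does the job that revocation does in a static network.
func (ca *PrivateCA) IssueWorkload(workloadURI string, issuedAt time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	uri, err := url.Parse(workloadURI)
	if err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial, so leaf serials are unpredictable and unique.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	issuedAt = issuedAt.UTC().Truncate(time.Second) // X.509 times have second precision
	cert, err := signCert(&x509.Certificate{
		SerialNumber: serial,
		URIs:         []*url.URL{uri},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca.Cert, &key.PublicKey, ca.key)
	return cert, key, err
}

// Verify checks that cert chains to this root and is inside its validity window at time at.
func (ca *PrivateCA) Verify(cert *x509.Certificate, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: ca.pool, CurrentTime: at})
	return err
}

func main() {
	ca, err := NewPrivateCA("Example Corp Private Root CA")
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueWorkload("spiffe://example.internal/ns/payments/sa/api", time.Now(), time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("identity:", cert.URIs[0], "expires:", cert.NotAfter)
	fmt.Println("valid now:", ca.Verify(cert, time.Now()) == nil)
	fmt.Println("valid in two hours:", ca.Verify(cert, time.Now().Add(2*time.Hour)) == nil)
}
```

The lifetime passed to IssueWorkload is the whole life of the credential: a workload that exists for minutes gets a certificate that expires with it, so the private CA never builds up a revocation backlog for ephemeral identities, and the same verification path rejects both an expired certificate and one issued by a root the organization does not trust.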

Once your systems are running in the cloud, you may also not control the network layer, so you will want encrypted communications between systems. PKI is a fantastic way to do this; however, it increases the complexity of what you have to manage because:

  • you will need automation, control and integration with orchestration tools,
  • it is very difficult to automate this in a dynamic environment, and
  • if you encrypt traffic you will still need to support network operations tools, and encryption gets in their way.

You will also want to manage the integrity and non-repudiation of the services you operate. You will need container signing so that you know the resource you deployed to execute in your environment is the trusted resource you believe it to be. The good news is that there are sophisticated PKI tools built to solve these dynamic challenges, and they do it very well.

The shift to the cloud has made PKI a necessity for secure data center operations. If your organization plans to deploy PKI for user authentication, DevOps, document signing, machine identity or IoT use cases, your best first step is to start with the correct information. Then you will not get halfway there and have to start from scratch, as we have seen many times. Let us help you avoid that.

Managed PKI: A modern solution

Enterprises should consider using a private CA, which can provide the automation and scalability that an enterprise ideally wants. Managed PKI is increasingly being adopted around the globe for its simplicity, versatility and flexibility. A new whitepaper from IDC finds that modern PKI implementation dramatically simplifies management and reduces cost.

The results showed that by using a cloud-based platform to govern their PKI, organizations enjoyed a 60 percent increase in the effectiveness of security teams, a 76 percent reduction in unplanned downtime and a 326 percent return on investment over five years.

“DigiCert PKI Platform freed up time to concentrate on the bigger picture. Some employees have been repurposed to focus on our overall larger strategy, which is migrating the majority of our on-premises to the cloud. We were able to dedicate them to the implementation of the cloud structure,” said one interviewee.

The DigiCert ONE option

DigiCert IoT Trust Manager is built on DigiCert® ONE, a PKI management platform architected and released in 2020 to be the PKI infrastructure service for today's modern cloud-native challenges. DigiCert ONE offers multiple management solutions and is designed for all forms of PKI. It is flexible enough to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and air-gapped environments. It also deploys extremely high volumes of certificates quickly using robust and highly scalable infrastructure. DigiCert ONE delivers end-to-end centralized user and device certificate management, a modern approach to PKI. Learn more about DigiCert ONE and see if it’s right for your business.

The digital world is turning into a sprawling mesh of connection points. Learn more about how to unify and simplify your expanding security environment in our new webinar. Register now.
