PKI FAQ

Public Key Infrastructure (PKI) is a system of processes, technologies, and policies that allows you to encrypt and/or sign data. With PKI, you can issue digital certificates that authenticate the identity of users, devices, or services. These certificates work for both public web pages and private internal services (e.g., to authenticate devices connecting with your VPN, Wiki, Wi-Fi, etc.)

With Public Key Infrastructure (PKI), you can significantly increase the security level of your network. Three key benefits make this possible:

• Authentication: Validate identities to ensure only authorized users and devices have access to a server.
• Encryption: Use a certificate to create an encrypted session, so information can be transmitted privately.
• Data Integrity: Ensure any messages or data transferred to and from devices and servers are not altered.

Common use cases for PKI include, but are not limited to:

• Securing web pages
• Encrypting files
• Authenticating and encrypting email messages using S/MIME
• Authenticating nodes connecting to a wireless network
• Authenticating connections to your VPN
• Authenticating connections to sites and services containing corporate data using TLS mutual authentication

End-to-end encryption is when a message is encrypted at your device, and the decryption is done at the recipient’s device. This means that no third party can intercept your sensitive data.

A Certificate Authority (CA) is a trusted third party that verifies the identity of an organization applying for a digital certificate. After verifying the organization’s identity, the CA issues a certificate and binds the organization’s identity to a public key. A digital certificate can be trusted because it is chained to the CAs root certificate.

A digital certificate vouches for the holder’s identity. Like a driver’s license, the certificate has been issued by a trusted third party, cannot be forged, and contains identifying information.

Public and private keys are used to encrypt and decrypt information. Only the private key can decrypt information encrypted by the public key. This key pair is known as asymmetric cryptography (because the encryption is done using non-identical keys). The two keys are mathematically related, but it’s impossible to determine one key using the other.

A root certificate provides the signature when binding an identity to the public key. This is how you identify whether a certificate is valid, and whether you should trust it.

The short answer is, yes. DigiCert offers solutions for both public and private PKI, along with a platform and RESTful API, which allow you to automate certificate management and customize PKI workflows.

You may have only worked with a commercial CA to purchase public SSL certificates. With this as your only reference point, you might assume private certificates have similar costs as public certificates—this isn’t the case. Issuing a private digital certificate with DigiCert is a fraction of the cost of a public certificate.

Security engineers and administrators sometimes mistakenly think a hosted private PKI will limit them to certain certificate profiles. They think they’ll only have access to certificate profiles that are approved by the CA/Browser Forum. However, DigiCert can provide you with any certificate profile you need. These certificate profiles don’t have to be SSL/TLS certificate profiles—they don’t even have to be X.509.

Managed PKI (MPKI) is a solution provided by a CA that allows you to begin automating certificate processes and customizing PKI workflows. Once your organization gets to the point that it requires a high volume of certificates, you’ll benefit from an MPKI solution that simplifies certificate management.

You can secure your internal services (e.g., VPN, WiFi, Wiki, etc.) using an internal CA. Organizations commonly do this using Microsoft CA. However, building and maintaining an internal CA can be expensive and time-consuming. You’ll want to carefully consider the costs of each before deciding. Many CAs provide hosted solutions that can save you from some of the hardware, software, and personnel costs involved in building an internal PKI.

A Certificate Policy (CP) is a document created to identify the different actors of a PKI and their roles and duties. The CP specifies practices like how certificates can be used, how certificate names are to be chosen, how keys are to be generated, and much more. The associated CP is typically specified in a field of the X.509 certificate.

For in-depth information on CP, see the most up-to-date reference document (RFC 3647): https://tools.ietf.org/html/rfc3647

Key storage, often referred to as key archival, is securely storing the private key in case it’s lost. To meet FIPS compliance, and ensure the highest level of security, we suggest storing your keys using a Hardware Security Module (HSM).

An HSM is a cryptographic hardware-based option for secure key storage. Typically, HSMS are physically located on-premises, and require internal resources to maintain. This can be cost intensive, but less expensive options do exist. For example, the Microsoft Azure Key Vault provides secure storage of keys in Microsoft’s cloud HSM. If you’re a smaller organization, or don’t have the resources to purchase and maintain your own HSM, Microsoft Azure Key Vault is a viable solution. Some public CAs, including DigiCert, offer integrations with Microsoft Azure.

To get started, you’ll need to evaluate your environment by considering your needs and the technology you’re working with. We suggest these five steps to get started:

1. Identify your non-negotiable network security risks
2. Pinpoint the network security risks PKI can mitigate
3. Develop the right mix of public and private PKI
4. Decide whether to build (internal CA) or buy (hosted CA)
5. Determine how to automate delivery of certificates to devices

If you need help, contact one of our PKI architects by sending an email to enterprise@digicert.com.