Guide to modern PKI: Automation and compliance

One of the goals of modern PKI is complete automation of the certificate lifecycle and proper control over the inventory, including the compliance status of its assets.

Given the trend of shortening the validity of certificates and cryptographic keys to limit the impact of compromise and breach, this is a logical step. With short-lived certificates, proper management and automation are needed to stay on the safe side.

Agility is considered mandatory. Cryptographic algorithms evolve, and at any given time some are considered safe while others are deprecated. In a modern PKI setup, we want the ability to easily identify non-compliant assets and fix their state.

A future-proof PKI depends on collaboration, transparency, and effective automation of the certificate lifecycle (and possibly also of cryptographic keys).

Approach to automation

When it comes to automating the certificate lifecycle, we have the following options:

  • automation through standardized protocols
  • entity provider-based automation
  • script-based automation

The best approach depends on multiple factors and on the desired certificate management procedure. No two public key infrastructures take the same approach.

The following options are listed in order of preference when considering automation:

  • Standard protocols

    For most use cases, automation through standard protocols such as ACME, SCEP, EST, CMP, and others is sufficient and provides the flexibility needed. It should definitely be considered first and should be the preferred approach to automation. Using standard protocols does not create vendor lock-in, and client implementations are available for the majority of technologies.

  • Entity provider

    The entity provider typically implements the entity's own interface for certificate lifecycle automation when standard protocols cannot be used. The advantage of an entity provider is having complete information about the entity's locations and the entries containing certificates and cryptographic keys in one place, where it can be managed.

  • Script-based automation

    Any scripting tool or language can be used to create custom automation procedures through the API. The scripts can also be used with tools like Ansible and similar. The main drawback of script-based automation is that it introduces customizations to the certificate management procedures that have to be administered and maintained over time.

Entity provider

The Entity Provider helps to integrate virtually any technology (open or proprietary) that is unable to use, or that you do not want to use with, standard interfaces and protocols for managing and automating the certificate and cryptographic key lifecycle.

It provides access to locations on remote entities. These entities are the actual end users of the certificates and cryptographic keys. One entity may have multiple locations.

Some examples for the Entity Provider are:

  • management and automation of SSL Profile certificates on F5 appliances
  • automatic management of certificates and cryptographic keys stored in a Java keystore
  • automation of certificates for 802.1X network devices

Compliance management

Each certificate and cryptographic key can carry various attributes and can be based on different algorithms. There are also various standards and regulations that require specific properties of a certificate, for example the ability to react to algorithm deprecation or vulnerabilities.

Compliance checking helps to monitor the compliance status of each certificate included in the platform's inventory.
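As an added example (not code from the original post or from CZERTAINLY), the following Go program shows what such a compliance check looks like with the standard library: a policy of allowed signature algorithms, minimum RSA key size, maximum validity period and renewal window is applied to a parsed certificate, and the checker reports every violated rule so that non-compliant inventory items can be identified. The policy values, the `Policy`, `CheckCompliance` and `NewTestCert` names and the self-signed test certificates are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the rules the inventory is checked against (assumed example values, not a specific standard).
type Policy struct {
	MinRSABits, MaxValidityDays, RenewBeforeDays int
	AllowedSigAlgs                               map[x509.SignatureAlgorithm]bool
}
// CheckCompliance returns one finding per violated rule; an empty result means the certificate is compliant.
func CheckCompliance(cert *x509.Certificate, p Policy, now time.Time) []string {
	var findings []string
	if !p.AllowedSigAlgs[cert.SignatureAlgorithm] {
		findings = append(findings, "deprecated signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	// Key strength: only RSA has a size rule here; other key types pass this rule as-is.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > time.Duration(p.MaxValidityDays)*24*time.Hour {
		findings = append(findings, fmt.Sprintf("validity too long: %d days", int(v.Round(time.Hour).Hours()/24)))
	}
	if cert.NotAfter.Sub(now) < time.Duration(p.RenewBeforeDays)*24*time.Hour {
		findings = append(findings, "expired or due for renewal")
	}
	return findings
}

// NewTestCert issues a constructed self-signed RSA certificate that stands in for an inventory entry.
func NewTestCert(rsaBits, validDays int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Duration(validDays) * 24 * time.Hour), Subject: pkix.Name{CommonName: "item.example"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real deployment the certificates would come from the inventory (parsed from DER or PEM) instead of `NewTestCert`, and each finding would be attached to the inventory item so that the owner can renew or replace it.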

What's next?

A modern and future-proof PKI needs to move from the traditional way of managing certification authorities to a more agile and flexible approach supporting various technologies, use cases, and certificate types. There is no doubt about it!

This guide-to-modern-PKI series shows a way to achieve this with open-source solutions that have automation capabilities. Control over the certificate and cryptographic key inventory is very important to avoid any negative publicity.

Give it a try and get hands-on experience of how to achieve a modern and future-proof PKI now!

Get more information about CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.

Need Help

Do not hesitate to get in touch with us!