For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
What are the considerations for building a PKI and automating trust services? This is the question we should ask, and have an answer to, before we start implementing any solution. However, we all know that practice is often different.
In many implementations, the PKI is purpose-built, with the focus on a specific use-case and speed of implementation, because “we need to have it as soon as possible”. With this approach you will almost certainly end up, after some time, with an inconsistent infrastructure and start experiencing PKI-related issues.
There are many reasons why you should properly design the PKI before starting the implementation; some of them are:
- insufficient initial planning leads to a non-compliant setup
- decisions made from lack of knowledge while building the infrastructure cannot be reverted
- technology is advancing, and new interfaces and features need to be supported
- ease of operation and administration
- different lifecycles and end of support of PKI components (usually shorter than the validity of the certification authorities)
- avoidance of vendor lock-in
Let’s talk about how we can prepare for a modern and future-proof PKI that will help us achieve our goals and support the security and trustworthiness of our use-cases.
Standard methodology for the PKI implementation
First and most important is to know what we are planning to do. This defines the scope of the PKI, and the implementation will focus on supporting that scope.
We should collect inputs from various parties and stakeholders. There are various reasons why we need to issue certificates and there are many different use-cases that require different certificate attributes and validity restrictions.
We need to find answers to the following questions:
- What are our use-cases for issuing and managing certificates?
- Who is the stakeholder of each use-case?
- Where will the certificates be used, and who is the end user of the certificate?
- Who will need to validate the certificate?
- Do we need to comply with internal or external standards or regulations for managing digital certificates?
The answers help to identify the boundaries of the PKI services that should be implemented. Once the scope is known, we can start building our requirements and designing the PKI solution.
What should we consider?
Good sources of information are standards, regulations, and security frameworks, where you can learn from people that have long-term experience with building and operating various types of PKI. Some worth mentioning:
- eIDAS regulation
- CA/Browser Forum WebTrust
- ETSI standards for issuing certificates
- Common Criteria protection profiles
- NIST special publications
- ISO standards
- RFC publications
A good starting point is to look for inspiration and ideas in implementations that are already working. Try to find and read the Certificate Policy and Certification Practice Statement of some of your favourite trust service providers. You may find interesting information.
PKI Maturity Model
The PKI Maturity Model helps to evaluate PKI implementations and guides improvement of overall maturity and trust. It is recommended to use it as a reference model when designing the PKI.
The PKI Maturity Model is a technology-independent model that evaluates aspects of, and activities related to, the PKI (people, process, technology) according to specific modules and categories.
The PKI Maturity Model categories give us a broad overview of what we should consider when designing a modern and future-proof PKI, for example (for the full description of each category, see Categories Maturity Evaluation):
- Strategy and vision
- Policies and documentation
- Processes and procedures
- Key Management
- Certificate Management
- Infrastructure Management
- Change Management and Agility
- Knowledge and Training
- Monitoring and Auditing
- Certificate discovery
Analyze and design
Good design requires proper analysis to be performed. When the scope and requirements are known, you can apply a gap analysis.
A gap analysis provides a comprehensive view of all components in scope that should comply, and identifies the gaps or non-conformities that should be resolved. Each individual requirement can be considered and evaluated against the implementation.
After the gap analysis, action plans are defined to provide corrections and corrective actions that ensure compliance for all identified gaps. When building a PKI from scratch, these action plans represent the project plan for the implementation.
Action plans also help to establish the indicative costs necessary to implement the PKI.
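To make the gap analysis step concrete, the following is an added Python example, not code from the original article or from the CZERTAINLY project. It represents a handful of policy requirements as checks, evaluates a small constructed certificate inventory against them, and turns the resulting non-conformities into an action plan with indicative effort. The requirement thresholds, the inventory entries, the CA names and the effort figures are constructed assumptions for illustration, not values taken from any standard or CP/CPS.

```python
"""Gap analysis of a certificate inventory against policy requirements.

Constructed example: requirement thresholds, inventory entries, CA names
and effort figures are illustrative assumptions, not taken from any
standard, CP/CPS or real environment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Certificate:
    """Minimal inventory record; in practice this comes from discovery."""
    subject: str
    use_case: str              # scoped use-case the certificate serves
    key_algorithm: str         # "RSA" or "EC"
    key_bits: int
    signature_algorithm: str
    not_before: date
    not_after: date
    eku: Tuple[str, ...]       # extended key usages
    issuer: str


@dataclass(frozen=True)
class Requirement:
    """One policy requirement: who it applies to, how to check, how to fix."""
    req_id: str
    description: str
    applies_to: Tuple[str, ...]           # use-cases covered; () means all
    check: Callable[[Certificate], bool]  # True when the certificate conforms
    remediation: str
    effort_days: int                      # indicative effort per affected cert


@dataclass(frozen=True)
class Gap:
    req_id: str
    subject: str
    remediation: str
    effort_days: int


def validity_days(cert: Certificate) -> int:
    return (cert.not_after - cert.not_before).days


def key_strength_ok(cert: Certificate) -> bool:
    # Assumed thresholds for this example: RSA >= 3072 bits, EC >= 256 bits.
    if cert.key_algorithm == "RSA":
        return cert.key_bits >= 3072
    if cert.key_algorithm == "EC":
        return cert.key_bits >= 256
    return False


# Constructed requirement set (identifiers and thresholds are assumptions).
REQUIREMENTS: Tuple[Requirement, ...] = (
    Requirement("KM-01", "Minimum key strength", (), key_strength_ok,
                "Re-key with a compliant key size", 2),
    Requirement("KM-02", "No SHA-1 signatures", (),
                lambda c: not c.signature_algorithm.lower().startswith("sha1"),
                "Re-issue from a CA profile using SHA-256 or better", 1),
    Requirement("CM-01", "TLS server certificates valid at most 398 days", ("tls-server",),
                lambda c: validity_days(c) <= 398,
                "Shorten profile validity and enable automated renewal", 3),
    Requirement("CM-02", "TLS server certificates carry serverAuth EKU only", ("tls-server",),
                lambda c: c.eku == ("serverAuth",),
                "Fix certificate profile EKU", 1),
    Requirement("CM-03", "Code-signing certificates issued from a dedicated issuing CA",
                ("code-signing",), lambda c: c.issuer == "Code Signing Issuing CA",
                "Migrate to the dedicated issuing CA", 5),
)

# Constructed inventory, as a certificate discovery run might report it.
INVENTORY: Tuple[Certificate, ...] = (
    Certificate("www.example.test", "tls-server", "RSA", 2048, "sha256WithRSA",
                date(2023, 1, 1), date(2025, 1, 1), ("serverAuth", "clientAuth"), "TLS Issuing CA"),
    Certificate("api.example.test", "tls-server", "EC", 256, "ecdsa-with-SHA256",
                date(2024, 1, 1), date(2024, 12, 1), ("serverAuth",), "TLS Issuing CA"),
    Certificate("build-signer", "code-signing", "RSA", 4096, "sha1WithRSA",
                date(2022, 6, 1), date(2025, 6, 1), ("codeSigning",), "TLS Issuing CA"),
)


def gap_analysis(inventory, requirements=REQUIREMENTS) -> List[Gap]:
    """Evaluate every applicable requirement against every certificate."""
    gaps: List[Gap] = []
    for req in requirements:
        for cert in inventory:
            if req.applies_to and cert.use_case not in req.applies_to:
                continue
            if not req.check(cert):
                gaps.append(Gap(req.req_id, cert.subject, req.remediation, req.effort_days))
    return gaps


def action_plan(gaps: List[Gap]) -> Dict[str, dict]:
    """Group gaps per requirement into one action with summed indicative effort."""
    plan: Dict[str, dict] = {}
    for g in gaps:
        entry = plan.setdefault(g.req_id, {"remediation": g.remediation,
                                           "affected": [], "effort_days": 0})
        entry["affected"].append(g.subject)
        entry["effort_days"] += g.effort_days
    return plan


def total_effort(plan: Dict[str, dict]) -> int:
    return sum(entry["effort_days"] for entry in plan.values())


if __name__ == "__main__":
    found = gap_analysis(INVENTORY)
    for gap in found:
        print(f"{gap.req_id}: {gap.subject} -> {gap.remediation}")
    plan = action_plan(found)
    print(f"actions: {len(plan)}, indicative effort: {total_effort(plan)} days")
```

Running the script lists five non-conformities across the three constructed certificates and a plan of five actions totalling 12 indicative days. The same structure works for a real inventory: requirements come from the answers to the scoping questions and the applicable standards, the inventory comes from certificate discovery, and the plan is the starting point for the project plan and cost estimate.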
In the next articles, we are going to look into sample building blocks and demonstrate the implementation of a modern and future-proof PKI.
Get more information about CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an ever more connected world.
Do not hesitate to get in touch with us!