Guide to modern and future-proof PKI

[3keyroman]

🤷‍♂️ How to build modern and future-proof PKI and trust management? We are launching blog series on this topic, and you can learn and get your hands-on experience on this topic!

In this series of articles, we will focus on how to build a solution for PKI and trust management that complies with the requirements of the modern world. The point is to guide you on how to start from scratch and prepare your own certification authority and automate related procedures.

You can look forward to:
👉 Considerations for building the solution
👉 Typical setup and basic terms
👉 Technology and deployment options
👉 Setting up the EJBCA (and MS ADCS)
👉 Preparing the certification authority
👉 Deploy CZERTAINLY in few minutes
👉 Integration and configuration of the solution
👉 Certificate discovery
👉 RA Profiles and certificate management
👉 Automation and compliance

Stay tuned and follow us if you like it! 🦾

Read more on https://www.czertainly.com/modern-and-future-proof-solution-for-pki-and-trust-management/

[3keyroman]

🔑 Guide to modern PKI: Considerations for building the solution

There are many reasons, why you should properly design PKI. What are the considerations for building the PKI and automation of services?

What should we consider when designing and planning the solution for trust lifecycle management? What important factors can impact the decision and guide you which way to go?

👉 Scoping
👉 Gap analysis
👉 Action plans
👉 Standards and regulations
👉 PKI maturity model
👉 Analysis and design
👉 Implementation

Read more on https://www.czertainly.com/guide-to-modern-pki-considerations-for-building-the-solution/

[3keyroman]

🔑 Guide to modern PKI: Typical setup and basic terms

Let’s look into something more specific. What are the typical components of a modern PKI? What is the typical setup and how to understand the basic terms? Considerations for building the modern and future-proof PKI should give us guidance on what components we need to implement.

👉 Entities relying on trust service
👉 Presentation
👉 Supporting systems
👉 Interfaces and integration
👉 Supporting functions
👉 Trust service lifecycle management
👉 Public key infrastructure core components
👉 Cryptographic keys and secure storage

Read more on https://www.czertainly.com/guide-to-modern-pki-typical-setup-and-basic-terms/

[3keyroman]

🔑 Guide to modern PKI: Technology and deployment options

There are many different technologies out there, and the right choice should be made based on the results from the proper scoping and gap analysis.

Technology is important, you should choose it wisely. But on the other hand, you do not want to be dependent on the it and create a vendor lock. In today’s world, you should count with several technologies that should be part of the PKI and take it into consideration.

👉 Entities
👉 Certification authority
👉 Hardware security module
👉 Database

⚙️ Deployment options:
✅ I do not care, I just want to have it running
✅ I want a simple solution under my control
✅ I want to know details about the solution
✅ Let's dig in to the source code and technology

Read more on https://www.czertainly.com/guide-to-modern-pki-technology-and-deployment-options/

[3keyroman]

🔑 Guide to modern PKI: Database and tooling

Database, persistent storage, tools for management of your infrastructure and deployment automation are important parts of modern PKI. It helps to achieve operational continuity and to have proper control of all changes.

There are plenty of tools available and usually you need to build an inventory that will help you to achieve easy, secure management and maintenance of your PKI.

👉 Persistence of data
👉 Tooling to prepare
👉 Automation and control

Read more on https://www.czertainly.com/guide-to-modern-pki-database-and-tooling/

[3keyroman]

🔑 Guide to modern PKI: Setting up the EJBCA

Certification authority is the heart of the PKI that can issue, renew, and revoke various certificates. In the modern infrastructure, you probably need multiple certification authorities for different purposes, like certificate for web servers, clients, code signing, etc.

This is one of the easiest ways to deploy and use open source EJBCA as your certification authority.

👉 Prerequisites
👉 Prepare database
👉 Create namespace
👉 Install through Helm
👉 Access Admin Web
👉 Advanced configuration

Read more on https://www.czertainly.com/guide-to-modern-pki-setting-up-the-ejbca/

[3keyroman]

🔑 Guide to modern PKI: Preparing the certification authority

For every PKI we need certification authorities that can issue, renew, and revoke certificates. Deployment of the PKI software is the first step towards it.

We will create a simple hierarchy of certification authorities that will issue server and client certificates and use it during the guide.

✅ Modern Root CA – this is the root self-signed trust anchor that will issue only subordinate certification authorities
✅ Modern Server SubCA – subordinate certification authority issuing web server certificates
✅ Modern Client SubCA – subordinate certification authority issuing client certificate to be used for B2B authentication

👉 Prepare Crypto Tokens
👉 Prepare Certificate Profiles
👉 Generate certification authorities
👉 Prepare End Entity Profiles
👉 Start issuing certificates

Read more on https://www.czertainly.com/guide-to-modern-pki-preparing-the-certification-authority/

[3keyroman]

🔑 Guide to modern PKI: Deploy CZERTAINLY in few minutes

CZERTAINLY is a platform for effective and efficient trust lifecycle management for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.

The platform seamlessly integrates with various certification authority technologies. Let’s take a look how to quickly deploy CZERTAINLY.

This is the easiest and most convenient approach to prepare solution for automation of certificate management with complete visibility and monitoring.

👉 Prerequisites
👉 Create database
👉 Create namespace
👉 Deploy CZERTAINLY
👉 Access CZERTAINLY
👉 Custom and advanced setup

Read more on https://www.czertainly.com/guide-to-modern-pki-deploy-czertainly-in-few-minutes/

[3keyroman]

🔑 Guide to modern PKI: Integration and configuration

Seamless integration with various technologies should be integral part for any modern infrastructure. It protects us from vendor-lock and gives us freedom in maintenance of the solution.

In this part of the guide to modern PKI, we are going to integrate with EJBCA to discover certificates issued by certification authorities and manage their lifecycle, including, automate certificate distribution, and many more.

👉 Configure EJBCA protocols
👉 Firewall configuration
👉 Enroll RA administrator
👉 Configure CZERTAINLY role
👉 Create SoftKeyStore credential
👉 Create authority instance
👉 Test the integration

Read more on https://www.czertainly.com/guide-to-modern-pki-integration-and-configuration/

[3keyroman]

🔑 Guide to modern PKI: Certificate discovery

Certificate discovery is usually the first step to be performed in order to build the certificate inventory. The purpose of certificate discovery is to search for certificates in various locations and sources like network infrastructure, applications, file system, containers, and many more.

How to create and schedule certificate discovery process? How to keep the certificate inventory current and accurate? How to identify rogue certificates?

👉 Discovery provider
👉 Create certificate discovery
👉 Certificate inventory
👉 Visibility on certificates

Read more on https://www.czertainly.com/guide-to-modern-pki-certificate-discovery/

[3keyroman]

🔑 Guide to modern PKI: RA Profiles and certificate management

Certificate management has many faces. For someone it is about ability to issue and revoke certificate. However, the complete certificate management consists of many operations, including validation of the certificate, compliance status, automation of the certificate distribution and renewal.

Proper certificate management is the prerequisite and initial step towards robust automation of the certificate lifecycle.

👉 What is RA Profile?
👉 Create RA Profile
👉 Certificate management
👉 Issue certificate
👉 Renew certificate
👉 Revoke certificate
👉 Advanced configuration

Read more on https://www.czertainly.com/guide-to-modern-pki-ra-profiles-and-certificate-management/

[3keyroman]

🔑 Guide to modern PKI: Automation and compliance

The future-proof PKI is being dependent on the collaboration, transparency, and effectiveness of the automation of certificate lifecycle (and cryptographic keys).

With the trend of decreasing the validity of certificates and cryptographic keys in time to avoid compromise and breach, it is logical. Having short-lived certificates, we need a proper management and automation to be on the safe side.

Agility is being considered as mandatory. Cryptographic algorithms are evolving and there are variety of them that are considered to be safe or deprecated. In the modern PKI setup, we want to have ability to easily identify non-compliant assets and fix its state.

👉 Automation using standard protocols
👉 Entity provider
👉 Script-based automation
👉 Compliance management
👉 Trust services ecosystem

Read more on https://www.czertainly.com/guide-to-modern-pki-automation-and-compliance/