Bulletproof PKI: Can You Pass the Quality Test?


PKI best practices
September 15, 2020 | Mark Miller

Is your PKI bulletproof? How can you be sure? There is a lot more to PKI than most people realize. Even security-conscious companies usually find themselves missing some of the following checkboxes that ensure they can pass the quality test.

Here are some questions to ask your organization to see how bulletproof your PKI really is. If you can’t check these 6 areas, your Machine Identity Management has some quality concerns.

1. Consumer Education

Questions to ask:

  • Do the appropriate end users understand certificate warnings or are the untrusted machine identities blocked?
  • Do your administrators understand the basic parts of certificates and keys?
  • Are strong documentation and other training materials available to users?

What to watch for:
Uneducated end users may click past a certificate warning because they want to do their job—only to find that they have been phished. We know this is the most likely entry point into any organization. Despite all the security software you can implement, if your users get phished, the bad guys may end up with all the access those users have.

Uneducated administrators may also fall victim. Passing private keys around via email or to a third-party organization can undermine the entire security of PKI. Another potentially hazardous activity is taking shortcuts with wildcard certificates or self-signed certificates—this type of behavior may soon create a mess that complicates the lifecycle of your PKI.

2. Enforceable Policy

Questions to ask:

  • Are users blocked from getting certificates they should not be asking for?
  • Do users need someone to sign off on their requests?
  • Do you restrict which Certificate Authorities (CAs) are allowed to be used?
  • Are key strength and validity set and locked?

What to watch for:
Enforcing policy for users protects them from costly mistakes and helps answer difficult auditing questions. It also streamlines getting work done, as policies can auto-populate critical fields in the Certificate Signing Request (CSR) and eliminate questions about what is or is not allowed throughout your organization.
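Locking key strength, restricting names and CAs, and auto-populating CSR fields can all be expressed as a small policy gate that sits in front of the CA. The Go program below is an added example written for this post, not Venafi code and not part of the original article; it uses only the standard library crypto/x509 package, and the policy values, the .example.com zone, the CA nicknames and the two sample requests are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
	"time"
)

// IssuancePolicy is the locked set of constraints every request must satisfy before it goes to a CA.
type IssuancePolicy struct {
	MinRSABits    int
	AllowedCurves map[string]bool // ECDSA curve names that may be used
	DNSSuffix     string          // every requested name must sit under this zone
	MaxValidity   time.Duration   // a longer requested validity is clamped to this
	AllowedCAs    map[string]bool // CA nicknames a requester may select
	Organization  string          // auto-populated into the subject
}

// Decision lists violations (none means approved) plus the values the policy filled in or clamped.
type Decision struct {
	Violations []string
	Validity   time.Duration
	Subject    pkix.Name
}

// Evaluate checks a DER CSR, the validity the user asked for and the CA they chose against the policy.
func Evaluate(p IssuancePolicy, csrDER []byte, validity time.Duration, ca string) (Decision, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return Decision{}, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return Decision{}, fmt.Errorf("CSR signature: %w", err)
	}
	var d Decision
	fail := func(format string, a ...any) { d.Violations = append(d.Violations, fmt.Sprintf(format, a...)) }
	// Key strength is locked: RSA must meet the floor, ECDSA must use an allowed curve.
	switch k := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < p.MinRSABits {
			fail("RSA key is %d bits, policy floor is %d", k.N.BitLen(), p.MinRSABits)
		}
	case *ecdsa.PublicKey:
		if !p.AllowedCurves[k.Curve.Params().Name] {
			fail("curve %s is not allowed", k.Curve.Params().Name)
		}
	default:
		fail("unsupported key type %T", csr.PublicKey)
	}
	// Names: the CN and every SAN must be inside the approved zone; wildcards are not handed out by default.
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if n == "" {
			continue
		}
		if strings.HasPrefix(n, "*.") {
			fail("wildcard name %q requires an approved exception", n)
		}
		if !strings.HasSuffix(n, p.DNSSuffix) {
			fail("name %q is outside %s", n, p.DNSSuffix)
		}
	}
	if !p.AllowedCAs[ca] {
		fail("CA %q is not on the approved list", ca)
	}
	d.Validity = validity
	if d.Validity <= 0 || d.Validity > p.MaxValidity { // clamp rather than reject
		d.Validity = p.MaxValidity
	}
	d.Subject = csr.Subject
	d.Subject.Organization = []string{p.Organization} // requesters cannot get this wrong
	return d, nil
}

// newCSR builds a CSR the way a requester's tooling would (constructed input).
func newCSR(key crypto.Signer, cn string, sans ...string) []byte {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo evaluates a non-compliant and a compliant request against a sample (constructed) policy.
func Demo() (weak, good Decision) {
	p := IssuancePolicy{MinRSABits: 2048, AllowedCurves: map[string]bool{"P-256": true, "P-384": true},
		DNSSuffix: ".example.com", MaxValidity: 397 * 24 * time.Hour,
		AllowedCAs: map[string]bool{"internal-issuing-ca": true}, Organization: "Example Corp"}
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately below the floor
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weak, _ = Evaluate(p, newCSR(weakKey, "*.example.com"), 3*365*24*time.Hour, "any-public-ca")
	good, _ = Evaluate(p, newCSR(goodKey, "api.example.com", "api.example.com", "www.example.com"), 90*24*time.Hour, "internal-issuing-ca")
	return weak, good
}
```

Validity is clamped rather than rejected so that a request asking for three years still proceeds at the policy maximum; everything else (a 1024-bit key, a wildcard name, an unapproved CA) is a hard violation that has to be corrected before the request reaches a CA, and the organization field is filled in by the policy so it never has to be asked about.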


3. Notification and Escalation

Questions to ask:

  • Has a private key been downloaded when perhaps it should not have been?
  • Is there a certificate or key in danger of expiring that the app owner has not acted on?
  • Did a leaf certificate change unexpectedly?
  • Is a root certificate expiring soon?

What to watch for:
Notifications that alert you to what is going on with your organization’s certificates may save you the stress of just hoping things are going okay. With proper notifications set up, you can be told, as often as you like, specific details about the health of your PKI inventory. Your Machine Identity Management should automatically alert you about the things you need to know, without your having to embark on a long investigative search.


4. Automation or DevOps Integration

Questions to ask:

  • Do your Machine Identities rotate themselves?
  • Do they have what it takes to automatically complete their refresh?
  • Do you have a built-in solution to deliver the full certificate lifecycle?

What to watch for:
Automation is a big word that entails a lot of complexities. It makes you faster. It also makes you smarter, so you can expand and keep up with the growth of your business. Having built-in drivers for full automation, or the ability to integrate with specialized systems yourself, lets you scale at speed while staying safe and secure.


5. Audit Capabilities

Questions to ask:

  • Can you tell your auditors who has access to your private keys?
  • Are you made aware if a machine identity changes on any endpoint?
  • Can you prove you are complying with mandates today?

What to watch for:
Imagine your auditor asking you to show the key strengths or algorithms in use across your organization. Imagine them wanting you to demonstrate who has access to that wildcard certificate that has been passed around by email or network share, let alone all the locations where it is used.

Notifications, logging, permissions and enforced policy help you prove, at the drop of a hat, where you stand with compliance. Working with your auditors to demonstrate a bulletproof PKI should be, and can be, simple. Run reports, and with numbers or graphs you can quickly demonstrate that you are a world-class PKI shop.

6. CA Agility

Questions to ask:

  • Do you actively choose who you trust or whom you want to do business with?
  • Can you recover quickly from a CA or root certificate vulnerability?
  • How quickly can you adapt to the changing tide of who your root of trust is—or evolving CA capabilities?

What to watch for:
There are many Certificate Authorities (CAs) out there, and the market is not static: demand for CAs constantly ebbs and flows. Whether one company merges with another, a vulnerability is discovered or capabilities change, you should be able to update the bulk of your certificates and keys without it being a multiyear job. Your Machine Identity Management strategy—be it manual or automated—should let you adjust quickly to changes. When a machine needs to adapt, you should be able to accommodate it immediately.
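The audit questions in section 5 (which key strengths and algorithms are in use, and where) and the CA-agility question in section 6 (how many certificates must be reissued if a CA is distrusted) can be answered from the same inventory. The Go program below is an added example for both sections, not part of the original post and not Venafi code: it mints a constructed fleet with the standard library crypto/x509 package (two internal CAs and three leaf certificates, one with a deliberately weak RSA-1024 key), tallies key strengths, flags hosts below an assumed 2048-bit RSA floor, and maps every host to its issuing CA by Authority Key Identifier so that the reissue scope for a distrusted CA is a single lookup. The CA names, hostnames, serial numbers and the key-size floor are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Deployed is one inventory entry: a parsed certificate and the host holding it.
type Deployed struct {
	Host string
	Cert *x509.Certificate
}

// Report answers the auditor: key strengths in use, hosts below the floor, and
// which hosts depend on which CA (which is also the scope of a CA roll-over).
type Report struct {
	ByKey     map[string]int      // key label -> number of deployed certs
	WeakHosts []string            // hosts whose key is below the policy floor
	ByIssuer  map[string][]string // CA name -> hosts whose cert it signed
}

// Audit builds the report. Issuers are matched on the Authority Key Identifier
// rather than the issuer name, so two CAs that share a name are told apart.
func Audit(cas []*x509.Certificate, fleet []Deployed) Report {
	rep := Report{ByKey: map[string]int{}, ByIssuer: map[string][]string{}}
	byKID := map[string]string{}
	for _, ca := range cas {
		byKID[string(ca.SubjectKeyId)] = ca.Subject.CommonName
	}
	for _, d := range fleet {
		switch k := d.Cert.PublicKey.(type) {
		case *rsa.PublicKey:
			rep.ByKey[fmt.Sprintf("RSA-%d", k.N.BitLen())]++
			if k.N.BitLen() < 2048 { // assumed policy floor
				rep.WeakHosts = append(rep.WeakHosts, d.Host)
			}
		case *ecdsa.PublicKey:
			rep.ByKey["ECDSA-"+k.Curve.Params().Name]++
		default:
			rep.ByKey[d.Cert.PublicKeyAlgorithm.String()]++
		}
		issuer := byKID[string(d.Cert.AuthorityKeyId)]
		if issuer == "" {
			issuer = "unknown-ca" // not one of ours: an auditor's question too
		}
		rep.ByIssuer[issuer] = append(rep.ByIssuer[issuer], d.Host)
	}
	for _, hosts := range rep.ByIssuer {
		sort.Strings(hosts)
	}
	return rep
}

// ReissueScope lists the hosts needing new certificates if the named CA is distrusted.
func (r Report) ReissueScope(ca string) []string { return r.ByIssuer[ca] }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for key, signed by signer under parent; a CA is
// self-signed. Names, serials and lifetimes are constructed for the demo.
func issue(cn string, serial int64, isCA bool, key crypto.Signer, parent *x509.Certificate, signer crypto.Signer) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.SubjectKeyId = []byte{byte(serial)} // stand-in for the usual public-key hash
		parent = t
	} else {
		t.DNSNames = []string{cn}
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer))))
}

// Demo builds a constructed fleet: two internal CAs and three leaf certificates.
func Demo() Report {
	keyA := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyB := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caA := issue("Example Root A", 1, true, keyA, nil, keyA)
	caB := issue("Example Root B", 2, true, keyB, nil, keyB)
	fleet := []Deployed{
		{"web01", issue("api.example.com", 10, false, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caA, keyA)},
		{"legacy01", issue("old.example.com", 11, false, must(rsa.GenerateKey(rand.Reader, 1024)), caA, keyA)}, // weak on purpose
		{"web02", issue("www.example.com", 12, false, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caB, keyB)},
	}
	return Audit([]*x509.Certificate{caA, caB}, fleet)
}
```

Matching on the Authority Key Identifier rather than the issuer's distinguished name is what makes the scope answer trustworthy during a roll-over: when a CA is re-keyed under the same name, certificates from the old key and the new key are kept apart, so the report shows which hosts have already moved and which still have to be reissued.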


What comes next

When you have effectively addressed these 6 categories, your PKI becomes bulletproof. Your Machine Identity Management becomes robust enough to uphold and support your organization’s growth at speed—instead of being a bottleneck of confusion and contention. No platform is trusted more, is more proven, or has as many enterprises relying on its developed expertise as the Venafi Trust Protection Platform. Let’s face it. It’s simply the best way to cover your unique use cases and bulletproof your PKI.

About the author

Mark Miller

Mark Miller is Senior Director, Enterprise Security Support, at Venafi, where he works with hundreds of the world’s largest companies to develop and implement strong, resilient cybersecurity strategies across a constantly evolving set of interlocking technologies. Mark has focused on building and leading strong teams to solve difficult product issues.
