How Can I Build an In-House PKI? [NCSC Guidelines]

The importance of digital identities is growing day by day. Identities are being used not only to authenticate individuals, but increasingly to secure communications between machines, connected IoT devices, apps and services. The key to a strong regime for these machine identities is the security of the underlying TLS/SSL certificates. Organizations have two options—either trust a Certificate Authority (CA) or build your own CA.

Building your own CA server and structure comes down to deciding whether you rely on managed Public Key Infrastructure (PKI) services or building your in-house PKI.

Is a PKI what you are looking for?

Before even deciding how to build your PKI, you should consider if you require a PKI for your authentication challenges. Private PKIs are complex to set up and require a constant level of maintenance by skilled practitioners. Alternative methods of authentication which are easier to implement may meet your requirements just as well.

If you own a public facing site, then the best solution is to use a public CA for your certificates. These certificates are globally trusted since they are signed by an established root certificate whose keys are included in the trust stores of all browsers and operating systems.

On the other hand, if your organization has internal systems and devices that are private to the rest of the world, building your in-house PKI is the preferred solution and offers many advantages. In addition, a private PKI may be a better option for authenticating an end entity for a VPN. Finally, a private PKI might be required for technical reasons but also by standards or regulation.

What are the PKI design trade-offs?

According to the National Cyber Security Centre (NCSC), when designing your PKI infrastructure, you will come across certain decisions that would require to trade off certain functions of the system. These trade-offs should be on a risk-based approach and should not impact your security goals. The objective of your PKI is to mitigate all identity related risks to your organization. These trade-offs may include the following areas:

1. Key storage vs certificate lifetime
   Securely storing private keys in Hardware Security Modules (HSMs) or other tamper-resistant locations reduces the likelihood of compromise. Meanwhile, short certificate lifecycles reduce the impact of a compromise.
2. Certificate lifetime vs revocation
   If the certificates and associated private keys have short lifecycles, the attacker has a limited time to leverage a compromised certificate and the impact becomes limited. Another factor to consider is your response time, which closely related to the level of visibility you have on your certificates. Quick reaction and short certificate lifecycles make the impact of a revocation system limited.
3. Recovery time vs availability
   A well-established disaster recovery process will allow you to restore your PKI within acceptable downtime limits.
4. Certificate lifecycle vs CA availability
   If the CA infrastructure is highly available, with minimal downtime, then the organization can regularly and reliably communicate with the CA to renew its certificate, enabling shorter lifecycles.

Which factors should you consider?

When building up your in-house PKI solution, significant additional investment is usually needed in terms of staff and technical resources. The following factors should not be overlooked when making the decision to deploy or not a private PKI.

• Personnel capabilities
  When considering the costs of building your own PKI infrastructure, personnel is often overlooked. You will need additional staff with PKI expertise to build and manage the PKI. In addition, your existing IT teams will have to assume more responsibilities. Do they have the capacity to do so, or do you need to hire more IT staff?
• Scalability
  You should build your PKI structure not only to accommodate today’s needs but also you need to predict future requirements in machine identities. Is your system flexible enough to scale?
• Cost
  The cost for building and maintaining your in-house PKI might become a negative factor. You will need to budget money for hardware and software, licensing, additional personnel, hardened storage facilities, and personnel awareness.
• Capacity
  This is closely related to personnel and the overall resources you have in-house to run the PKI. If you already have the talent and infrastructure available, then you will be able to build a robust and customizable PKI capable of meeting all your needs. But what happens if this capacity is lost or diminished?

What are the foundational principles for building your PKI?

According to NCSC, there are 12 guiding principles every organization needs to adhere to when building their in-house PKI.

1. Understand and have a clear picture of what you are building.
2. Protect your private keys to reduce the likelihood of a compromise.
3. Ensure high availability and resilience of Certificate Authority functions to withstand disruptions and cyber-attacks.
4. Develop a robust certificate provisioning and management procedure to prevent rogue certificates from being issued.
5. Authenticate and authorize all requests to Certificate Authorities for the issuing of new certificates.
6. Keep certificate lifecycles as short as practical to reduce the window of opportunity for an attacker.
7. Segregate intermediate CAs per technology or organization function to reduce the impact of compromise of a single CA and separate duties between each CA.
8. Automate certificate renewal to provide a frictionless experience, enforce security and limit the risk of expired certificate outages.
9. Continuously monitor your PKI environment to gain full visibility and spot any gaps.
10. Keep the root CA offline to prevent adversaries from compromising it and gaining control of the entire PKI, corrupting trust in the entire system.
11. Use current, strong, cryptographic algorithms, and plan for crypto agility.
12. Establish certificate revocation procedures to reduce the impact of a compromised certificate.

Managed SaaS PKI services

If your organization has a clear idea of what it needs and has the budget and resources to accomplish it, then creating your in-house PKI gives you the highest degree of customization and control. However, for most companies the degree of expertise, time, and money required are prohibitive for building their private PKIs. In such a case, managed PKI services, delivered through SaaS solutions are usually the best bet.

Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple CAs and with the options you need for security and traceability.    

Venafi Zero Touch PKI gives you complete policy control and delegated administration, automation for mixed IT environments, Active Directory integration, and multiple options for migration of current PKI into new platform. To learn more, contact one of our experts.

Related Posts

• Automate PKI: Considerations for Executives
• How to Securely Integrate PKI into Your CI/CD Pipeline
• Is There a Disconnect Between Your PKI Security and Operations Teams?
• Venafi Zero Touch PKI: Modern PKI Without Any Hassle