Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Internal PKI: What are the benefits of enterprises moving it in-house?

Many large enterprises have their own internal public key infrastructure. Expert Michael Cobb explains the considerations organizations should make before undertaking the task.

My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits...

of having our own internal PKI -- especially in terms of costs and management?

It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of having internal PKI is that internal services can be configured to only accept certificates from the enterprise's own CA chain, in theory making it harder for hackers to impersonate genuine users. Digital certificates are a vital part of PKI security technologies like signed and encrypted email, signed documents, VPN access and SSL authentication because they provide a means to establish the ownership of an encryption key. The other benefit is that self-issued certificates are free, and that it's a solution that scales well. However, reality is somewhat different.

Microsoft Certificate Services, for example, provides all the software and programs needed to run an internal PKI, and is included with Windows enterprise servers. The root certificate can also be distributed to all domain-connected objects based on group policies. However, adding it to the trusted store of every version of every app on every machine is a lot more challenging. The certificates themselves may be free, but the resources required to securely manage internal PKI have to be factored into the overall cost. Not that many enterprises have internal IT staff who are qualified and capable of properly managing and securing a PKI in accordance with standards like CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, or the Mozilla CA Certificate Policy.

The security and integrity of the root signing keys are critical and require physical as well as logical security controls to be deployed. The mission-critical nature of a PKI means enterprises must be able to provide a constant quality of service, and perform specialist tasks required in certificate lifecycle management and validation services, such as renewing certificates, maintaining and updating certificate revocation lists and running online certificate status protocol services.

Before deciding to implement internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside of the organization. Internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs specializing in outsourcing now offer Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA, while offering technical expertise and the latest in security technologies.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Find out how to address challenges in AWS Active Directory integration

Read about the fragmentation of common PKI approaches

Learn if the eDellRoot certificate vulnerability points to a larger problem

This was last published in September 2016

Dig Deeper on PKI and digital certificates