Enterprise Public Key Infrastructure (PKI): Public CA vs. Private CA

For Enterprise Companies with large web infrastructures, sometimes it’s better to go with your own PKI

A lot of enterprise companies have massive digital footprints that require special attention to maintain and update. These challenges are different from what individual site owners or even small and medium-sized businesses (SMBs) are contending with. Take a company like Procter and Gamble: not only is it managing its own website, it's managing a myriad of brand websites, as well as the internal networks its employees use to work and communicate. With the advent of the Internet of Things, it's also dealing with connected devices like cell phones and tablets, in addition to all of its employees' PCs.

That’s a massive digital footprint that requires a ton of effort to secure.

In a case like this, you’re going to need to rely on PKI to help secure everything.

What Is PKI?

Public Key Infrastructure is basically a framework for the management, distribution, use, storage, and revocation of trusted digital certificates. PKI binds public keys with their respective identities. Most people know about PKI from SSL certificates, but PKI has been securing web pages, encrypting files and authenticating and encrypting email messages for a long time.

I realize that definition may be a little confusing so let’s hash it out a bit more.

You start in this example with a root certificate, or at least an intermediate that chains back to a root. Every certificate that's issued will be signed by that root, which allows each issued certificate to be authenticated. Since every certificate is bound to an identity and signed by a trusted root, it is easy to verify that a public key belongs to a specific entity. We're skipping validation in this example because most enterprise companies can issue their own certificates after undergoing business authentication a single time.

Should I Choose a Public Root or a Private Root?

There are advantages and drawbacks to each approach. If you're securing a domain that can be accessed by the public, it's better to have a public root, given that the majority of browsers will already have that root in their trust store and it will make authentication easier. Additionally, most public CAs already have a PKI in place that can scale as needed.

A private root, which is one of the first steps to a private CA, affords you the ability to issue your own digital certificates, signed by a root that is itself self-signed rather than publicly trusted. The drawback is that it can be cost-prohibitive, and you'll have to add your private root to your company's browsers. Also, remember that if this is a public-facing domain, its root will not be in visitors' trust stores, and your website will trigger a warning message in whatever browser they're using. On the other hand, if you're using a private root for internal purposes, such as testing or for the IoT, it's much easier to manage your own PKI than to rely on a third-party CA.
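As an added example (not code from the original post), the following Go program shows both points above: it builds a self-signed private root, issues a leaf certificate for an internal host that is signed by that root, and then verifies the leaf against a trust store that does not contain the root and against one that does. The organisation name and hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const internalHost = "intranet.example.internal" // constructed name, not a real host
// issue signs tmpl under parent with the signer's key; for the root, parent == tmpl (self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // bad template or key: nothing to verify
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// BuildPrivatePKI creates a self-signed private root, then a leaf for an internal host signed by it.
func BuildPrivatePKI() (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Private Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed: parent is itself
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: internalHost}, DNSNames: []string{internalHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return root, issue(leafTmpl, root, &leafKey.PublicKey, rootKey) // root-signed, not self-signed
}

// Verify chains the leaf to a trust store with or without the private root; without it Go reports
// "x509: certificate signed by unknown authority", the failure behind the browser warning.
func Verify(leaf, root *x509.Certificate, trustPrivateRoot bool) error {
	pool := x509.NewCertPool()
	if trustPrivateRoot {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: internalHost, Roots: pool})
	return err
}
```

The same root-in-trust-store check is what a browser performs for a public-facing site, which is why a private root is only practical where you control every client.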

Granted, most CAs have enterprise tools that allow a company to issue freely, as needed.

What’s the Difference Between a Hosted CA and an Internal CA?

The answer to this is similar to what we discussed in the previous section. Basically, it comes down to this: do you want to build an internal PKI or buy a hosted PKI service?

A lot of it comes down to your own resources and personnel. If you can afford to have someone, or a team, oversee the PKI, then it’s a great option because it provides you with a ton of flexibility in terms of issuance and deployment. But keep in mind, you’ll also have to pay for hardware, software, licensing and training. For a lot of smaller companies, this would be cost-prohibitive.

Hosted CAs offer a lot of the same benefits as an internal CA; the biggest difference is that you're offloading some of the expense of purchasing and maintaining hardware and software. Additionally, your certificates will be publicly trusted on account of the CA's inclusion in trust stores. Not to mention, issuing a private certificate from a public CA costs a fraction of what a publicly trusted certificate would cost.

Managing Certificates at the Enterprise Level

One of the biggest challenges facing Enterprises is visibility. You may have thousands of certificates deployed at any given time between your e-footprint and all of the devices that are connected. This is one place that going with a public CA has a definitive advantage. While there are third-party tools that will help with discovery, public CAs have spent years building their platforms to meet enterprise needs. Managing your own PKI is already enough of a challenge with visibility. Without it, you’re just inviting trouble.


Something else to consider: you may want to leverage a public CA's existing PKI while you build out your own. This allows you to rely on something that is tried and true while you work any kinks out of your internal CA.

One last thing to remember: if you are building your own PKI, give it room to grow. Don't just design it for today's needs; think about how it will scale to your organization's future goals, not just the ones you're pursuing today. And don't forget automation, either. If you can't automate certificate deployment, you're going to spend the majority of your time managing it by hand. There are several good options for automation: a RESTful API, Simple Certificate Enrollment Protocol (SCEP), Enrollment over Secure Transport (EST), and Microsoft AD auto-enrollment.

If you have any other tips or observations, leave a comment.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.