What Is PKI as a Service (And Why Do I Need It)?


Managed PKI services offer the best of both worlds: the security of having an internal PKI to issue your certificates without the hassle of doing everything yourself

Many organizations want the advantages of operating a private PKI but aren’t equipped to handle the day-to-day responsibilities that accompany them. They want to issue certificates to secure internal resources whenever necessary but often aren’t prepared to handle everything that’s required to make that happen.

The Do-It-Yourself (DIY) route of creating and managing an on-prem private PKI isn’t for the faint of heart. It requires everything from managing secure facilities and software to buying expensive hardware and hiring additional (specialized) staff to set up and operate it.

One way to help you handle these private PKI-related issues and costs — or reduce them altogether — is to use a cloud-based PKI as a service solution. But what is PKIaaS and how could it benefit your organization? 

Let’s hash it out.

What Is PKI as a Service (PKIaaS)?

PKI as a service, also known as a managed PKI (mPKI) service or hosted PKI, is an offering that allows companies to quickly create, deploy, and operate a private PKI that a third-party service provider manages. Because it’s built using all the “P’s” — the PKI vendor’s pre-built tools, processes, policies, and platform — it’s much easier and faster to deploy than a DIY PKI.

PKIaaS is perfect for companies that don’t have the requisite in-house staff to run their own PKIs internally and is scalable enough to work for larger companies with increasing needs.

The PKIaaS approach to private PKI typically keeps your CA keys in hardware security modules (HSMs) that the provider operates in its hosted environment or data center(s), which saves the substantial expense and hassle of buying and setting up HSMs yourself. The trade-off is that your root and issuing CA private keys now live in someone else's hardware, so the provider's key-ceremony procedures, HSM validation (for example, FIPS 140) and audit reports become part of your own security posture and are worth reviewing before you sign.

Simply put, PKIaaS is an (often better) alternative to traditional private PKIs run by in-house teams.

Let’s quickly compare some of the differences you’ll see when using on-premises vs outsourced PKI services using DigiCert’s Trust Lifecycle Manager as an example. (We’ll get more into these differences a little later.)

Traditional Private PKI vs PKI as a Service (PKIaaS)

What It Is
  Traditional private PKI: A private PKI that you set up, operate, and manage yourself using in-house resources.
  PKIaaS: A private PKI that's created using a PKIaaS platform, so the service provider manages many of the PKI-related responsibilities.

Costs
  Traditional private PKI: Requires up-front capital expenditures along with ongoing operational expenses over time.
  PKIaaS: Often cost-effective due to increased efficiency and reduced personnel and hardware expenses.

Personnel Requirements
  Traditional private PKI: Requires hiring, training, and keeping dedicated in-house PKI professionals with the knowledge and skills to set up and run your private PKI.
  PKIaaS: The service provider's team of PKI experts handles all of the backend systems and PKI setup and management.

Security and Compliance Requirements
  Traditional private PKI: Highly secure when implemented properly, but requires specialized knowledge, skill sets, and both physical and digital security measures.
  PKIaaS: Security and compliance benefit from the provider's PKI experts' combined knowledge and skill sets.

Hardware and Software Updates and Upgrades
  Traditional private PKI: On-prem hardware and systems that you purchase, set up, manage, and maintain yourself, and that will depreciate over time.
  PKIaaS: Systems are housed in a secure facility and are managed and monitored by the provider's team of PKI experts.

PKI Scalability
  Traditional private PKI: Requires additional hardware purchases, software licenses, and other upgrades over time to grow with your business.
  PKIaaS: Managed PKI is flexible and scalable, growing or changing with your company's needs over time through the service provider.

A Quick Recap of Public Key Infrastructure

Before we go any further, let's quickly review what PKI is for our newer readers: Public key infrastructure encompasses all of the systems that make data security possible over public and private networks. A typical PKI system includes a root CA and one or more intermediate or issuing CAs, a registration function that validates certificate requests before they're signed, the certificates and key pairs themselves, revocation services (CRLs and/or OCSP responders), and the policies and procedures (CP/CPS) that govern how all of it is operated.

In a nutshell, it’s the foundation of internet security that you can’t “set and forget;” it requires continuous monitoring and careful management of its digital assets.

Now, just to clarify, there are two primary ways PKI is commonly used:

  1. Public PKI refers to the infrastructure managed by certification authorities (CAs) that is used to issue certificates for public uses (think SSL/TLS certificates). You're issued publicly trusted certificates by one or more third-party CAs and have to manage them, but you have nothing to do with the uptime, security, or compliance responsibilities associated with operating the PKI architecture itself.
  2. Private PKI refers to the internal PKI infrastructure and certificate lifecycle management solutions operated within your business. This internal PKI issues privately trusted certificates. You typically either house your infrastructure on-premises or use a third-party service provider to house it off site (e.g., in public or private cloud, data centers, etc.).

NOTE: This article focuses strictly on private PKI for internal use cases within your organization and its IT ecosystem.

PKIaaS/mPKI Is All About Managing Your Internal PKI

While it’s true that some certificate lifecycle management (CLM) tools (which are generally included in PKIaaS platforms or paired with them) allow you to manage both public and private certificates, public certs aren’t the focus here. This article will focus on private PKI and the managed PKI approach to those services.

With a traditional on-prem, in-house PKI, you’re responsible for setting up and managing everything relating to managing your internal public key infrastructure — your root CA, issuing and/or intermediate CAs, hardware security modules (HSM), backup servers, etc. With PKIaaS, a managed service provider will handle these things for you, leaving you responsible for things like validating and issuing certificates, tailoring certificate profiles, and performing other customizations as desired.

What Does a Private PKI Help You Secure?

It’s all about digital trust for your internal environment. Your private CA enables you to issue and manage digital certificates that secure and authenticate your internal users and assets, including:

  • intranet sites
  • employees and other network users
  • on-prem and remote network devices
  • machine-to-machine communications
  • internal apps and services

PKIaaS Providers Often Differ in Their Approaches

In general, managed PKI services streamline the process of deploying and managing digital trust across your digital environment. Some trust service providers require you to manage your public and private certificates using separate tools, while others let you manage both within a single pane of glass.

Some PKIaaS platforms are certification authority (CA) agnostic, meaning you can use digital certificates from multiple CAs and the platform will manage them all the same way. Others are "purists" that only support the certificates they issue themselves.

With a robust managed PKI platform, you no longer need to manually track certificate deployments on spreadsheets. Instead, you can securely manage your PKI and certificates using a centralized system that enables automation to issue certificates faster.

Whether you’re a small, medium, or large company, PKIaaS is a great option if you lack the dedicated resources to securely set up and run one on your own. Simply put, PKIaaS is a way to outsource the management of these digital trust daily responsibilities while still enjoying the security, customization, and automation benefits it provides.

Traditional In-House PKI vs Cloud-Based PKIaaS

Cloud-based PKIaaS is a cost-effective alternative to the traditional on-prem private PKI companies often run in house. On-prem deployments that you do yourself typically require large capital expenditures (capex) and, increasingly, operational expenditures (opex) over time.

The scalability of using PKIaaS allows your internal PKI to grow with your organization, eliminating many of the hiccups that in-house teams deal with when managing and maintaining a system.

An illustration breaking down the responsibilities for in-house PKI compared to PKI as a Service (PKIaaS / mPKI)
Image caption: A side-by-side comparison of how you can manage your private PKI using either the traditional approach (e.g., using your in-house team) or using a PKI-as-a-Service provider. It’s a simplified (not fully inclusive) visual representation of some of the responsibilities a managed PKI service takes off your plate.

Traditional In-House, On-Prem PKI

A traditional on-premises private PKI is one you build, house, operate, and secure using in-house resources and personnel. However, this self-sufficient approach involves a lot of obvious and not-so-obvious costs and resource requirements:

  • Buying and securely storing costly equipment on site
  • Setting up your root CA, intermediate CAs and/or issuing CAs
  • Having staff with specialized knowledge to set up and configure everything in a compliant manner
  • Keeping and training in-house staff who can operate and maintain the systems
  • Running the day-to-day certificate lifecycle and key management operations
  • Dealing with PKI-related issues as they arise on your own
  • Upgrading infrastructure and increasing software licenses as needed to scale with the needs of your organization or business
  • Adhering to data privacy and security standards and regulatory compliance requirements

It also often involves either using a combination of third-party components and software or creating proprietary systems yourself. (Seriously, who has time for the latter?)

Sure, with the right know-how, you can manually set up your own certificate authority and get the ball rolling on an internal PKI. But this means that without a dedicated team of experts to handle that, other important projects on your plate will likely fall by the wayside, resulting in shifted priorities and missed opportunities to focus on other essential tasks.

PKI as a Service

In general, a service provider takes on the brunt of the responsibilities to simplify and streamline the processes for you. For example, an mPKI provider will take care of:

  • Setting up and maintaining the hardware infrastructure that’s stored in a secure facility (i.e., the provider’s on-site location or their secure third-party data center)
  • Configuring any necessary software and licensing to meet your organization’s needs
  • Creating and deploying the appropriate private CA hierarchy to enable issuing trusted certificates (root CA and one or more issuing CAs)
  • Creating and maintaining your CA services to ensure compliance
    • certificate policies/certification practice statements (CP/CPS) and audits
  • Providing pre-configured and customizable certificate profiles
  • Balancing usability while ensuring compliance

Each item on this list can be days of work, meaning weeks or months in terms of doing it from scratch. This hands-off approach frees you up to focus on other priorities and work on the things that only you can handle.

A basic graphic illustrating the costs and benefits of DIY PKI and PKIaaS (mPKI)
A basic illustration demonstrating the value of PKI as a Service (PKIaaS) for many enterprises and organizations.

Can You Switch from a Traditional In-House Private PKI to PKIaaS?

Absolutely. If you have a traditional PKI and want to realize the benefits of PKIaaS, then you'll like this next bit of news: most PKI providers have connectors that allow you to bring your existing hierarchy under management and start modernizing your public key infrastructure. So, changing over is almost always an option if you're ready to make the switch. One caveat worth planning for: a root key that lives in your own HSM usually can't (and shouldn't) simply be exported to the provider, so the practical paths are either to keep operating your existing root and have the provider run a new issuing CA beneath it, or to stand up a fresh provider-hosted hierarchy and distribute its root to your trust stores while certificates from the old one expire. Either way, inventory everything that trusts the old root before you start.

Breaking Down the Essentials: Who’s Responsible for What?

So, what are your responsibilities when it comes to operating your own in-house PKI versus using managed PKI services? Let’s break it down:

Responsibilities: Traditional On-Prem PKI vs PKI as a Service (PKIaaS)

Uptime of Service
  Traditional on-prem PKI: You're responsible for maintaining service uptime.
  PKIaaS: Your mPKI provider is responsible for maintaining service uptime.

Root/ICA Key Management
  Traditional on-prem PKI: You're responsible for securely storing and managing your root and ICA keys (ideally, using an HSM).
  PKIaaS: The PKIaaS provider stores and manages your root and ICA keys using its secure hardware.

Leaf Key Management
  Traditional on-prem PKI: You're always responsible for managing your endpoint certificate keys.
  PKIaaS: You're always responsible for managing your endpoint certificate keys.

Certificate Lifecycle Management
  Traditional on-prem PKI: You're responsible for managing all digital certificates, including your root and ICA certificates.
  PKIaaS: You're responsible for managing your leaf (endpoint and user) certificates. Root and ICA certificates are at least partially managed by the provider.

Integrations
  Traditional on-prem PKI: You're typically responsible for building certificate automation and integrations in your systems.
  PKIaaS: Most PKI providers offer a wealth of pre-built integrations you can use.

Access Management
  Traditional on-prem PKI: You're responsible for managing your users and figuring out how to integrate with Active Directory or Intune.
  PKIaaS: Many PKIaaS platforms integrate with Active Directory (AD) and Microsoft Intune.

Certificate Profiles
  Traditional on-prem PKI: You'll be responsible for creating and maintaining any certificate profiles.
  PKIaaS: Some PKIaaS providers have certificate profile templates, which you can customize as you choose.

Hardware Acquisition and Management
  Traditional on-prem PKI: You have to buy, set up, and configure your servers, load balancers, HSMs, and other hardware.
  PKIaaS: The managed PKI service provider uses its own secure hardware, so you don't have to worry about it.

Validation Infrastructure Management and Maintenance
  Traditional on-prem PKI: You're responsible for keeping a CRL/OCSP server available.
  PKIaaS: The mPKI provider is responsible for handling this.

IT and Cybersecurity Operations Relating to the PKI (Updates and Patches, Firewalls, etc.)
  Traditional on-prem PKI: You're responsible for everything.
  PKIaaS: The PKIaaS provider handles your PKI IT and cybersecurity operations on the back end.

Creating and Maintaining PKI Policies and Procedures
  Traditional on-prem PKI: This is all on you, including any audits and your CP/CPS documents.
  PKIaaS: The mPKI provider will take care of all this for you, including your CP/CPS and audit documents.

Failovers and Backups
  Traditional on-prem PKI: You're responsible for handling these tasks.
  PKIaaS: The service provider will handle these tasks for you.

Software Acquisition and Licenses
  Traditional on-prem PKI: You're responsible for handling this, too.
  PKIaaS: The PKIaaS provider can offer this at a cost.

Support
  Traditional on-prem PKI: You handle this using your in-house team or will have to hire a third-party provider.
  PKIaaS: Support is included as part of your PKIaaS plan.

Admin and End-User Training
  Traditional on-prem PKI: You're responsible for training your staff or hiring a third party to do it.
  PKIaaS: PKI service providers typically offer this service at a cost.

Why PKIaaS Is Needed: 8 Benefits of Using Third-Party PKI Services

There are plenty of reasons why businesses turn to PKIaaS to outsource their internal PKIs:

1. PKIaaS Is Usually More Cost-Effective Than DIY

Running your own private PKI from the ground up isn’t cheap. Think of the servers, hardware security modules (HSMs), backup and failover systems, data storage, and everything else that goes into building and maintaining a private CA.

  • It could cost you tens of thousands of dollars to purchase a single HSM, let alone pay any of the other expected costs and hidden expenses that are sure to pop up.
  • As your system ages, there will be costs associated with its maintenance and updates. We’re talking about hidden or unexpected costs that can seemingly crop up at random…

2. Costs Are Predictable With PKIaaS

Venafi estimates that the average total hidden cost of legacy PKI systems is $687,500. Imagine how high those estimated costs will be in another 5-10 years (yay, inflation) — or worse, once cryptographically relevant quantum computers (CRQCs) have finally entered the game. (Although, in all fairness, you should already be taking steps now to prepare for quantum computing by implementing PQC hybrid certificates within your private PKI.)  

PKIaaS reduces your capital expenditures because you won't need to purchase those hardware items. Instead, you'd rely on cloud-based services that are hosted by a trusted service provider such as DigiCert. These services are often provided at a fixed, predictable rate, which means no unexpected costs or surprises that will eat away at your budget.

3. Ensures Your PKI Meets Industry Standards & Compliance Requirements

PKI is a highly specialized field that requires having up-to-date knowledge of the latest regulatory requirements, standards, and best practices. Unfortunately, general in-house IT teams often know just enough to be dangerous.

In-house deployment teams are 100% responsible for provisioning, launching, and maintaining your PKI systems and all of the technologies they touch. If they don’t do it in a compliant way that checks all of the boxes, then you’ll find your brand up an aptly named brown creek without a paddle.

One of the biggest challenges of operating your own internal PKI is that no one person can know everything. It takes a team of people with varied skillsets, experiences, and areas of knowledge to provide the comprehensive security necessary to protect your public key infrastructure. This breadth of knowledge includes everything from knowledge of specific industry standards and frameworks (think IETF and NIST [for federal agencies and contractors], etc.) to specific relevant industry or regional data privacy regulations (e.g., GDPR, HIPAA, PCI DSS, etc.).

Each of these standards or legal requirements specifies important aspects of IT and data security that must be considered when implementing a secure PKI to protect your internal resources. This is why it’s often best for organizations to consider using a PKI as a service provider who can cross the T’s and dot the I’s to ensure everything is done properly.

4. Helps You Avoid Having to Hire Specialized Staff

One of the biggest benefits of using PKIaaS is that you don’t have to worry about hiring specialized in-house PKI experts to operate your internal infrastructure. Instead, you can leave the specialist work to the outsourced managed PKI services experts and your existing internal team can focus on handling everything else that helps keep your business running.

5. Alleviates Hardware Installation, Setup, and Maintenance Responsibilities

Does setting up one or more HSMs sound like a fun way to spend your workday? What about carrying out monotonous updates and maintenance on every device, server, and PKI system? If you’re like most admins who already have too much on their plates, I’m guessing your answer will be no.

One of the greatest advantages of outsourcing your PKI services is that it takes a load off your shoulders when it comes to securely managing and maintaining your secure tech. You get to hand over the reins to a compliant service provider and check another item off your list of responsibilities.

Your PKI can be hosted in the service provider's cloud environment or at a secure third-party data center. PKIaaS providers commonly store their servers in standards-certified secure data centers, keeping your CA hardware physically secure from threat actors.

6. Pre-Built Tools and Policies Take a Load Off Your Plate

Don’t have the time to dedicate to crafting individual certificate profiles and policies from scratch? You don’t have to with the pre-built certificate lifecycle management tools and policies through a managed PKI service provider like DigiCert. You can use these resources as-is or customize them to meet the needs of your organization.

So, what are some examples of these pre-built tools and policies?

Certificate Automation Plugins and Integrations

PKIaaS solutions (like DigiCert’s Trust Lifecycle Manager or Sectigo Certificate Manager) enable automation through plugins and integrations with other third-party products and services. Some examples of these integrations include:

  • Apache
  • NGINX
  • IIS
  • AWS
  • F5
  • Microsoft Intune
  • Microsoft AD CS
  • HashiCorp Vault
  • Jenkins
  • ServiceNow
  • Let’s Encrypt
  • Qualys
  • Tenable

Revocation Mechanisms

With a PKIaaS solution, you won't have to build or maintain your own OCSP responder or publish your own CRLs; the provider hosts the revocation endpoints named in your certificates. Do check that your relying parties (including devices on segmented internal networks) can actually reach those endpoints, and how each client behaves when it can't, because a certificate that only validates when its CRL is fetchable is only as available as that URL.

7. Simplifies Digital Certificate Management & Issuance

As of January 2024, 91% of Keyfactor’s survey respondents indicated they were “deploying more cryptographic keys and digital certificates than ever before[.]” Data from the company’s 2024 PKI & Digital Trust Report shows that the average surveyed business has 81,139 internally trusted certificates from seven internal ICAs.

As you can imagine, having more certificates within your internal IT environment and networks means more things that can go wrong when these assets are improperly issued or mismanaged.

PKIaaS enables you to specify which employees or users are authorized to request and issue certificates for your internal uses. You can also configure it so that certificate signing requests (CSRs) require manual approval, or are issued automatically once a trusted registration authority (RA) has validated them against your certificate profile. PKI automation tools also allow you to manage your public PKI certificates that have been issued by public CAs.

Not all managed PKI platforms and service providers are the same. Some are provider-specific, meaning that they only support certificates from that individual provider while others are CA agnostic (i.e., they support certificates issued by multiple CAs).

Using a unified certificate management tool gives you greater visibility of your organization’s digital trust environment, regardless of CA brand, and can help you avoid costly shadow IT/certificate-related issues, service outages, and reputational harm.

8. Provides Crypto Agility and Scalability

As your company grows or changes, so, too, will your PKI needs. You’ll need more hardware, software licenses, and the skills required to configure and operate everything at scale. You also will require crypto agility to quickly and easily update your PKI in alignment with PQC-related industry changes and the growth of your organization. 

PKIaaS helps keep you compliant. Standards change every year (think of the S/MIME baseline requirements and PQC standards changes as a couple of examples), and PKIaaS providers update their platforms to meet new requirements without you having to install patches or do development work.

With PKIaaS, you can deploy new issuing CAs (ICAs) and certificates whenever necessary to meet your needs without having to set up additional hardware or deal with additional software licensing. Your service provider will handle everything on the backend for you, leaving you to focus on your other responsibilities.

And since organizations scale at different rates, some managed PKI service providers offer pay-as-you-go services or unlimited certificates that enable you to boost or downsize your PKI as needed. This makes it a more cost-effective option because you only pay for the certificates and services you actually need.

When Is PKIaaS Not the Right Choice?

While PKI as a Service may be an option for some businesses, this approach may not work for every organization. There are times when having a DIY PKI makes more sense and we’d be remiss if we didn’t at least mention them:

  1. You only have a handful of certificates to manage. If you’re a small business that can practically count the total number of certificates you have using your fingers and toes, then this solution really isn’t for you.
  2. If you already have full-time team members on staff with the necessary expertise to set up and run your PKI. If you’ve already got the “big guns” on your team, then it’s likely that you won’t need to rely on third parties. 
  3. If you have other unique requirements or circumstances that PKIaaS solutions don't fit. There may be other circumstances or technological requirements (for example, a requirement that CA keys never leave hardware you control) that make a PKIaaS solution a non-starter for your business.

If your organization fits one of these scenarios, then PKIaaS likely isn't the right fit for your use case. In particular, if you already have the staff in place and the incremental cost of running your own PKI is low, a managed PKI may not pay for itself.

Final Thoughts on Migrating to PKI as a Service

The bottom line is that your PKI needs to be viable, cost-effective, and scalable. Outsourced managed PKI services provide businesses with a wealth of on-demand services while giving them back their most valuable asset: time.  

PKI as a service helps you avoid some of the costly mistakes other businesses make when using “home-grown” PKI solutions and in-house teams. If you’re relying on people who don’t have the specialized skills, knowledge, or experience of setting up and operating a private CA, then you’re likely to see mistakes and misconfigurations along the way.

The same can be said when scaling your PKI, too. These things can cost you dearly through failures that result in data breaches and non-compliance-related issues.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.