Public Key Infrastructure (PKI)

The Challenge

Public Key Infrastructure (PKI) has been around for decades, but increased regulations, standards, machine identities, digital transformation programs and the ever-evolving cyber threat landscape are having a significant impact on the way that PKI must be deployed and managed.

New PKI use cases are demanding that PKI implementations adapt to the increased demand for trust. With increased focus on cloud-based applications, device credentialing and authentication, and code signing, the role of the PKI is becoming even more critical.

Implementing a PKI requires specialist skills and involves far more than a technical installation. Our experience shows that customers often neglect best practices, which lowers the trust that can be placed in that PKI.

For example:

  • No policies or processes to govern the PKI
  • No operational build documents and lifecycle processes
  • Not securing the Root Certificate Authority keys
  • Not configuring the Certificate Authorities effectively

Use Case

The following business-critical applications make it clear that PKI is a strategic part of the core IT backbone.

  • SSL certificates for public-facing websites and services
  • Private networks and virtual private networks (VPNs)
  • Zero Trust
  • IT/OT Security
  • Email security
  • Enterprise user authentication
  • Device authentication
  • Private cloud-based authentication
  • Document/message signing
  • Code signing

There has also been a resurgence of PKI from DevOps-related use cases that are driving increased adoption, such as:

  • Cloud-based services
  • Consumer mobile
  • Internet of things (IoT)
  • Consumer-oriented mobile applications
  • Bring-your-own-device (BYOD) policies and internal mobile device management
  • e-commerce

Services

SSS has developed the unique ability to implement and configure both on-premises PKI and Managed Service PKI offerings. SSS staff have extensive experience in deploying PKI for global organisations in government and the private sector. The PKI implementation service includes the supply, installation and configuration of the selected software components and hardware security modules, and the configuration of certificate distribution points for validation.

At the heart of any PKI is the Key Generation Ceremony, which is a controlled and auditable process used to generate the necessary keys to establish a trusted PKI. SSS provides guidance on the type of key generation ceremony that should be used, based on the level of assurance that is required from the PKI. SSS has the experience and skillsets to develop and review key generation ceremony scripts to meet the stringent requirements of highly classified government environments and large financial organisations. SSS can also address the needs of smaller organisations that do not need this level of complexity or security requirements.

SSS can review existing PKI implementations to provide a clear understanding of what has been deployed and whether the PKI is fit for purpose. This includes a view of the current state of the PKI and its suitability to meet business needs; as an output, we identify and provide recommendations where improvements could be made.

During this engagement, SSS conducts a review of the current PKI practices, PKI governance, PKI consumption and the organisational structures that manage and approve requests as part of the Certificate Lifecycle. SSS will distribute questionnaires to facilitate information gathering and then collate the responses for inclusion in the final report. As an outcome, you will have:

  • a comprehensive assessment of the current PKI technical implementation,
  • understanding of the extent of the PKI consumption by the business units,
  • a view of the existing PKI organisation, and
  • a PKI report containing recommendations for remediation.

Our review is conducted in a pragmatic way, understanding that most businesses don’t require a PKI that needs to be trusted publicly. We ensure that your PKI is appropriate to your business and if not, make recommendations to get it that way.

SSS has extensive experience in PKI design and in creating the associated documentation covering the technological, procedural, physical, personnel and audit functions and controls. The design is based on organisational use cases to balance the need for a secure and trusted infrastructure with a right-sized, usable and functional service. The design process includes comprehensive design workshops to confirm the PKI hierarchy, levels of assurance and use cases that are required for the PKI.

Because security requirements and risk postures often vary between organisations, and even between business units, our design process incorporates a risk-based approach to ensure the right amount of security is applied to match the risk profile. We also ensure that the design will cater to both current and future use cases. SSS has created a levels-of-assurance matrix, based on our experience and on international standards and best practices, that provides guidance on what each level means and the associated security controls and practices.

In addition to the technical component of a PKI implementation, the creation of policy artefacts satisfies the procedural aspect of PKI and is of equal importance.

Prior to deploying any CA or issuing a certificate, the policy which governs the use of the PKI must be defined. A policy usually takes into consideration regulatory and industry requirements as well as unique organisational requirements. The policy will usually specify technical aspects of the PKI, such as the cryptographic algorithms that must be used, along with the operational controls for the CAs. CA-specific policies may be required before implementing the PKI to ensure that the required level of trust is established. These policies may be expressed differently depending on the required level of assurance: either as documented statements about certificate usage and issuance controls for a simple internal CA, or as a formal Certificate Policy/Certification Practice Statement that follows the IETF Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647), with accompanying standard operating procedures.

As part of the SSS review process, we assess the existing policy artefacts against the documented current and future use cases and assess the documented technological, procedural, personnel, physical and audit controls against applicable standards, industry norms and the risk assessment (if one has been conducted).

For new or existing PKI, SSS can create the policy artefacts required to establish a trusted PKI that meets current and future business needs. Our policy artefacts, such as the Certificate Policy, Certification Practice Statement and Key Management Plan, are based on industry standards such as RFC 3647 and NIST SP 800-57.

The ability to design and manage a PKI is highly dependent on the skills and knowledge of those managing it. SSS has partnered with the PKI experts at PKI Solutions to build your PKI knowledge and increase your skills.

Together we offer the most up-to-date PKI training available, focusing on Microsoft Active Directory Certificate Services (ADCS) and Windows Server 2012 R2 – Windows Server 2019. All classes have a strong emphasis on security, best practices, and hands-on skills labs. There are different options to meet your needs.

The Microsoft PKI In-depth Online Training course is a deep-dive into PKI and Active Directory Certificate Services (ADCS) by focusing on building knowledge and skills with all of its features. There is a strong emphasis on security, best practices, and hands-on skills labs.

The Microsoft ADCS Advanced Online Training course is recommended for anyone who has taken the PKI In-depth Training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with Certificate Services.

SSS provides subject matter experts in PKI and Certificate management to develop a PKI strategy and roadmap to guide the implementation and use of PKI.

The SSS PKI strategy approach includes considerations for strategic goals, policy alignment, implementation frameworks and key adoption principles.

The PKI strategy will address, inter alia, the customer's approach to PKI in relation to:

  • PKI Use cases and consumers of certificates
  • Sources of PKI that may be used
  • Trust and Levels of Assurance required
  • PKI Governance responsibilities
  • PKI Compliance requirements
  • On-premise and Cloud PKI migration and use cases
  • Crypto Agility
  • Post Quantum Cryptography

Our Partners

  • Entrust
  • Microsoft
  • PKI Solutions
