PKI and Certificate Lifecycle Management aren’t the hottest or sexiest topics, but they are a fundamental part of any well-run security program. Below, we will outline five important principles that will ensure you are on the path to a successful PKI deployment.
1 – Understand the importance of people and process for your PKI
In the popular television series MacGyver, the title character uses basic materials in inventive ways to solve all kinds of problems. It became so popular that the creative repurposing of everyday items is now widely known as “MacGyverisms.”
While improvising is not the way to operate a PKI, the skill of the people involved matters far more than the product itself. Most organisations make the mistake of spending too much attention on which product to choose, and too little on who will operate it and how. The real capital is your human capital. Your people and processes can easily break even the best product, or make the most of a relatively poor one. The most skilled experts go further: they find value-adds, or write their own to work around a product's limitations, and they can advise on product selection and configuration, suggest optimal processes, train replacement staff and so on.
The secret to a successful PKI is to have skilled people applying sound processes to properly operate good technology. People will account for roughly half of what you need for success, processes for another third — leaving only one sixth for the technology.
2 – Understand the principles of assigning responsibility and fostering teamwork
Have you ever encountered this situation? Imagine that some client computers need a certificate to authenticate themselves to a VPN, and the VPN servers need certificates to authenticate themselves to the clients. The PKI team signs the certificate requests and publishes the means to validate the certificates (the CA certificates and the revocation information). The VPN server attempts to validate the client certificates to see if they can be trusted, and vice versa. Both need connections to the PKI to access the validation mechanisms, renew the certificates, and so on. There may or may not be firewalls in the way, managed by yet another team.
Then an outage occurs, and it’s certificate related. Every team points the finger at each other, and chances are they are all partially right.
The fact is, assigning responsibility for certificate management to any single team doesn’t work. The subscriber — the one that needs the certificate in the first place — has the most responsibility for that certificate, but they may still depend on the services of others.
Teamwork is everything. If you can navigate through the often-complex sharing of responsibility and get all parties to collaborate in just the right way, you’ve taken a major step on the path to PKI success.
3 – Put the certificate in the spotlight, but give special attention to the private key
Behind every star there’s an unsung hero that does a lot of the work that makes the star shine.
The unsung hero behind the certificate is the private key. It needs to stay out of the spotlight but is equally important. If neglected, problems with the private key can put both it and the certificate out of commission. The private key signs messages so others know they come from you, and it decrypts messages from others so they can send them to you securely. If you forget it exists, lose track of where it is, neglect backup or security arrangements or otherwise cause the private key to be unable to function, the certificate also becomes useless.
Another common mistake is to secure the certificate instead of the private key. The certificate needs no confidentiality, and its integrity is already protected by the issuing CA's signature, so anyone can detect tampering with it. If anything, its usefulness comes from making it as public as possible.
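To make this concrete, here is an added example (not code from the original post) of the three checks a subscriber can run on a certificate and its private key with the OpenSSL CLI: that the key on disk really belongs to the certificate, that nobody but the owner can read the key file, and that only the key can sign while the certificate alone can merely verify. The service name "demo-service", the file names and the message text are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: checks on a certificate/private-key pair.
# The subject name, file names and message contents below are assumptions for the demo.
set -e

# Generate a throw-away self-signed certificate and its private key in $1
# (assumed: EC P-256, subject CN=demo-service, 30-day validity).
make_pair() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=demo-service" -days 30 \
        -keyout "$1/service.key" -out "$1/service.pem" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, taken from the certificate and from the private key.
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 1: the private key on disk is the one this certificate was issued for.
key_matches_cert() {   # $1 cert, $2 key
    [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Check 2: nobody but the owner can read the key file (no group or other read bit set).
key_is_private() {     # $1 key
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Check 3: the private key signs; anyone holding the certificate can verify, but cannot sign.
demo_sign() {          # $1 key, $2 message file, $3 signature file (written)
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
demo_verify() {        # $1 cert, $2 message file, $3 signature file
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_pair "$WORK"
chmod 600 "$WORK/service.key"
key_matches_cert "$WORK/service.pem" "$WORK/service.key"; echo "key matches certificate"
key_is_private   "$WORK/service.key";                     echo "key readable by owner only"

chmod 644 "$WORK/service.key"     # the common mistake: key deployed world-readable
key_is_private "$WORK/service.key" || echo "WARNING: private key is readable by others"

printf 'constructed message\n' > "$WORK/msg"
demo_sign   "$WORK/service.key" "$WORK/msg" "$WORK/msg.sig"
demo_verify "$WORK/service.pem" "$WORK/msg" "$WORK/msg.sig"; echo "signature verifies with the certificate"
printf 'tampered message\n' > "$WORK/msg2"
demo_verify "$WORK/service.pem" "$WORK/msg2" "$WORK/msg.sig" || echo "tampered message rejected"
# What the certificate cannot do: sign. This fails because a certificate holds no private key.
openssl dgst -sha256 -sign "$WORK/service.pem" "$WORK/msg" >/dev/null 2>&1 || echo "certificate alone cannot sign"
```

The first two checks are the ones worth running from a scheduled job on every host that holds a key: a key that no longer matches its (renewed) certificate, or a key that has become readable by other accounts, is exactly the kind of quiet neglect the text describes.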
Put the certificate in the spotlight, but don’t forget to secretly give the private key the tender loving care it needs, and you’re on the way to making the combination work for you in harmony.
4 – Pay close attention to the validity of your certificates, and how they are validated
Suppose you are traveling abroad but your passport has expired. Or perhaps the customs officer can’t check the list of passports that have been revoked, or they simply don’t trust your country. That would probably ruin your trip, right?
The same goes for certificates. They are valid for a limited time, and whether an authentication succeeds depends on the other side (the relying party) being able to trust you. This principle of trust is the cornerstone of any PKI operation. To establish that trust, the relying party must be able to check every Certificate Authority (CA) certificate and Certificate Revocation List in the chain, straight up to the Root CA, which means it must be able to reach the locations where they have been published. Finally, it needs to have the Root CA in its list of trusted Root CAs.
In turn, the Certificate Revocation Lists (CRLs) are themselves valid only for a limited time. If a CRL expires, every certificate issued by that CA, and by any CA beneath it, instantly becomes untrusted by any relying party that checks revocation, even though none of those certificates has expired or been revoked. This generally causes a major outage.
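The following added example (not code from the original post) builds a small root, intermediate and leaf chain with the OpenSSL CLI, publishes a CRL for each CA, and then runs the relying-party check the two paragraphs above describe. It shows the three failure modes in turn: CRLs that have expired while every certificate is still valid, a root that is missing from the relying party's trust store, and a leaf that has been revoked. The CA names, subjects, key type, certificate lifetimes and the one-hour CRL lifetime are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a root -> intermediate -> leaf chain built
# with the OpenSSL CLI, a CRL published for each CA, and the relying-party check the post
# describes. CA names, subjects, lifetimes and the 1-hour CRL lifetime are all assumptions.
set -e

# Key, CSR and certificate for $2 in $1.  $3 = ca|leaf (extensions), $4 = issuer ("" = self-signed).
mk_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Demo $2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    case $3 in
        ca)   printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
        leaf) printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
    esac > "$1/$2.ext"
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 -sha256 \
            -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
            -days 90 -sha256 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
    fi
}

# Minimal "openssl ca" state for CA $2: only what CRL issuance and revocation need.
new_ca_db() {
    : > "$1/$2-index.txt"
    printf '01\n' > "$1/$2-serial"
    printf '01\n' > "$1/$2-crlnumber"
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s\nserial = %s\ncrlnumber = %s\nnew_certs_dir = %s\ndefault_md = sha256\n' \
        "$1/$2-index.txt" "$1/$2-serial" "$1/$2-crlnumber" "$1" > "$1/$2-ca.cnf"
}

# Publish a CRL for CA $2 whose nextUpdate is $3 hours away (the CRL lifetime).
issue_crl() {
    openssl ca -config "$1/$2-ca.cnf" -keyfile "$1/$2.key" -cert "$1/$2.pem" \
        -gencrl -crlhours "$3" -out "$1/$2.crl" 2>/dev/null
}

build_pki() {
    mkdir -p "$1"
    mk_cert "$1" root ca ""
    mk_cert "$1" int  ca root
    mk_cert "$1" leaf leaf int
    new_ca_db "$1" root; issue_crl "$1" root 1
    new_ca_db "$1" int;  issue_crl "$1" int 1
}

# Revoke the leaf at the intermediate. Relying parties see nothing until a new CRL is published.
revoke_leaf() {
    openssl ca -config "$1/int-ca.cnf" -keyfile "$1/int.key" -cert "$1/int.pem" \
        -revoke "$1/leaf.pem" 2>/dev/null
    issue_crl "$1" int 1
}

# The relying-party check: $2 = trust store file (must hold the root), $3 = optional
# verification time (epoch seconds). -crl_check_all demands a valid CRL for every CA in the chain.
verify_leaf() {
    cat "$1/root.crl" "$1/int.crl" > "$1/crls.pem"
    at=""; [ -n "$3" ] && at="-attime $3"
    openssl verify -CAfile "$2" -untrusted "$1/int.pem" -CRLfile "$1/crls.pem" \
        -crl_check_all $at "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

show() { label=$1; shift; if "$@"; then echo "TRUSTED      $label"; else echo "NOT TRUSTED  $label"; fi; }

PKI=$(mktemp -d)
build_pki "$PKI"
mk_cert "$PKI" other ca ""                # another organisation's root, which is not ours
LATER=$(( $(date +%s) + 7200 ))           # two hours on: every certificate still valid, both CRLs not
show "fresh chain, fresh CRLs, root trusted"     verify_leaf "$PKI" "$PKI/root.pem"
show "same chain two hours later: CRLs expired"  verify_leaf "$PKI" "$PKI/root.pem" "$LATER"
show "root missing from relying party's store"   verify_leaf "$PKI" "$PKI/other.pem"
revoke_leaf "$PKI"
show "leaf revoked and new CRL published"        verify_leaf "$PKI" "$PKI/root.pem"
```

Two things to take from the run: the second case fails with nothing revoked and nothing expired except the CRLs, which is the outage described above, and the fourth case only fails once the fresh CRL has actually been published, so a revocation that the CA has recorded but not yet published protects nobody. Monitoring the nextUpdate of every published CRL against the time it takes your process to issue a new one is the operational control that follows from this.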
Understand and respect the principles of trust, and your PKI journey is one step closer to success.
5 – Keep your design balanced and in harmony with the purpose of your PKI
Imagine you’ve built your PKI to the default standard or based on a white paper by a respected authority. Any modifications you made were diligently researched with respected authorities or your suppliers. Yet somehow, the result is not what you expected. You see certificates that shouldn’t be there. Usages that should not be possible. It’s more expensive than you expected. You might get the occasional outage. It doesn’t quite work for you.
The problem is twofold. First, the quality of the knowledge available is a mixed bag. Some is very good, but other information is out of date, mistaken or misleading. One common problem is that many authors are tempted to recommend a setting that is sure to work, but which quietly turns off part of the security or relaxes the configuration in the process.
The other problem is that white papers are generic by definition. They are not necessarily aligned with your overall plans, or even with any coherent plan. The end result of following several different experts may very well be a haphazardly thrown together and unbalanced PKI.
There are many examples of unbalanced PKIs: Over-investing in security posture or features for a purpose where you don’t need them, leading to a PKI that is just too expensive. Under-investing, leading to an insecure PKI — or one that cannot deliver the functionality you need. Investing heavily in boxes but then making bad configuration settings on them. Giving too much attention to one aspect of the PKI setup, which doesn’t leave enough time or resources to invest in everything else that is important. The list goes on.
To avoid these situations, define an overall security posture and balance all your processes and settings against it. By all means, do your homework when you stand up a PKI or make a change, but understand why the authors want you to do something and what effect it has. This way, you can make your own choice whether to follow their advice or pursue an alternative. Pay attention to the details and document not only what you did, but why you did it. You will find you get a PKI that is balanced and runs like clockwork.
Putting it all together
Pay close attention to your people and your processes, because they are key to your success. Assign responsibility carefully and foster teamwork between the different teams involved. Put the certificate in the spotlight where it belongs, but quietly give tender loving care to the private key to keep everything running smoothly. Pay attention to the validity and trust of your certificates and the ones you’d like to trust. Finally, ensure that your design is balanced and aligned with the underlying purpose for your PKI.
If you make a concerted effort to master these five principles, you will have a roadmap to operating a PKI successfully.
Special thanks to Vasco Gomes for reviewing on the technical content, Jon Luebke for textual advice, and Mathilde Cadrouil and Laurence Begou for facilitating the blog.