Public Key Infrastructure: How does a PKI work?


A public key infrastructure (PKI) is a central part of corporate security in many places. Find out what a PKI is, how it works and how companies can find the right implementation. […]

Applications are increasingly running in the cloud, and trust among companies is growing because they benefit from scalability, efficiency and availability. This trend also covers the security-critical public key infrastructure (PKI). Provided as PKI-as-a-Service (PKIaaS) or as a cloud platform, it is available to companies as a framework. Sometimes, however, an on-premises PKI is worth considering. So which solution is the right one for a specific application?

First of all, a solid security concept is based on securely identifying every person and every digital device, whether it is an application server, a vehicle or a refrigerator. The next step builds on this: the communication or connection between these units must be secured. Only on this foundation, and on the stages that extend it, can all other defensive measures in cybersecurity be effective. For this task, the public key infrastructure (PKI) has established itself as an anchor of trust.

The concept of a public key infrastructure is based on a key pair consisting of a public key and a private key. The PKI verifies the identity of the key pair owner and then issues a certificate for the public key, which certifies that this public key belongs to the verified owner. If communication participants want to check each other's identities, they can use the PKI to check the authenticity of the certificates.

A public key infrastructure is always structured as a multi-level security pyramid. It begins with the root certificate authority (CA), which authorizes the subordinate CAs, and these in turn authorize the issuing CAs. After an identity has been successfully confirmed, these issuing CAs generate the certificates for the cryptographic keys of end devices and users.

Until now, this IT security standard has typically been implemented locally in a company's own trustworthy data centers, which, however, requires the necessary know-how and personnel. This includes a lot of basic knowledge about how secure operating sites, secure data centers and hardened operating systems are set up anew for each implementation.

The basic concept of a PKI, as well as the associated processes and guidelines, has been used by millions of organizations over the past three years, on tens of billions of devices around the world. The use cases range from transferring credit card data when making an online purchase to operating a car alarm system via a smartphone app. Worldwide, these frameworks form the basis for countless secure and trustworthy transactions every second.

IDC estimates that by 2025 there will be 42 billion IP-connected devices in the Internet of Things (IoT) worldwide. The IoT devices cover a wide range of applications and must be protected.

Recently, many device manufacturers have been working on designing or adapting a public key infrastructure in order to secure their devices and the associated services. This has led to a huge growth in the number of public keys and certificates. Industries are now trying to implement at least the necessary security controls in a standardized way. This can happen in the cloud, where companies face the choice of obtaining their PKI in the SaaS model or via a cloud platform.
In order for a company to obtain the appropriate public key infrastructure from the cloud, it should first specify and design the entire PKI. This includes creating security policies. After that, the necessary system environments are defined as part of the design, including operating concepts that take into account load analyses, geo-concepts and availability requirements, among other things.

With the findings from this preparatory work, a basis for deciding on the operating model can be derived. The question to be answered is whether the company goes to the cloud, needs a PKIaaS or would rather stay in its own data center.

Suppose a company wants to use its public key infrastructure mainly for standard use cases that require little adaptation. In this case a PKIaaS is recommended; it then issues the standard certificates for servers, TLS (Transport Layer Security) or the VPN. The implementation is simple, fast and inexpensive, and a fixed set of functions is immediately ready for use. Billing is per certificate or per device.

PKI from the cloud

If it becomes apparent that the implementation will be extensive or a use case is very specific, then a cloud platform comes into focus. Special cases such as certificates that are not based on the TLS protocol can be handled via API access. DevOps teams that need to integrate a PKI layer into a product often benefit from the possibilities of this option.

Via the cloud console, the IT team keeps an eye on all public key infrastructure components, such as the CA, the Registration Authority (RA) and the Validation Authority (VA) with the Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL). It can also map and control on-premises PKI functionality in a cloud platform. Even a hardware security module (HSM) can be added to the cloud as a service.

If you decide on a complete PKI platform that a cloud provider operates as an instance, you should check the billing model. It is advisable to purchase a single license for an unlimited number of certificates: you pay less, while the platform scales better. This is relevant for companies that want to secure many IoT use cases. Provisioning a PKI via the cloud accelerates the implementation for companies while maintaining the necessary level of security. The integrated tools, the possibility of adapting to the underlying hardware and the consideration of availability simplify the provision of PKI services.

The typical cloud promises of efficiency and availability are then fulfilled by a PKI both as PKIaaS and as a cloud platform. In the cloud instance variant, for example, the Enterprise JavaBeans Certificate Authority (EJBCA) scores with the fact that the user can control and manage the entire PKI functionality and all certificates used, thanks to a cloud with an international footprint. This means the user can implement and apply the cluster functionality globally on the cloud infrastructure.

However, the cloud does not make on-premises implementations obsolete, so a local PKI should not be hastily ruled out. If a public key infrastructure has to be available worldwide, a local implementation appears to be a major challenge, but even that is still possible today thanks to distributed data centers.

An important question is whether the infrastructure is designed to handle incoming requests at all times. In e-commerce, many retailers need significantly higher capacities than usual for a short period (at Christmas, for example). On-premises, a large part of those resources would lie idle for the rest of the year if the company kept them permanently available.

However, if the volume of requests in a particular application is constant and the necessary know-how is available in your own organization, then a local implementation remains attractive. Before a selection is made, the best of the options on-premises, cloud platform and PKI-as-a-service must therefore be evaluated individually in each case.

*Andreas Philipp is Business Development Manager at Primekey and responsible for the areas of Industry 4.0 and IoT solutions.
