What is a Public Key Infrastructure?
A Public Key Infrastructure (PKI) is a security infrastructure that provides services for the secure exchange of data between communication partners. With the help of the Public Key Infrastructure, certificates and the ownership of public keys can be verified, thus enabling the secure and encrypted exchange and signing of data on the Internet.
The Public Key Infrastructure provides services to reliably verify who a public key belongs to and whether a certificate is authentic. The Public Key Infrastructure also provides directories for storing certificates or certificate revocation lists. Data is encrypted and signed using asymmetric cryptography.
Typical use cases are logging on to networks and servers, establishing VPN connections, or encrypting and signing e-mails. All these use cases can be integrated into and supported by a PKI. The solution provides a system that creates and manages identities for employees, customers and partners throughout the company in end-to-end workflows and makes them available to users or applications.
How does a Public Key Infrastructure work?
The principle of a public key infrastructure is based on asymmetric encryption. A key pair is created for everyone who wants to communicate in encrypted form. It consists of a private (secret) key and a public key. These are generated in such a way that a file encrypted with the public key can only be decrypted with the corresponding private key. It is also possible to digitally sign a file with the same private key. The associated public key can then be used to check whether the file has remained unchanged since it was signed.
A digital certificate contains the public key of such a key pair and also other information, such as who issued the certificate, for whom it was issued and the validity period. If two communication partners want to send messages to each other securely, they exchange their certificates and are thus given the opportunity to encrypt messages in such a way that only the other can decrypt them. In addition, they can also verify each other’s digital signature.
In order for the certificates to be exchanged, however, the communication partners would have to know each other and find a secure way of exchanging them to ensure that they actually receive the certificate of the person or institution with whom they want to communicate.
Public Key Infrastructure enables secure communication
This is where a public key infrastructure comes in and enables certificates to be exchanged even if the communication partners do not “know” each other beforehand.
In a public key infrastructure, i.e., a hierarchy of certificates, a root certificate with an associated key pair is created at a location that is trusted by all participants, a so-called certificate authority (CA). This root certificate can be used as a trust anchor. Further certificates in this PKI are signed with the private key belonging to the root certificate. Such a signature for a certificate is only issued if all the requirements specified by the Certificate Authority have been met. These include, among other things, proof of the identity of the person who wants to use the certificate and that he or she stores his or her private key securely.
Public Key Infrastructure with IT District
The introduction of a Public Key Infrastructure (PKI) makes sense for companies that want to secure communication across applications and networks. The PKI ensures efficient and secure management of the keys and certificates required for authentication. To ensure that the introduction goes smoothly and that the PKI meets the requirements placed on it, there are a few things to keep in mind.
In the following, you will learn which aspects need to be considered when introducing a public key infrastructure:
Identification of the systems to be integrated
We start with a detailed assessment of the current situation. In collaboration with you, we identify all the systems and applications to be integrated into the public key infrastructure. As part of the inventory, we determine which applications, systems and data are to be protected. Applications can be VPN access, e-mails, or even electronic invoices to be digitally signed (e.g., XRechnung). To increase network security and protect data, encryption of stored or transmitted information is necessary. The public key infrastructure must support all these applications and provide and manage the required certificates or keys.
Clarifying legal and compliance requirements for a public key infrastructure
The vast majority of organizations and companies must adhere to strict legal and compliance requirements. The Public Key Infrastructure needs to be able to comprehensively fulfill these requirements, specifications and policies. Other operational requirements for the PKI system are the number of certificates to be managed and the desired (high) availability of the solution. With our expertise, we ensure that your PKI meets the formal and legal requirements.
Linking of multiple public key infrastructures
For the design of a powerful and highly secure public key infrastructure, we first clarify whether the public key infrastructure should function as a stand-alone solution or be networked with other PKIs. Interfaces and communication paths must be available for interaction with other systems.
PKI On-Premise or as Managed Service
A certificate authority (CA) can be operated either in-house or as a managed service from a managed public key infrastructure. Internal solutions require the appropriate know-how, which can be kept on hand or obtained from us.
With a “Managed PKI” from IT District, your own efforts are minimal – a good and secure choice for many companies and organizations. You use the Public Key Infrastructure as a managed service – we take care of everything else according to the agreed service levels.
Testing and go-live of the Public Key Infrastructure
After the functional and technical design of the Public Key Infrastructure solution, we work with you to create a test and go-live concept, because the changeover needs to be well planned, and employees or other users of the system need to be involved. For all users and applications, we transfer the existing certificates to the Public Key Infrastructure or generate entirely new ones.
Before going live with the Public Key Infrastructure, we perform various functional, availability and load tests – based on a jointly developed test plan – and inform the users. In this way, we proactively prevent unforeseen problems from leading to restrictions in daily work or to production downtimes.
Productive operation and maintenance of the solution
Issued keys and certificates are sometimes still valid for a few months, sometimes for several years. In collaboration with you, we identify and define appropriate backup processes, administrative tasks and instructions for action in the form of an operations manual. In some cases, expired keys or certificates are also required: In the case of archiving and backup solutions, it may be necessary to be able to fall back on the keys that were valid at the time in order to decrypt older data records.
In order to be able to run a Public Key Infrastructure securely and with manageable effort, we create appropriate scripts (e.g., with Microsoft PowerShell) to automate routine tasks or rely on powerful tools.
Decommissioning of certificates
Part of the productive operation of a public key infrastructure solution is that certificates must be automatically decommissioned based on a flexible set of rules. This typically occurs when people leave the company or when devices and systems are decommissioned.
Microsoft Active Directory Certificate Service (ADCS)
Many of our customers require a secure public key infrastructure in a Windows environment. In these cases, the Microsoft Active Directory Certificate Service (ADCS) is the ideal solution.
In numerous projects, we have been able to gather extensive experience on how Microsoft Active Directory Certificate Service can be used in the best possible way in everyday life. We support you in automating your processes and self-services with tools and scripts, or in selecting and implementing a suitable identity and access management solution and/or privileged access management solution.
Typical use cases of a Public Key Infrastructure
- Secure logon to the work computer (Windows logon)
- Secure access to corporate networks such as Wi-Fi and VPN
- Strong authentication for cloud services or local applications
- Email encryption and signing
- Digital signing of documents and transactions
- Organizational sealing
- Secure communication between network components in the enterprise environment (servers, end devices, interfaces, routers)
Public Key Infrastructure – a “must have”
Most IT security procedures have one thing in common: they require keys. A Public Key Infrastructure provides all the technical and organizational factors needed for such key generation and certification. In this respect, a Public Key Infrastructure is not just a component, but the foundation for a secure infrastructure for your company.
Utilize our expertise from numerous projects and secure your business!