Enterprise PKI Setup Guide

TL;DR

This guide covers setting up a Public Key Infrastructure (PKI) for your business. It focuses on security, scalability and ease of management. We’ll cover planning, certificate authority setup, key lifecycle management, and revocation processes.

1. Planning Your PKI

1. Define Scope: What will the PKI be used for? (e.g., email security, code signing, VPN access, internal authentication). This determines certificate types needed.
2. Certificate Types: Choose appropriate certificates:
   • Root Certificates: The foundation of trust. Highly secured and offline.
   • Intermediate Certificates: Used to sign other certificates, extending the root’s trust.
   • End-Entity Certificates: Issued to users, devices, or services.
3. Hierarchy Design: A multi-tiered PKI (Root -> Intermediate -> End-Entity) is recommended for security and scalability.
4. Key Lengths & Algorithms: Use strong cryptography. RSA 2048 bits or higher, or ECC with equivalent strength are standard. SHA256 or stronger hashing algorithms should be used.
5. Certificate Policies (CP) / Certification Practice Statements (CPS): Document how certificates will be issued, managed and revoked. This is crucial for auditability and trust.

2. Setting Up Your Certificate Authority (CA)

1. Choose CA Software: Options include OpenSSL, Microsoft Active Directory Certificate Services (AD CS), EJBCA, or commercial solutions.
2. Hardware Security Module (HSM): Strongly recommended for Root CA to protect the private key. HSMs provide tamper-resistant storage and cryptographic operations.
3. Offline Root CA: The Root CA should be kept offline except for infrequent certificate signing. This minimizes risk of compromise.
4. Intermediate CA Setup: Configure Intermediate CAs on secure servers. These will handle the bulk of certificate issuance.

   openssl genrsa -out intermediate.key 2048

   openssl req -new -x509 -days 3650 -key intermediate.key -out intermediate.crt

5. CA Configuration: Configure the CA software with your defined policies, key lengths, and algorithms.

3. Key Lifecycle Management

1. Key Generation: Use cryptographically secure random number generators (CSRNGs) for key generation.
2. Key Storage: Protect private keys with strong access controls and encryption. HSMs are ideal.
3. Key Rotation: Regularly rotate keys to limit the impact of potential compromise. A typical rotation period is 1-5 years.
4. Backup & Recovery: Implement secure backup procedures for CA keys and databases. Test recovery processes regularly.

4. Certificate Issuance

1. Certificate Signing Requests (CSRs): Users or devices generate CSRs containing their public key and identifying information.
2. Validation: Verify the identity of the requester before issuing a certificate. This can involve manual checks, automated database lookups, or integration with existing identity management systems.
3. Certificate Signing: The Intermediate CA signs the CSR to create an end-entity certificate.

   openssl ca -config openssl.cnf -extensions v3_req -days 365 -in request.csr -out certificate.crt

4. Certificate Distribution: Distribute certificates securely to users and devices (e.g., via secure web server, email with encryption).

5. Certificate Revocation

1. Revocation Lists (CRLs): Regularly publish CRLs containing revoked certificate serial numbers.
2. Online Certificate Status Protocol (OCSP): Implement OCSP responders to provide real-time certificate status checks.
3. Automated Revocation: Integrate with your systems to automatically revoke certificates when users leave the company or devices are compromised.
4. Testing Revocation: Regularly test the revocation process to ensure it is working correctly.

6. Monitoring and Auditing

1. CA Logs: Monitor CA logs for suspicious activity.
2. Certificate Usage: Track certificate usage patterns.
3. Regular Audits: Conduct regular security audits of your PKI to identify vulnerabilities and ensure compliance with your policies.
   • Review CP/CPS documents annually.
   • Penetration testing.