PKI Operations
31 May 2019

PKI Operations refers to an organization's capability to deploy, sustain and expand PKI services. In other words, it is the organization's ability to use PKI services in its environment and keep them up and running. It comprises all the processes from designing the PKI system to testing it.

The following risks arise if PKI Operations are not performed:

  • ADCS component failures that require new replacement components to be installed may not be resolved in a timely manner, increasing the service outage during the recovery process.
  • CA application failures may not be noticed and reported in a timely manner, increasing response and remediation times and prolonging outages.
  • Service level agreement failures related to issuing, renewing or revoking certificates in a timely manner.
  • Certificate revocation notification failures, leading to certificate validation failures or to the acceptance of revoked certificates in services that rely on those certificates.

Below are the PKI Operations tasks that are performed at the different stages. Executing them periodically makes the infrastructure robust, scalable, secure and lower-risk.

Stage: Architectural
Tasks:
  • Adding a new CA
  • Adding a new CA template
  • Uninstalling a CA
Description: All the changes that are to be made to an existing PKI system.

Stage: Maintenance
Tasks:
  • Renew CAs
  • CA backup & recovery
  • Publish CRLs on the Root CA & Issuing CA
Description: All the operations that need to be done to keep the service in check (such as updates) and therefore get uninterrupted services from the CA.

Stage: Testing
Tasks:
  • Check for PKI health
Description: Check the certificate status in the CDP containers, AIA container, etc.

Below are the tasks that are performed under the PKI operation processes at different stages:

Task: Backup & Recovery of CAs
Description: Takes the backup of:
  • Database
  • Private key backup for HSMs
  • CA policy file
  • Configuration registry hive
  • Certificates
  • Template details for the Issuing CA
Schedule (how often / frequency): As needed
  • Every PKI system needs an effective disaster recovery plan so that, if there is a system failure, it can be recovered in time with minimal effect on the organization.
  • If the CA application fails, it won't be able to issue any certificates, so a DR plan needs to be implemented that includes taking the CA backup and testing recovery on a different system.
  • The CA backup plays a principal role when a CA needs to be migrated (in case of service failure) onto a different server, as well as when building or adding another Issuing CA for high availability, so that if one CA gets compromised the whole system doesn't go down.
Estimated task execution duration: 4 hours (may vary with organization)

Task: CRL & AIA publication for the Root & Issuing CA
Description: As one of the best practices for PKI operations, the CRLs of the Root CA need to be published manually every 6 months so that the updated CRL gets pushed into the environment.
Schedule (how often / frequency): Half-yearly (manually)
Estimated task execution duration: 1 hour (may vary with organization)

Task: Renewal of the Root CA and Issuing CA
Description:
  • Root CA: renewal of the Root CA key pair.
  • SubCA: renewal of the Issuing CA key pair.
Schedule (how often / frequency): Suggested:
  • Root CA: once every 9 years and 10 months. For example, a Root CA certificate is generally valid for 20 years, so it should be renewed once every 9 years and 10 months. This is because the Root CA issues 10-year certificates to its Issuing CA, and when the Issuing CA certificate is renewed, the Root CA should be able to renew it for another 10 years.
  • SubCA: every 2 years and 3 months.
  ** It actually depends on the validity of the CA certificate, which may vary from system to system.
Estimated task execution duration: Root CA: 1 hour; SubCA: 1 hour (may vary with organization)

Task: Uninstall a CA
Description: Uninstalling a CA removes the ADCS roles and features from the CA server. Make sure to take a backup of the CA before uninstalling it, so that when we want to add a new CA to our PKI system we can easily restore from the backup.
Schedule (how often / frequency): As applicable
Estimated task execution duration: 1 hour (may vary with organization)

Task: Add a new CA
Description: Adding a new CA to your existing PKI system is required for high availability and load balancing on the CA, as well as to assign different roles intended for that particular CA.
Schedule (how often / frequency): As needed
Estimated task execution duration: 1 hour (may vary with organization)

Task: Add a new certificate template
Description: When particular roles have to be implemented on the CA for signing and issuing certificates, we assign and add a template for the certificate. For example, Workstation Authentication is a template which the CA uses to issue certificates to new users or machines connecting to the network so as to authenticate them.
Schedule (how often / frequency): As applicable
Estimated task execution duration: ½ hour (may vary with organization)

Task: PKI health check
Description: After the PKI services are configured, expanded, updated and maintained, it is a best practice to check PKI health to be assured that the PKI Operations on our system were performed well.
Schedule (how often / frequency): Recommended: after every PKI operation
Estimated task execution duration: ½ hour (may vary with organization)
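
One way to script the Backup & Recovery task from the table above on an ADCS server, as an added example that is not part of the original post. The backup path and the `-KeyInHsm` switch are assumptions; when the key is held in an HSM, only the database is exported here and the key itself is backed up with the HSM vendor's own procedure.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): collects the items listed for the
# "Backup & Recovery of CAs" task. Run on the CA server itself.
param(
    [string]$BackupRoot = 'D:\CABackup',  # assumption: protected, access-controlled storage
    [switch]$KeyInHsm                      # assumption: set when the CA key lives in an HSM
)
$ErrorActionPreference = 'Stop'
Import-Module ADCSAdministration

$dest  = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
$caDir = Join-Path $dest 'CA'             # keep the CA backup in its own fresh folder
New-Item -ItemType Directory -Path $caDir -Force | Out-Null

function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    # Run a native tool and stop on a non-zero exit code.
    $out = & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed: $LASTEXITCODE" }
    $out
}

# Database, plus the private key when it is a software key.
if ($KeyInHsm) {
    Backup-CARoleService -Path $caDir -DatabaseOnly
} else {
    $pw = Read-Host -AsSecureString -Prompt 'Password for the key backup (.p12)'
    Backup-CARoleService -Path $caDir -Password $pw
}

# Configuration registry hive.
$reg = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
Invoke-Native 'reg.exe' @('export', $reg, (Join-Path $dest 'CertSvc-Configuration.reg'), '/y') | Out-Null

# CA policy file (exists only if one was used at installation or renewal).
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $dest }

# CA certificate.
Invoke-Native 'certutil.exe' @('-ca.cert', (Join-Path $dest 'ca.cer')) | Out-Null

# Templates published on this CA (enterprise issuing CAs only; a standalone root has none).
try   { Invoke-Native 'certutil.exe' @('-catemplates') | Out-File (Join-Path $dest 'CATemplates.txt') }
catch { Write-Warning "No template list saved: $_" }

# Hash manifest so a later restore test can confirm the files are unchanged.
$hashes = Get-ChildItem $dest -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Output "CA backup written to $dest"
```

Restore the result on a separate test system, as the disaster recovery notes in the table call for, before relying on it.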

 

Recommendation (may vary from organization to organization):

Architectural PKI Operations – They can be performed as needed or as applicable to the existing PKI requirements.

Maintenance PKI Operations – It is best practice to perform the maintenance tasks in a timely manner to receive uninterrupted CA services.

Testing PKI Operations – These should be performed to make our PKI services better informed and more reliable.

We recommend that every organization maintain a PKI Operation Guide with detailed, step-by-step PKI operations to get uninterrupted PKI services. For more details on the PKI Operation Guide, please contact us.
