PKI Deployment – 5 Common Mistakes and How to Avoid Them

Public Key Infrastructure (PKI) is the backbone of most organizations’ encryption implementations. PKI provides a well-defined, secure system for authenticating and encrypting critical information. PKI uses digital certificates to protect sensitive data, secure end-to-end communications, and provide a unique digital identity for the users, devices, and applications across your business.

With continuous technological advancements, PKI has gained capabilities to cover a broader range of use cases, including securing devices, cloud platforms, containers, and IoT ecosystems. A recent report by DigiCert indicates that 91% of global organizations now rely on PKI to secure emerging digital infrastructures. When used properly, PKI can handle a wide range of responsibilities for your organization, everything from authentication to encryption to ensuring file and email integrity.

However, too many organizations often fall prey to common PKI deployment mistakes, making their PKI infrastructure more difficult to manage and less secure than they realize. PKI is complex, but when deployed correctly, it can protect critical data, secure communications, and authenticate users, devices, and applications.

Unfortunately, even the most well-intentioned PKI deployments can fall short due to common mistakes. In fact, a 2023 report by Ponemon Institute highlighted that 67% of organizations experienced at least one certificate related outage in the last two years. A recent study indicate that 75% of organizations struggle with managing PKI, often due to deployment mistakes that expose their infrastructure to unnecessary risk. 

Let’s examine the top five most common PKI deployment mistakes and how to avoid them. 

Common PKI deployment mistakes and challenges

Keeping an organization’s ecosystem secure is essential for consumer trust, regulatory compliance, and corporate risk reduction. Using a PKI can present excellent value for money in terms of outlay versus protection and can be one of the most strategic weapons in a company’s arsenal against malicious actors seeking to steal information or compromise IoT devices. However, PKI deployment mistakes mean that many organizations end up spending more on a system that fails to adequately secure sensitive resources.

Let us break down the top five most common mistakes and challenges of PKI deployment:

1. Not allocating skilled internal resources  

The most prevalent mistake made when deploying PKI is underestimating the resources needed. Running an in-house PKI needs a load of effort, time, and money. The shortage of skilled cybersecurity professionals is a significant barrier. A study from Keyfactor revealed that only 38% of organizations have sufficient staff dedicated to their PKI deployment. About 45% of unplanned PKI failures result from staff lacking the necessary training to manage certificate lifecycles and incident reporting. Such a scarcity of expertise often leaves PKI in the hands of inexperienced personnel, additionally increasing the risk of outages and security breaches. 

It is required to have a dedicated team with skilled resources to run the show. The PKI team should have sufficient resources and skilled owners who can lead and respond effectively to an outage or security incident. 

2. Lack of planning and tracking

Structured and well considered planning is one of the best practices of PKI deployment. A proper planning will not only help an organization keep track of their certificates, but it will also decrease the security risks to the PKI.  Once the system has been in place for a while, and if it has not been built in a structured manner, your organization can easily lose track of what certificates have been issued. Many organizations do not pay attention or do not know about the number of certificates they have, their expiry dates, where to find them etc.

The consequences of such mismanagement range from failed audits to certificate and key misuse that can ultimately compromise an organization’s systems. A 2022 Venafi study found that 83% of companies had suffered certificate-related outages due to poor certificate visibility and planning, while 26% of those organizations had severe business impacts.  

One high-profile example of this is what happened when attackers pushed a malicious version of ASUS Live Update using ASUS security certificates to install backdoors on over a million PCs.

3. Security of the Root CA

It is particularly important that the security of the Root CA is well-considered. In PKI deployments all trust comes from the Certificate Authority (CA). The CA issues the Root Certificate which ensures the validity of the cryptographic keys used to verify the authentic identities.

The root CA is the foundation of trust for every certificate issued across the organization’s environment. If you cannot trust your root CA, you cannot trust your PKI. As per security guidelines specifying who can obtain the certificate and when the certificate will be revoked is crucial for establishing and maintaining trust in CAs and avoiding PKI deployment mistakes. A regular audit of relevant CA is required to ensure that the certificate practice statements (CPS) are implemented correctly, and to avoid any risk to their network. 

As Ted Shorter, the CTO of Certified Security Solutions puts it: 

“PKI enjoys a well-defined structure for policy and practices definition, in the form of Certificate Policy (CP) and Certification Practices Statements (CPS). These are excellent frameworks for defining the requirements governing a PKI, and how an implementation would meet those requirements. Creating these documents can be a daunting task. However, it’s important to note that simply copying someone else’s set of CP/CPS documents verbatim will not suffice; these tools only have value if they truly represent your organization’s PKI requirements and operational processes.” 

4. Bad Certificate Lifecycle Management

Another PKI deployment mistake is lack of forward planning for the management of the entire certificate lifecycle. Poor handling of expired certificates may cause outages and significate expenses. Automating renewal of certificates may help in this case. If the organization is making a manual effort, then monitoring the expiry of certificates is a must.

Figuring out what is best for your organization and its PKI is a calculation you’ll need to work through, by coming up with an entire plan, an issuance process that covers not just the initial roll out but the entire certificate lifecycle. It is also a good idea to figure out how you’re going to handle revocations, key archival, key recovery, and all other contingencies. 

5. Not storing certificates and keys Securely  

Hackers can use a variety of techniques to analyze and detect keys while they are in use or transit. Ensuring the keys are stored securely under FIPS 140-2 level 3 systems is a must. 

Bruce Schneier, a universally respected American cryptographer, and security researcher, writes about key security with so much severity that you cannot help but feel a little guilty at everything you are not doing: 

“One of the biggest risks in any CA-based system is with your own private signing key. How do you protect it? You almost certainly don’t own a secure computing system with physical access controls, TEMPEST shielding, “air wall” network security, and other protections; you store your private key on a conventional computer.

There, it’s subject to attack by viruses and other malicious programs. Even if your private key is safe on your computer, is your computer in a locked room, with video surveillance, so that you know no one but you ever use it? If it’s protected by a password, how hard is it to guess that password? If your key is stored on a smartcard, how attack-resistant is the card? [Most are very weak.] If it is stored in a truly attack-resistant device, can an infected driving computer get the trustworthy device to sign something you didn’t intend to sign?” 

If you are saving key-strings in a spreadsheet, on a thumb drive, on a normal hard drive, or even somewhere online that is remotely accessible, you are making a mistake. Honestly, you probably should be using an HSM. 

How to Avoid Your PKI Problems with Industry Best Practices

1. Proper Planning & Documentation 

We emphasize that a detailed, well thought out plan for PKI deployment hugely minimizes risks and maximizes the long-term success of the organization’s security posture. Research shows that 80% of IT leaders believe that inadequate planning is the primary cause of PKI implementation challenges. In our experience, PKI requires tailoring to the specific security needs, scale, and complexity of each organization. 

Gartner says, “Security leaders that successfully reposition X.509 certificate management to a compelling business story, such as digital business and trust enablement, will increase program success by 60%, up from less than 10% today.” 

We strongly recommend starting with the development of clear policies and guidelines for certificate issuance and lifecycle management, which can help prevent security gaps. There should always be proper documentation for certificate lifecycle workflows, covering issuance, renewal, revocation, and replacement of certificates. Organizations should clearly understand where each certificate is deployed, track expiry dates, and have processes in place to handle renewals and revocations.

2. Hire Skilled Resources 

PKI is a complex infrastructure that demands specialized skills and attention. According to the Ponemon Institute, 73% of organizations have experienced unplanned downtime or outages due to mismanagement of digital certificates. We always advise our clients to invest in building a team of experts, including cryptographers, system administrators, and security engineers.

If in-house expertise isn’t feasible, we often recommend outsourcing PKI to a trusted managed PKI service provider. Outsourcing offers scalable, secure, and reliable solutions that eliminate the risk of mismanagement. So, while organizations focus on core business functions, a PKI service provider like us at Encryption Consulting ensures their PKI is always up and running. 

3. Conduct Regular Audits 

Regular audits are essential to ensure ongoing compliance with security policies and industry regulations. Such an audit often uncovers hidden vulnerabilities, outdated certificate practices, or misconfigurations that may go unnoticed but could pose serious risks to security.  Here, we focus on key areas, including: 

• Certificate Practice Statements (CPS): Ensuring proper implementation and compliance with established practices. 
• Certificate Revocation Lists (CRL): Verifying timely revocation and removal of expired certificates. 
• Policy Adherence: Ensuring the organization follows its established certificate policies. 

The DigiNotar breach is a clear example of how failing to regularly audit CA can have catastrophic consequences. We use cases like this to remind our clients of the importance of continual monitoring and auditing of their PKI systems.

4. Implement Automated Certificate Management Solutions 

In our consulting work, we frequently encounter organizations struggling with manual certificate management. A study reveals 55% of organizations lack the automation needed for effective certificate lifecycle management. 

Automation is key to avoiding human error and maintaining security resilience. We encourage our clients the use of automated certificate management platforms like CertSecure Manager, which simplify issuance, monitoring, and renewal processes. With automation, you can mitigate the risk of certificates expiring unexpectedly, reducing business disruptions. 

5. Encrypt and Protect Sensitive Data with HSMs

For any PKI, securing cryptographic keys is non-negotiable. Improper key storage poses a serious security threat. We advise our clients to deploy Hardware Security Modules (HSMs) for the generation, storage, and management of sensitive keys. 

Our recommendations are to use FIPS 140-2 Level 3 compliant HSMs to protect root keys and other sensitive cryptographic assets. NIST has found that deploying HSMs can reduce key exposure risks by 90%, offering peace of mind that your cryptographic keys are safe from theft or tampering. 

We’ve helped several organizations, implement HSM solutions to safeguard their internal CAs. These organizations have experienced a significant reduction in compromised key incidents as a result. 

Conclusion

A successful PKI deployment is non-negotiable for securing your digital infrastructure. With the right expertise and strategy, your organization can achieve uncompromised trust, security, and resilience, standing firm against modern day cyber threats. Encryption Consulting’s PKI Services and PKI-as-a-service can help you manage your PKI and secure the digital network of your organization.

We can design, implement, manage, and migrate your PKI systems according to your specific needs. Managing PKI can seem daunting with the increase in the number of cyber threats. But you can rest assured because our experienced staff will help you build and monitor your PKI. We can assess your PKI based on our custom framework, providing you with best practices for PKI and HSM deployments.