Encryption Consulting’s PKI-as-a-Service

It’s a low risk managed solution that gives you full control of your PKI without having to worry about the complexity.

Through this you can efficiently and securely manage access using trusted credentials. Get your own dedicated PKI solution delivered as PKI-as-a-Service, hosted in the cloud (AWS, Azure PKI, Google Cloud Certificate Authority manager).

PKI Infrastructure for Traditional PKI (On-Prem) and PKI on the Cloud

Key Points

Encryption Consulting provides PKI services for existing PKI infrastructure and helps to design and deploy new PKI infrastructure, both for traditional PKI (on-prem) and for PKI on the cloud, such as:

  • AWS Certificate Manager/AWS Certificate Manager Private CA (ACM PCA)
  • Azure PKI
  • Google Cloud Certificate Authority manager

It is a low-risk solution that gives you full control of your PKI without worrying about the complexity of the solution.

Encryption Consulting’s PKI-as-a-Service is suitable for

Customers who may already have an existing PKI.

Customers planning for a new PKI Infrastructure (Designing and deploying).

An Enterprise PKI in the cloud

Many organizations are moving core components of their infrastructure to the cloud to enable cost savings and provide scalability.

When running a PKI, the challenge is to secure the root as an offline resource and to separately manage the Root CA and issuing sub-CAs which need to be accessible online for certificate requests and issuance.

Encryption Consulting has the expertise and secure environment necessary to hold the Root Private Key offline and to manage the signing of keys used for online RAs and issuing sub-CAs.

PKI Issuing CAs

Encryption Consulting manages PKI on-premises, as well as in the cloud. Customers will have a PKI CA hierarchy (two-tier or three-tier) as per their business needs. Each CA within this hierarchy will only issue certificates to the CAs at the level below it and end-entity certificates for internal usage. The two-tier PKI CA hierarchy consists of a single PKI Root CA and two or more PKI Issuing CAs as per the customer's business requirement.

Deployed to industry best practice, with supporting policy and procedures tailored to your own organization’s compliance requirements, the Encryption Consulting Managed PKI Service will provide you with a robust infrastructure to provide a solid foundation for your corporate PKI requirements.

Encryption Consulting’s Managed PKI

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure and of leading and managing the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in your secure datacenter or in our Encryption Consulting datacenter in Dallas, Texas.

Encryption Consulting’s services related to PKI-as-a-Service


  • Advanced security expertise will be assigned for the service
  • Consistent and flexible to meet your organization’s demands
  • In-house organization still maintains complete oversight
  • Not dependent on company turnover

Reduces Cost & Complexity

  • Quicker Deployment
  • Fewer in-house issues
  • Reduces spending for in-house technologies
  • Periodic PKI Assessments & Trainings

Scalability and Flexibility

  • Provide observations and recommendations regarding current and future initiatives to help achieve desired future state capabilities.

Hosted Root CA

The trust anchor of a PKI is a high-assurance Root CA. If you choose to use our Root Service, your Root will be hosted securely in our SOC2-certified datacenter in Dallas, Texas. If required, we can support customer participation in the Root CA build and will undertake a Key Signing Ceremony (KSC) with you for this purpose. This is the event where the protected key material for the CA is created and implemented according to the organization’s policy.

As this is your PKI, you are the only one who has access to the Root CA private keys; these are protected by a quorum of HSM control keys of which you hold the majority share. This means that no one can initialize the Root to create additional Sub-CAs or revoke Sub-CAs without your permission. After the KSC, Encryption Consulting will facilitate Root CRL signings as often as required. Signings will be undertaken under the accreditation and compliance requirements for the specific Root CA, according to its policy.

Cloud-based PKI options

Encryption Consulting helps build and manage PKI infrastructure as per the customer's business requirements. Here we show a few of the cloud-based PKI architectures that we have already leveraged and implemented for our clients.

  • In this approach the Root CA is on-prem and kept offline.
  • Two issuing CAs are deployed – CA1 (on-prem) and CA2 (on the cloud).
  • CA2 will focus on issuance and availability outside of the premises.
  • The on-prem issuing CA (CA1) will have its security focus on non-cloud resources, for example workstation authentication, domain certificates, etc.
  • This model can also be used as a high availability (HA) concept: if one issuing CA is unavailable, then the other one can take over (optional).
Two Tier PKI model
  • Root CA – on-prem, kept offline, and using an HSM for its signing key.
  • Policy CA – on-prem, kept offline, and using an HSM for its signing key.
  • Incorporating the approach explained in option 3.
  • One issuing CA is in the cloud (CA2) and another issuing CA is on-prem (CA1), and both issuing CAs use HSMs.
  • With this model the CA can be placed in the cloud while its keys are still secured in a FIPS Level 3 certified HSM in the cloud.
3-tier Hybrid PKI cloud based model

Encryption Consulting can also offer further services related to the Root CA such as:

  • Sub CA signings
  • Root CA and sub CA certificate lifecycle management advice (e.g. hashing algorithms / cryptographic algorithms)
  • Policy / certificate profile advice
  • Root maintenance
    • Root migration / rollover

Benefits of a PKI-as-a-Service

  • Bespoke design fits your business requirements
  • Provides best practice PKI management processes for your business
  • No need for staff skilled in PKI/HSM/Key management
  • Securely integrated into AD in a Microsoft supported model
  • Provides cost savings over in-house PKI deployments
  • Quick and simplified deployment using tested templates and dedicated policy
  • Efficient control of lifecycle of certificates to manage risks
  • Apply digital signatures to your contracts, documents, web forms, emails
  • Remote monitoring and troubleshooting of PKI resources running in the cloud (Azure, AWS, Google cloud platform)

Key Features and Technical Specifications

  • Customer specific Certificate Policy and Certification Practice Statement
  • Bespoke design and controls, specific to customer requirements
  • Certificates for devices, computers, domain controller, Wi-Fi, SSL, TLS, users
  • Full support for Microsoft device auto-enrolment and Microsoft Express Route
  • Cryptographic keys stored/managed outside of Azure in ultra-secure facility
  • Only you can access the HSM stored Private Keys
  • Secure integration between on-premises and cloud (Azure, AWS, Google cloud platform) servers, using protected VPN or other feasible and secure options.
  • Cloud provides high SLAs in line with your own corporate requirements

See how our services helped a Healthcare and Life Science Company better implement encryption into their infrastructure.


At what stage of PKI can I get PKI-as-a-Service?

The product is suitable for customers who already have an existing PKI infrastructure or are planning for a new PKI infrastructure.

What additional services are provided with PKI-as-a-Service?

Additional services provided with PKI-as-a-Service are Root CA and Sub CA certificate lifecycle management advice, Policy or certificate profile advice, Root maintenance, and Root migration/rollover.

How does PKI-as-a-Service reduce cost and complexity?

PKI-as-a-Service offers quicker deployment, fewer in-house issues, reduced spending for in-house technologies, and periodic PKI assessments & training to ease the cost and complexity of managing PKI infrastructure in your organization.

Will my PKI solutions stay compliant with industry standards and regulations?

Our PKI solutions would fulfill all the compliance requirements, including FIPS and GDPR.

How will the privacy of my data be ensured?

We use our years of expertise and leverage the secure environments necessary to hold the Root Private Key offline and manage the signing of keys used for online RAs and issuing sub-CAs. All customers are provided with a PKI CA hierarchy (two-tier or three-tier) as per their business needs.

What level of scalability does PKI-as-a-Service offer?

We offer easy scalability with high PKIaaS. We ensure trusted users’ availability and geographic redundancy on the network to access any data.

What level of support is offered for PKI-as-a-Service?

Advanced PKI expertise will be assigned to your organization, along with a 24*7*365 support service and the consistency and flexibility to meet your organization’s demands.

Can PKI-as-a-Service be integrated with our existing systems?

PKI-as-a-Service can be integrated with key enterprise applications like AD, auto-enroll, SIEM tool, and more.

Can the service be customized to meet my specific business requirements?

The PKI is formatted to your specifications to ensure it fulfills all your business requirements.

Can PKI-as-a-Service be used in a hybrid cloud environment?

PKI-as-a-Service can be used both on-prem as well as on the cloud.

Can customers leverage Encryption Consulting’s PKI environment for their PKIaaS offering?

Yes, Encryption Consulting offers its PKI environment to customers who need their own PKI infrastructure. It allows our customers to benefit from our PKI-as-a-Service (PKIaaS) and use it to meet their cryptographic needs.

Who is Encryption Consulting?

A trusted name in the cyber security industry that offers customer-focused solutions and services with expertise in encryption technologies and data protection solutions.

Suggested Resources


ADCS Two Tier PKI Hierarchy Deployment

Introduction and overview of the Test Lab


Encryption Consulting PKI & IoT Trends Survey

A study on global usage trends on Public Key Infrastructure (PKI) and Internet of Things (IoT) along with their application possibilities.


PKI Training

The PKI course is recommended for anyone using or managing certificates, designing or deploying a PKI enterprise solution, or evaluating & selecting a commercial PKI Technology Solution.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.
