PKI as a Service


"4.1 billion: Number of data records compromised during just the first six months of 2019."

(2019 State of Security Operations – MicroFocus)

Encryption Consulting's PKI As A Service

An efficient and secure way to manage access using trusted credentials. Get your own dedicated Microsoft PKI delivered as PKI As A Service, hosted in Azure.

Key Points

  • Encryption Consulting’s PKI As A Service offers you a customizable, high-assurance Microsoft PKI designed and built to the highest standards
  • It’s a low risk solution that gives you full control of your PKI without having to worry about the complexity.

An Enterprise PKI in the cloud

Many organizations are moving core components of their infrastructure to the cloud to enable cost savings and provide scalability. When running a PKI, the challenge is to both secure the root as an offline resource and to separately manage the Root CA and issuing sub-CAs which need to be accessible online for certificate requests and issuances. Encryption Consulting has the expertise and secure environment necessary to hold the Root Private Key offline and to manage the signing of keys used for online RAs and issuing sub-CAs.

Customers will have a two-tier PKI CA hierarchy.  All CAs within this CA hierarchy will only issue CA and end-entity certificates for internal usage.  Customer PKI CA hierarchy consists of a single PKI Root CA and two or more PKI Issuing CAs as per their requirement.

Deployed to industry best practice, with supporting policy and procedures tailored to your own organization’s compliance requirements, the Encryption Consulting Managed PKI  Service will provide you with a robust infrastructure to provide a solid foundation for your corporate PKI requirements.

Encryption Consulting's PKI As A Service

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS140-2 Level 3 HSMs hosted either in in your secure datacenter or in our Encryption Consulting datacenter in Dallas, Texas.

Hosted Root CA

The trust anchor of a PKI is a high-assurance Root CA. If you choose to use our Root Service, your Root will be hosted securely in our SOC2-certified datacenter in Dallas, Texas. If required, we can support customers participation in the Root CA build,and will undertake a Key Signing Ceremony (KSC) with you for this purpose. This is the event where the protected key material for the CA is created and implemented according to your policy.

As this is your PKI, you are the only one who has access to the Root CA private keys; these are protected by a quorum of HSM control keys of which you hold the majority share. This means that no one can initialize the Root to create additional Sub-CAs or revoke Sub-CAs without your presence. After the KSC, Encryption Consulting will facilitate Root CRL signings as often as required. Signings will be undertaken under the accreditation and compliance requirements for the specific Root CA, according to its policy.

Additional Services

Encryption Consulting can also offer further services related to the Root CA such as:

  • Sub CA signings
  • Root CA and sub CA certificate lifecycle management advice (e.g. hashing algorithms / cryptographic algorithms)
  • Policy / certificate profile advice
  • Root maintenance
    • Root migration / rollover

Benefits of a PKI As A Service

  • Bespoke design fits your business requirements
  • Provides best practice PKI management processes for your business
  • No need for staff skilled in PKI/HSM/Key management
  • Securely integrated into AD in a Microsoft supported model
  • Securely integrated into AD in a Microsoft supported model
  • Provides cost savings over in-house PKI deployments
  • Quick and simplified deployment using tested templates and dedicated policy
  • Efficient control of lifecycle of certificates to manage risks
  • Apply digital signatures to your contracts, documents, web forms, emails
  • Remote monitoring and trouble-shooting of PKI resources running in Azure
  • Reduces risk by maintaining PKI security thought scheme assurance processes

Key Features and Technical Specifications

  • Customer specific Certificate Policy and Certification Practice Statement
  • Bespoke design and controls, specific to customer requirements
  • Certificates for devices, computers, domain controller, Wi-Fi, SSL, TLS, users
  • Full support for Microsoft device auto-enrolment and Microsoft Express Route
  • Cryptographic keys stored/managed outside of Azure in ultra-secure facility
  • Only you can access the HSM stored Private Keys
  • Secure integration between on-premise and Azure servers, using protected VPN
  • Azure provides high SLAs in line with your own corporate requirements

Case Study

Encryption Consulting assisted a Retail institution to implement a new PKI Infrastructure.

"Encryption Consulting is exceptional in helping to manage our PKI and also helped us follow the best industry PKI practice"

Senior PKI Engineer, Insurance Company


PKI as a Service

Validating and trusting an identity is one of the most important aspects of Cyber Security.


Global PKI and IoT Trends Study

According to the findings, the rapid growth in the use of IoT devices is having an impact on the use of PKI technologies

Download Report
Know more