
PKI Implementation for a Fortune 100 Organization


Company Overview

We recently wrapped up one of the most comprehensive and technically intensive Public Key Infrastructure (PKI) implementations for a global Fortune 100 hardware IoT enterprise. This organization, with over 25 years of industry leadership, stands as a pioneer in hardware innovation, manufacturing, and secure device management. Their product portfolio spans a wide range of cutting-edge technologies, including ocSSD (on-chip Solid-State Drives), high-performance RAM modules, CoRIM (Concise Reference Integrity Manifest) solutions, and SBOM (Software Bill of Materials) integration for advanced product traceability and compliance.

Over the years, they have become a true trusted name in the hardware space, known for their reliability, innovation, and quality. And as you can imagine, with such a strong reputation comes the need for a powerful, secure, and future-ready PKI setup.

The company reached out to us looking for a custom-built, on-premises PKI implementation that wasn’t just off the shelf but carefully designed to meet their unique technical requirements and support their short-term and long-term goals.

Requirements

  1. Never-Expiring Certificates:
    The organization required device certificates with no expiration, as they would be permanently embedded into hardware components. The certificates were designed with a validity period extending to 12/31/9999 to match the devices’ long operational lifespans. To ensure compliance, we aligned the implementation with OCP, DICE X.509, and IEEE 802.1AR standards for manufactured devices with indefinite lifespans.
  2. Post-Quantum Readiness:
    With the NIST Post-Quantum Cryptography (PQC) transition expected around 2030, the organization required their PKI infrastructure to be future-proof. From the very beginning, they wanted a system that could support post-quantum algorithms, ensuring long-term cryptographic resilience. Since PQC is still an emerging area, they also wanted to stay vendor-neutral, keeping the flexibility to adopt new standards and algorithms as they evolve.
  3. Disaster Recovery and Resilience:
    Considering the critical nature of device certificates, the PKI was designed with built-in disaster recovery capabilities from day one. The architecture included both hot and cold standby environments to ensure continuity, resilience, and minimal downtime in case of system failures.
  4. Certificate Issuance Policies:
    The organization had very specific and unique requirements around how certificates could be issued and managed. These included:
    • Limiting the number of certificates that any single operator could sign.
    • Enforcing path length constraints so that Certificate Authorities (CAs) couldn’t sign other CAs, preventing any chance of cross-certification.
    • Using custom SAN (Subject Alternative Name) formats and controlling variable field data.
    • Defining certificate profiles that strictly specify what kinds of certificates could be issued for different device types or use cases.
    • Documenting the certificate policies, with legal review, in a Certificate Policy and Certificate Practice Statement document.
  5. Private Key Security with HSM Integration:
    Recognizing the importance of private key security, the organization mandated Hardware Security Module (HSM) integration at every level of the PKI. All root and subordinate CAs, as well as signing keys, had to be secured within HSMs, and the HSMs had to be FIPS 140-3 compliant. The organization required an HSM architecture that supported shared, high-availability configurations without deploying a separate HSM for each CA or key.
  6. Scalability Requirements:
    Scalability was a big deal for the organization. Since certificates would be embedded during the device manufacturing process, the PKI system had to handle high throughput, supporting at least 70+ devices per minute at peak production times. Over the course of a year, the system would need to handle around 50,000 devices while maintaining performance and reliability.
  7. Aggressive Timeline:
    One of the biggest challenges was time. The organization wanted the initial PKI setup and production readiness to be completed by the end of Q3, even though the project was starting only in early Q2. With limited time for development, testing, and validation, the schedule was extremely tight, making careful planning and prioritization absolutely essential.
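
Requirement 1 sets notAfter to 12/31/9999; RFC 5280 (section 4.1.2.5) defines the GeneralizedTime value 99991231235959Z for certificates with no well-defined expiration date. The Python sketch below is an added example, not code from the project described here: it DER-encodes a Validity field with that value and checks it, and the profile rule and function names are assumptions.

```python
from datetime import datetime, timezone

# RFC 5280 section 4.1.2.5: value for "no well-defined expiration date".
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30

def encode_time(dt: datetime) -> bytes:
    """DER Time: UTCTime through 2049, GeneralizedTime from 2050 onward."""
    if dt.tzinfo is None:
        raise ValueError("use timezone-aware UTC datetimes")
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        tag, text = UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZED_TIME, f"{dt.year:04d}" + dt.strftime("%m%d%H%M%SZ")
    return bytes([tag, len(text)]) + text.encode("ascii")

def encode_validity(not_before: datetime, not_after: datetime = NO_EXPIRY) -> bytes:
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time } (short-form lengths)."""
    body = encode_time(not_before) + encode_time(not_after)
    return bytes([SEQUENCE, len(body)]) + body

def decode_time(buf: bytes):
    """Parse one Time value and return (datetime, tag, remaining bytes)."""
    tag, length = buf[0], buf[1]
    text, rest = buf[2:2 + length].decode("ascii"), buf[2 + length:]
    if tag == UTC_TIME and length == 13:
        yy = int(text[:2])  # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}" + text[2:]
    elif not (tag == GENERALIZED_TIME and length == 15):
        raise ValueError("not a DER UTCTime or GeneralizedTime")
    dt = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return dt, tag, rest

def check_device_validity(validity: bytes) -> dict:
    """Assumed profile rule: notAfter is exactly the no-expiry GeneralizedTime."""
    if validity[0] != SEQUENCE or validity[1] != len(validity) - 2:
        raise ValueError("malformed Validity SEQUENCE")
    not_before, _, rest = decode_time(validity[2:])
    not_after, tag, trailing = decode_time(rest)
    no_expiry = not_after == NO_EXPIRY and tag == GENERALIZED_TIME and not trailing
    return {"not_before": not_before, "not_after": not_after, "no_expiry": no_expiry}

# Constructed sample: a device certificate issued 2025-01-01 with no expiry.
SAMPLE = encode_validity(datetime(2025, 1, 1, tzinfo=timezone.utc))
```

A relying party that stores notAfter in a 32-bit timestamp or a two-digit year cannot represent this value, so the same check is worth running against every parser in the device's verification path.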

Solution

Before diving in with the PKI implementation, we spent time getting to know their ecosystem, how their manufacturing processes worked, what their scalability goals looked like, and how security fit into every stage of their product lifecycle. From there, we started shaping a PKI that could grow with their business, support millions of device authentications, and protect every identity across their product range.

Our engagement began with a deep architectural assessment of their existing infrastructure, production workflows, and long-term scalability goals. Through collaborative workshops with the client’s key stakeholders, we developed a comprehensive PKI design that enhances device authentication for all certificates, supports large-scale certificate issuance during high-volume production cycles, and enables post-quantum readiness for future cryptographic resilience.

  1. To meet the need for certificates that last a lifetime, we designed a custom PKI architecture that supports non-expiring device certificates with validity through 12/31/9999. We ensured the design still adhered to all relevant industry standards, including OCP, DICE, and IEEE 802.1AR, by creating specialized certificate templates and validation workflows. This allowed the organization to embed certificates into their hardware devices confidently, knowing they would remain valid for the entire device lifecycle.
  2. To support both modern and legacy systems, we issued certificates using a hybrid cryptographic approach, combining ML-DSA-87, a quantum-safe digital signature algorithm, with the classic RSA algorithm. This dual setup ensures that devices using legacy infrastructure continue to function seamlessly, while newer hardware gains the benefits of post-quantum security. By implementing both algorithms side by side, the organization can maintain backward compatibility today and future-proof their ecosystem for the next generation of cryptographic standards.
  3. We implemented a redundant PKI setup with both hot and cold disaster recovery sites to ensure continuous availability. Automated backups, replication, and failover mechanisms were put in place, so even if one site goes down, the PKI service remains uninterrupted. This setup gives the organization confidence that their device authentication process will continue running smoothly under any circumstances.
  4. For governance requirements, we created granular issuance policies directly within the PKI. These included enforcing operator-level controls to limit the number of certificates each operator can issue, setting path length constraints to none to prevent cross-certification, and defining custom SAN formats and certificate profiles that control what can be issued and under what conditions. These measures brought a new level of precision and control to their certificate management process.
  5. We provided a vendor-neutral HSM solution that integrates seamlessly with the organization’s PKI environment, ensuring flexibility and long-term compatibility. Each HSM deployed is FIPS 140-3 certified and configured for high availability, so there are no single points of failure anywhere in the system. To strengthen key security, we implemented a quorum-based access control model, meaning that no single individual can access or operate the private keys independently. The configuration follows a key custodian policy, requiring at least three authorized custodians to be present for any sensitive cryptographic operation. This ensures separation of duties and compliance with industry best practices.
  6. To support the organization’s demanding manufacturing throughput, we optimized the PKI for high-speed certificate issuance. The system can now issue and embed certificates for 70+ devices per minute while maintaining low latency and complete reliability. Built-in scalability ensures it can easily handle tens of thousands of devices per year, with room to expand as production grows.
  7. Even with an aggressive timeline, we managed to deliver the entire PKI setup, testing, and production deployment by the end of Q3. Our approach involved parallel workstreams, close collaboration with the client’s key stakeholders, and constant testing at every stage to stay on track. The project went live on time, fully validated, documented, and ready for production use.

The result was a secure, scalable, and future-ready PKI architecture purpose-built to integrate seamlessly with the client’s hardware manufacturing processes, enabling trusted device identity, secure provisioning, and cryptographic assurance at every stage of production and operation.

Impact

The new PKI implementation brought a transformative impact across the organization’s hardware manufacturing and security ecosystem. What started as a technical upgrade evolved into a strategic enabler that now powers secure device identity, authentication, and trust across millions of devices worldwide.

The scalability allows the company to expand manufacturing capacity without re-architecting their security infrastructure, saving both time and resources.

By implementing a fully in-house PKI, the organization has gained complete control and ownership over its certificate lifecycle, from creation and issuance to management and revocation. This move effectively eliminated reliance on external Certificate Authorities (CAs) and third-party services, reducing both operational risk and long-term costs.

With everything managed internally, the company can now issue certificates instantly, enforce custom security policies, and make configuration changes without waiting for responses from external vendors. This also enhances compliance with regulatory requirements and industry best practices, such as FIPS 140-3, as all cryptographic operations and private keys remain securely within the organization’s infrastructure.

With the new PKI framework, every device now carries a unique, verifiable digital identity, ensuring authenticity from production to deployment. This eliminates the risks of unauthorized devices entering the network and strengthens overall supply chain security. The organization can now trace, validate, and authenticate each device.

Conclusion

We successfully led the PKI implementation for this renowned hardware IoT enterprise, delivering a strong, future-ready infrastructure customized to their unique requirements. This milestone addressed critical challenges including never-expiring certificates, post-quantum readiness, HSM-based key security, strict issuance policies, and high-volume scalability. The result is a secure, resilient PKI that protects millions of devices, ensures compliance, and supports the organization’s long-term innovation and operational continuity, highlighting our expertise in delivering best-in-class, enterprise-grade security solutions.