2024-11-12
In this KEYMASTER episode, Sven and Jörgen dive into the architecture of modern Public Key Infrastructures (PKIs), focusing on the importance of separating key components like Certificate Authorities (CAs), Registration Authorities (RAs), and Validation Authorities (VAs). This segmentation is critical for maintaining "defense in depth," which helps reduce the blast radius if any part of the infrastructure gets compromised.
Sven and Jörgen emphasize the value of separating roles for better security and flexibility, especially when scaling PKI across hybrid clouds or multi-data centers. Whether you're running a PKI on-premises, in the cloud, or in a hybrid model, ensuring that these components can be modular gives you the adaptability to evolve as needs change. Containers, auto-scaling with Kubernetes, and ensuring PKI availability across regions are also key topics discussed. The episode concludes with practical advice: keeping PKI functions separated and flexible will help future-proof deployments, ensuring better policy enforcement and smoother scaling.
Stay tuned for the next episode!
For organizations deploying PKI in hybrid environments, a common approach using EJBCA is to keep the most sensitive Certificate Authorities (CAs) on-premises, while leveraging the scalability and distributed services of the public cloud for the Validation and Registration Authorities (VAs and RAs). This setup provides enhanced security by isolating critical components while taking advantage of the cloud’s flexibility. See the image below for a visual representation.
The VA validates certificates via CRL or OCSP requests; OCSP is typically where we see the most requests from clients in the PKI setup. The VA function of the PKI is crucial: if certificates cannot be validated, most authentications in the organisation that use PKI will stop working. This is why we emphasise the need for scalability and load-balancing of VA nodes.
A more advanced and versatile solution involves implementing load balancing across multiple active sites using EJBCA. This approach not only improves redundancy by distributing the load across various locations but also enhances performance and availability. By ensuring that all sites remain operational, this method offers multiple layers of failover and increased reliability.
Read more on docs.keyfactor.com.