Blackfort Technology
PKI Solutions for Enterprises

PKI Security & Certificate Infrastructure


Design, implement and operate a secure Public Key Infrastructure – on-premise, cloud or hybrid. Certificate lifecycle management built for regulated environments.

What Are PKI Solutions – And Why Most Organisations Underestimate Them

PKI (Public Key Infrastructure) solutions provide the cryptographic foundation for secure digital identity in enterprise environments. At their core, they manage the lifecycle of digital certificates – the credentials that authenticate systems, users and devices, encrypt communications and sign code and documents. Every TLS connection, every encrypted email, every network access control decision and every signed software package relies on a PKI solution working reliably.

Most organisations notice their PKI only when something breaks. A TLS certificate expires on a production API, triggering a cascade of failed service calls. A code-signing certificate lapses, blocking software deployment. An S/MIME certificate is revoked, stopping encrypted email flows. These are not edge cases – they are predictable outcomes of unmanaged PKI. Gartner research consistently finds that certificate-related outages affect the majority of large enterprises annually, with remediation costs far exceeding the cost of proper lifecycle management.

Enterprise PKI solutions address this problem systematically: they inventory all certificates across the infrastructure, monitor expiry timelines, automate renewal workflows and provide the root of trust from which all certificates derive their validity. Done correctly, PKI becomes invisible – a reliable security layer that enables authentication and encryption without operational friction.

PKI Solution Types: On-Premise, Cloud-Hosted or Hybrid

On-premise PKI gives organisations full control over their certificate authority infrastructure. Microsoft Active Directory Certificate Services (ADCS) is the dominant choice in Windows-centric environments, tightly integrated with Active Directory for device and user certificate issuance. EJBCA (Enterprise Java Beans Certificate Authority) is the leading open-source alternative, offering high-throughput issuance and broad protocol support. On-premise PKI is the right choice for organisations with strict data residency requirements, regulated environments (finance, healthcare, critical infrastructure) or high-volume issuance needs.

Cloud-hosted PKI shifts the CA infrastructure to a managed service. AWS Private CA, Azure Key Vault and commercial managed PKI providers offer API-driven certificate issuance without managing underlying infrastructure. These solutions suit cloud-native environments, DevOps automation pipelines and organisations seeking to reduce operational overhead. The trade-off: dependence on cloud provider availability and pricing, plus data sovereignty considerations that are particularly relevant under GDPR and NIS2.

Hybrid PKI combines both models: an on-premise Root CA (kept offline for maximum security) with cloud-integrated Issuing CAs or CLM tooling that automates issuance and renewal. This is the architecture Blackfort typically recommends for mid-sized enterprises – it preserves control over the trust anchor while enabling operational flexibility at the issuance layer.

Core Components of a Secure Enterprise PKI Solution

A production-grade PKI solution consists of several interconnected components. The Certificate Authority hierarchy – Root CA and one or more Issuing CAs – is the cryptographic foundation. The Root CA must be taken offline when not in active use: its compromise would invalidate every certificate issued by any subordinate CA. Hardware Security Modules (HSMs) protect private keys in tamper-resistant hardware, preventing key extraction even by privileged administrators – a requirement in regulated environments and a best practice everywhere.

Certificate Revocation Infrastructure ensures compromised or superseded certificates can be immediately invalidated. This requires a Certificate Revocation List (CRL) distribution point or an OCSP (Online Certificate Status Protocol) responder that relying parties can query in real time. Revocation infrastructure that is unreachable or outdated is a common PKI weakness and a frequent finding in security assessments. Registration Authority (RA) workflows manage the approval process: who may request a certificate, what validation is required before issuance and who approves – particularly important for high-assurance certificates such as code signing or administrative client credentials.

Certificate policies and profiles define what each Issuing CA may issue: key lengths, valid algorithms, maximum validity periods, intended use (Key Usage / Extended Key Usage extensions), Subject fields and SAN constraints. Well-defined profiles prevent misconfigured certificates from being issued and are the technical enforcement of your cryptographic policy – a requirement under ISO 27001 Annex A.8.24.

PKI Security: Common Vulnerabilities, ADCS Attack Paths and Security Assessment

Most PKI security failures are not sophisticated zero-days – they are accumulated misconfigurations and operational gaps that have never been reviewed. The most common findings in enterprise PKI security assessments: certificate templates in Active Directory Certificate Services (ADCS) with enrolment permissions that extend to all authenticated domain users; Root CA private keys stored in software rather than HSMs on networked machines; Certificate Revocation List (CRL) distribution points or OCSP responders that are unreachable or stale; deprecated cryptographic algorithms (RSA 1024, SHA-1, MD5) still active on in-use certificates; and wildcard certificates deployed so broadly that their compromise affects entire infrastructure segments simultaneously.

ADCS-specific vulnerabilities represent the most critical PKI security risk in Windows environments. The ESC1 through ESC13 attack paths – documented by SpecterOps researchers and now integrated into tools like Certipy and BloodHound Enterprise – demonstrate how misconfigured certificate templates allow low-privileged domain users to issue certificates for arbitrary accounts, including Domain Admins. ESC1, the most frequently encountered finding, exploits templates where the requester can specify a Subject Alternative Name (SAN) combined with overly broad enrolment permissions. The consequence: an attacker with any valid domain account can obtain a certificate for a privileged principal and authenticate persistently – bypassing password resets, MFA and account lockouts. In environments where Kerberos PKINIT or certificate-based authentication is active, a compromised PKI is equivalent to a compromised domain.

A Blackfort PKI security assessment covers the full attack surface. Template enumeration and review: every certificate template is analysed against enrolment ACLs, Key Usage, Extended Key Usage (EKU) settings and known ESC patterns. CA hierarchy audit: offline Root CA procedures, HSM deployment, CA certificate chain validity and CRL/OCSP reachability and freshness. Cryptographic policy review: algorithm selection, key lengths and maximum validity periods against current best practices and regulatory requirements (ISO 27001 A.8.24, NIS2 Art. 21). Certificate discovery: identification of shadow CAs, unknown issuers, expired certificates still in production use and weak-algorithm certificates. The output is a prioritised remediation plan distinguishing low-effort configuration changes from architectural improvements, with a concrete risk rating for each finding.
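As an added illustration of the template review step (example code, not Blackfort's assessment tooling): a Python check that evaluates exported ADCS template attributes against the five ESC1 preconditions described above. The template names and ACL entries are constructed; the attribute names and flag values are the real AD schema ones.

```python
"""Offline ESC1 template check (added example, not Blackfort's assessment tooling).
Records mirror the AD attributes of a certificate template as returned by ldapsearch or
Get-ADObject; all records here are constructed sample data, not from a real forest."""
from dataclasses import dataclass
# Flag values from the MS-CRTD template schema
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {  # EKU OIDs that let the issued certificate authenticate a principal
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups that in practice mean "any domain account can enrol"
LOW_PRIV_ENROLLERS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int         # msPKI-Certificate-Name-Flag
    enrollment_flag: int   # msPKI-Enrollment-Flag
    ra_signatures: int     # msPKI-RA-Signature: authorised signatures required
    ekus: frozenset        # pKIExtendedKeyUsage; empty = no EKU restriction
    enrollers: frozenset   # principals holding Enroll/AutoEnroll in the template ACL

def esc1_conditions(t: Template) -> list:
    """Return which of the five ESC1 preconditions the template satisfies."""
    hits = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("requester supplies Subject/SAN")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        hits.append("no manager approval")
    if t.ra_signatures == 0:
        hits.append("no authorised signature required")
    if not t.ekus or t.ekus & AUTH_EKUS:
        hits.append("EKU permits authentication")
    if t.enrollers & LOW_PRIV_ENROLLERS:
        hits.append("low-privileged principals may enrol")
    return hits

def is_esc1(t: Template) -> bool:
    """ESC1 needs all five conditions together; fixing any one of them closes the path."""
    return len(esc1_conditions(t)) == 5

def audit(templates) -> dict:
    """Template name -> satisfied conditions, listed only for fully ESC1 templates."""
    return {t.name: esc1_conditions(t) for t in templates if is_esc1(t)}

# Constructed samples: a misconfigured custom template and one shaped like the default User
SAMPLE_TEMPLATES = [
    Template("WebServerCustom", 0x1, 0x0, 0,
             frozenset({"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
    Template("User", 0x0, 0x0, 0,  # subject built from AD, never supplied by the requester
             frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}), frozenset({"Domain Users"})),
]
```

Remediating any single condition (for example enabling manager approval or removing the enrollee-supplies-subject flag) drops the template out of `audit()`, which is the order of fixes a remediation plan would rank by effort.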

Certificate Lifecycle Management: The Operational Layer

Certificate Lifecycle Management (CLM) is the operational discipline that makes PKI solutions sustainable over time. Without CLM, even a well-designed PKI devolves into manual spreadsheet tracking, reactive renewal and recurring outages. CLM platforms provide continuous discovery of all certificates across infrastructure and cloud environments, automated monitoring of expiry timelines, workflow-driven renewal processes and integration with ITSM platforms (ServiceNow, Jira) for approval and ticketing.

ACME (Automatic Certificate Management Environment) protocol integration is the current standard for automating public TLS certificate renewal. Let's Encrypt, ZeroSSL and commercial CAs with ACME support can renew certificates with zero human intervention – certificates are replaced automatically well before expiry, installed on the target system and verified. Blackfort integrates ACME into existing web server infrastructure (nginx, Apache, IIS, load balancers), Kubernetes environments and CI/CD pipelines.

The certificate discovery phase – inventorying all existing certificates before CLM is implemented – consistently surfaces unexpected findings: certificates issued by unauthorised shadow CAs, certificates with deprecated MD5 or SHA-1 signatures, forgotten test certificates deployed on production systems, wildcard certificates used far more broadly than intended. Addressing these findings alongside CLM implementation significantly reduces cryptographic risk before the lifecycle management programme even goes live.
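An added example, not Blackfort's CLM tooling: a small Python triage over a constructed certificate inventory that tags the discovery findings listed above (shadow issuers, MD5/SHA-1 signatures, weak keys, expired certificates still serving, over-broad wildcards). The approved issuer names, host lists, record field names and the wildcard host limit are assumptions of this example.

```python
"""Certificate-discovery triage (added example, not Blackfort's CLM tooling).
Applies the discovery findings listed above to inventory records: shadow CAs, MD5/SHA-1
signatures, weak keys, expired certificates still serving, and over-broad wildcards.
Records are constructed sample data; the field names are this example's own."""
from datetime import date

APPROVED_ISSUERS = {"CN=Corp Issuing CA 01", "CN=R3, O=Let's Encrypt, C=US"}  # constructed
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
MIN_RSA_BITS = 2048
WILDCARD_HOST_LIMIT = 5   # policy value: a wildcard on more hosts than this is over-broad
AS_OF = date(2025, 6, 1)  # constructed "today" so the example runs deterministically

def classify(cert: dict, today: date = AS_OF) -> set:
    """Return the set of risk tags for one discovered certificate."""
    tags = set()
    if cert["issuer"] not in APPROVED_ISSUERS:
        tags.add("shadow-ca")               # issued by a CA nobody approved
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        tags.add("weak-signature")
    if cert["key_alg"] == "RSA" and cert["key_bits"] < MIN_RSA_BITS:
        tags.add("weak-key")
    if date.fromisoformat(cert["not_after"]) < today:
        tags.add("expired")
        if cert["hosts"]:                   # still found on a live endpoint
            tags.add("expired-in-production")
    if any(n.startswith("*.") for n in cert["sans"]) and len(cert["hosts"]) > WILDCARD_HOST_LIMIT:
        tags.add("wildcard-overbroad")
    return tags

def triage(certs: list, today: date = AS_OF) -> list:
    """(subject, tags) per certificate, worst first, so remediation can be prioritised."""
    rows = [(c["subject"], classify(c, today)) for c in certs]
    return sorted(rows, key=lambda r: -len(r[1]))

SAMPLE_INVENTORY = [  # constructed records, as a discovery scan might emit them
    {"subject": "CN=*.corp.example", "issuer": "CN=Corp Issuing CA 01",
     "sig_alg": "sha256WithRSAEncryption", "key_alg": "RSA", "key_bits": 2048,
     "not_after": "2026-01-15", "sans": ["*.corp.example"],
     "hosts": [f"web{i:02d}" for i in range(1, 10)]},          # one wildcard on nine hosts
    {"subject": "CN=legacy-app.corp.example", "issuer": "CN=DevTeam Test CA",
     "sig_alg": "sha1WithRSAEncryption", "key_alg": "RSA", "key_bits": 1024,
     "not_after": "2023-05-01", "sans": ["legacy-app.corp.example"], "hosts": ["app01"]},
    {"subject": "CN=api.corp.example", "issuer": "CN=Corp Issuing CA 01",
     "sig_alg": "ecdsa-with-SHA256", "key_alg": "EC", "key_bits": 256,
     "not_after": "2026-03-01", "sans": ["api.corp.example"], "hosts": ["lb01"]},
]

if __name__ == "__main__":
    for subject, tags in triage(SAMPLE_INVENTORY):
        print(f"{subject}: {', '.join(sorted(tags)) or 'clean'}")
```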

PKI Solutions in Regulated Environments: ISO 27001, NIS2 and DORA

Regulatory frameworks in Europe increasingly mandate explicit PKI governance. ISO 27001:2022 Annex A.8.24 (Use of Cryptography) requires a documented cryptographic policy covering key management, certificate lifecycles and algorithm selection. An undocumented PKI with manual renewal processes will not satisfy an ISO 27001 audit. NIS2 Article 21 requires appropriate cryptographic controls as part of minimum security measures for essential and important entities. DORA (Digital Operational Resilience Act) for financial entities requires crypto agility – the ability to replace algorithms and certificates quickly in response to new threats or vulnerabilities.

Crypto agility is an increasingly critical design goal for enterprise PKI solutions. As quantum computing capabilities advance, current RSA and ECC algorithms will eventually be vulnerable to harvest-now-decrypt-later attacks on long-lived data. Organisations building PKI solutions today should design for algorithm migration: complete inventory of all certificates and algorithms, CLM tooling that supports automated re-issuance with new algorithm parameters and tested processes for emergency bulk re-issuance.

Blackfort designs PKI solutions with regulatory requirements built in from day one, not retrofitted. This means producing the Certificate Policy (CP) and Certification Practice Statement (CPS) that auditors require, establishing the governance framework for CA operations and designing the technical architecture to support both current regulatory demands and anticipated future compliance requirements including post-quantum readiness.

Blackfort Public Key Infrastructure Services: Assessment, Implementation and Ongoing Support

PKI Assessment Service: The starting point for most public key infrastructure services engagements is a structured assessment of the current environment. A Blackfort PKI assessment delivers a complete inventory of all certificate authorities, templates and issued certificates; identification of security gaps against known attack patterns (ESC1–ESC13 for ADCS, key storage weaknesses, CRL/OCSP reachability gaps); a cryptographic policy review covering algorithm selection, key lengths and validity periods; and a prioritised remediation roadmap distinguishing quick wins from architectural improvements. The assessment runs two to four weeks and provides a precise risk picture before any infrastructure decisions are made.

PKI Design and Implementation Service: For organisations building a new PKI or migrating from a legacy system, our design and implementation service delivers end-to-end public key infrastructure. This covers CA hierarchy design (two-tier offline Root CA architecture), technology selection and deployment (Microsoft ADCS or EJBCA), HSM integration for key protection, certificate policy and template definition, CLM tooling configuration and ACME automation for TLS renewal. We produce the Certificate Policy (CP) and Certification Practice Statement (CPS) that audit-ready organisations need, alongside full operational runbooks. PKI migrations – from expired or misconfigured ADCS environments, from hardware appliance CAs or from unmanaged shadow PKI landscapes – are handled without service disruption through parallel operation and coordinated trust store transitions.

Ongoing PKI Services: After go-live, public key infrastructure requires continuous professional maintenance – CA certificate renewals, policy updates, algorithm migrations, incident response for certificate compromise and regular security reviews. Blackfort provides ongoing PKI services as a flexible retainer: scheduled CA operations support, CLM health monitoring, annual PKI security assessments and on-demand consultation for certificate-related incidents. For organisations without dedicated PKI expertise, this service model provides continuous access to specialists without the overhead of building an in-house team – with defined SLAs and escalation paths for time-critical situations.

PKI Use Cases

TLS/HTTPS – Internal & external web services, APIs, load balancers
IEEE 802.1X – Network access control for devices and users
S/MIME – Email signing and encryption
Code Signing – Software, scripts and firmware signing
Client Auth – Passwordless user and device authentication
VPN & mTLS – Mutual TLS for service-to-service auth

What We Deliver

  • PKI architecture design (2-tier, offline Root CA)
  • Microsoft ADCS & EJBCA implementation
  • HSM integration (Thales, Yubico)
  • Certificate policies & profiles
  • CLM tooling & ACME automation
  • PKI migration from legacy systems
  • Compliance documentation (ISO 27001, NIS2)

Start Your PKI Project

We assess your current certificate landscape and propose a target architecture in a single scoping session.


Frequently Asked Questions

What is the difference between a PKI solution and a certificate manager?

A PKI solution includes the complete certificate authority infrastructure – Root CA, Issuing CA, HSM, revocation services and policies – from which certificates derive their trust. A certificate manager (CLM tool) is the operational layer that inventories, monitors and automates renewal of certificates regardless of which CA issued them. In practice you need both: a well-designed PKI for internal certificate issuance and a CLM tool for lifecycle visibility across all certificates including those from commercial CAs.

How do I choose between on-premise PKI and cloud PKI?

The primary drivers are data residency requirements, operational capacity and integration needs. If your organisation has strict data sovereignty requirements (GDPR, financial regulation, critical infrastructure), on-premise PKI with offline Root CA is the right choice. If you operate primarily in cloud environments and want to eliminate infrastructure management, cloud-hosted PKI or hybrid architectures are viable. Blackfort evaluates these trade-offs as part of the architecture design engagement.

What is the minimum viable PKI architecture for a mid-sized enterprise?

A two-tier hierarchy: offline Root CA + online Issuing CA. The Root CA is kept offline in a physically secured location, activated only for issuing or renewing Issuing CA certificates. The Issuing CA handles day-to-day certificate issuance. For regulated environments, an HSM for key storage is strongly recommended. This architecture can be implemented with Microsoft ADCS (Windows environments) or EJBCA, and does not require expensive proprietary PKI products.

How do I migrate from an unsupported or poorly designed legacy PKI?

Legacy PKI migration requires careful planning to avoid service disruptions. The process typically involves: full certificate discovery and inventory, parallel operation of the new PKI while gradually re-issuing certificates to the new CA chain, coordinated trust store updates on clients and servers, and controlled decommissioning of the old CA once all dependencies are migrated. Blackfort has executed PKI migrations from expired or misconfigured ADCS environments and from legacy hardware appliance CAs.

What PKI solutions does Blackfort implement and support?

Blackfort implements Microsoft Active Directory Certificate Services (ADCS), EJBCA and hybrid architectures combining on-premise Root CAs with cloud-integrated issuance. We integrate HSMs from Thales and Yubico, implement CLM tools for certificate lifecycle automation and configure ACME protocol support for automated TLS renewal. All implementations are designed to meet ISO 27001, NIS2 and DORA requirements.

How does a PKI security assessment differ from a PKI implementation engagement?

A PKI security assessment focuses on what is wrong with an existing environment: misconfigured certificate templates, exploitable ADCS attack paths (ESC1–ESC13), weak cryptographic algorithms, unreachable revocation infrastructure, unknown or shadow CAs. It is an audit and discovery exercise that produces a prioritised risk picture. A PKI implementation engagement designs and builds a new PKI or remediates the assessed findings – new CA hierarchy, HSM integration, certificate policies and CLM tooling. Many organisations start with an assessment to understand their current exposure, then engage for implementation to address the findings. Blackfort provides both, and the assessment output directly informs the implementation scope.


Enterprise PKI Solutions – Built for Regulated Environments

Blackfort designs and implements PKI solutions that meet ISO 27001, NIS2 and DORA requirements. On-premise, cloud or hybrid – we deliver infrastructure that works.