Setting up a public key infrastructure (PKI)

If you are looking for knowledge and experience to set up your public key infrastructure

What is a Public Key Infrastructure?

To be a trust service provider and provide digital trust services, you will need access to a public key infrastructure (PKI). A PKI is a system used to manage and distribute digital certificates. It uses a public key and a private key to ensure the authenticity of digital documents and communications through cryptographic techniques. A PKI includes the hardware, software, policies, and procedures necessary to create, manage, distribute, use, store, and revoke digital certificates.

Step-by-step plan for setting up a PKI

Setting up a Public Key Infrastructure (PKI) involves several essential steps to ensure the infrastructure works safely, reliably and efficiently. Below, you will find the steps for setting up a PKI:

1. Needs Assessment and Planning

Analyze Requirements: Identify the organisation's security needs, such as authentication, encryption and digital signatures.
Determine Objectives: Establish clear objectives and scope for the PKI, including the intended users and digital trust services.
Budgeting: Calculate the hardware, software, implementation and maintenance costs.

2. Designing the PKI Architecture

CA Hierarchy: Determine the structure of the Certificate Authority (CA), such as root CA, subordinate CAs, and any registration authorities (RA).
Key Management: Define processes for generating, storing, and managing cryptographic keys, including using Hardware Security Modules (HSMs).
Policies: Develop Certificate Policies (CP) and Certificate Practice Statements (CPS) that describe the procedures and rules for issuing and managing certificates.

3. Selecting PKI Software and Hardware

Software: Choose suitable PKI software that meets the security and functional requirements.
Hardware: Select reliable hardware, such as HSMs for key management and secure servers for CAs.
Contracting: Make good agreements with your suppliers and consider the requirements and standards required for certification.

4. Installation and Configuration

CA and RA Configuration: Install and configure the root CA and any subordinate CAs and RAs according to the designed architecture.
HSM Configuration: Configure HSMs for secure storage and use of private keys.
Network and Security: Ensure a secure network environment with firewalls, intrusion detection systems and other security measures.

5. Generating Keys

Key Ceremony: Always follow a strict key ceremony with external witnesses and non-mutable recording for key generation.
Root CA Certificate: Generate and install the root CA certificate.
Subordinate CA Certificates: Generate and install certificates for subordinate CAs.
RA Certificates: Generate certificates for registration authorities if applicable.
Developing Policies and Procedures: Establish procedures for key generation, management backup, rotation, and destruction.

6. Issuing Certificates

Certificate Issuance: Define procedures for requesting, verifying, and issuing certificates.
Certificate Revocation: Develop procedures for revoking certificates and maintaining Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP).
Certificate management: Establish procedures for certificate generation, backup, rotation, and destruction.

7. Testing and Validation

Functional Testing: Perform extensive testing to ensure all PKI components function correctly.
Security Testing: Test the security of the PKI, including penetration testing and security audits.
Compliance Tests: Check whether the PKI complies with relevant standards and regulations, such as eIDAS for QTSPs.

8. Implementation and roll-out

Deploy to Users: Start rolling out certificates to end users and applications.
Training: Provide training for IT staff and end users on how to use and manage the PKI.
Documentation: Provide detailed documentation of all PKI processes and procedures.

9. Maintenance and management

Monitoring: Continuously monitor the PKI for performance and security incidents.
Regular Audits: Conduct periodic audits to ensure compliance with policies and procedures.
Update and Enhance: Update the PKI with new security patches, software updates, and enhancements based on audit results and changing needs.

10. Incident Response and Recovery

Incident Management: Develop and implement procedures for responding to security incidents.
Recovery Plans: Provide plans for recovering the PKI during disasters or disruptions, including backup and disaster recovery procedures.

By following these steps carefully, your organisation can set up a robust and reliable PKI that meets the security and compliance requirements that apply to eIDAS electronic trust services.

Need support in setting up your public key infrastructure?

In short, you must prepare well to set up and manage a PKI correctly. Our people have the experience and knowledge to help you with this. Please contact us to see how we can help your organisation further.

Aniek Hannink

"Controlling technology is only half of the factors needed to set up and run a reliable PKI. The other half is the organisation of people, suppliers, procedures, processes, and control measures around it."

Over the past 30 years, I have successfully implemented many architecture and IT projects within Public Key Infrastructure and Identity Management domains—the first years under the flag of IBM and soon afterwards as an independent entrepreneur and IT architect. In addition to my daily work, I teach at Utrecht University of Applied Sciences in ICT. Teaching allows me to pass on my knowledge and experience to the next generation of IT professionals. One of my educational priorities is PKI, where I teach students how safe and reliable systems work.

Together with the House of Trust team, I help (Q)TSPs set up and manage the best PKI. Our team consists of experts in cybersecurity and digital trust services. We work closely with our customers to create solutions that are not only secure and reliable but also scalable and future-proof. Our approach is customer-focused, and we always strive to achieve the highest standards in everything we do.

Send Aniek a message

We are happy to help you with the issues below

Selection of PKI systems

Different requirements apply to each trust service and unique trust service organisation. Naturally, this involves a specific Public Key Infrastructure. Which HSMs will you purchase? And what does the rest of your infrastructure look like? We know the market and the solutions and will help you select properly.

Design and architecture

Before you start setting up and building your infrastructure, you will need to have a good design of the architecture with system and network components. The design of your network, which separates the 'high secure zone' and 'secure zone,' is also important. Our architects are happy to help you.

Contracting

Good agreements with suppliers of PKI systems are essential for monitoring quality and controlling costs. Our vendor managers are happy to help you ensure proper contracting with PKI infrastructure components and services suppliers.

Construction & configuration

The construction and configuration of the PKI infrastructure will start based on the chosen design and the underlying architecture. For this, you need various specialists to ensure that your PKI infrastructure is built perfectly and meets the most stringent security requirements. We know this market from specialists and can organise a team for you. We prefer to develop this together with the future administrators of the PKI infrastructure so that knowledge is guaranteed.

Key Ceremony

An essential part of your PKI is the design and management of public and private keys. Every Certificate Authority (CA) will want to have at least one root key and one intermediate key pair. To generate this, a key ceremony will have to be held. We have the experience, protocols, and knowledge to support you with this.

Testing

Its testing is just as necessary as the design and setup of the PKI infrastructure. You want to go through several tests before the solution can be put into production. For example, you want to functionally test that the trust service works in accordance with the design and that the ETSI requirements for backup, security, logging, and continuity are met. Depending on the PKI infrastructure and trust service you have chosen, we can tell you precisely what you should consider regarding testing.

Documentation management

Updated documentation is necessary to ensure demonstrability and thus comply with ETSI standards and other requirements. We also know from experience that writing documentation can quickly become a neglected task under time pressure or limited commitment from technicians. With simple techniques and good examples, we can help you immediately get the documentation to the correct quality level and maintain it in the management situation.