Summary of "Modernizing Certificate Management: Why it’s time to rethink your Private PKI strategy"

Summary: Modernizing Certificate Management and Private PKI Strategy

This webinar, hosted by Matt Gross (marketing) with main speakers Henry Lamb (Product Management Director, Sectigo) and Jason Sokco (Senior Fellow, Sectigo), focuses on the evolution and modernization of private Public Key Infrastructure (PKI) and certificate management. It highlights the shift from legacy, on-premises, siloed, and expensive private certificate authorities (CAs) to modern, cloud-native, flexible, and future-proof solutions.

Key Technological Concepts and Analysis

• Legacy PKI Challenges:
  • Historically, private PKI was complex, costly, slow to deploy, heavily reliant on professional services, and mostly Windows-centric (Active Directory Certificate Services - ADCS).
  • It was designed for domain-joined, on-premises environments and is brittle when extended to hybrid or cloud environments.
  • Manual certificate issuance and lack of visibility create risks, outages, and governance challenges.
  • Legacy PKI often lacks cryptographic agility and post-quantum readiness.
• Modern Private Certificate Authorities:
  • Designed for hybrid, multi-OS environments including macOS, Linux, mobile OS, cloud, DevOps, IoT, and non-domain joined systems.
  • Support cryptographic agility and post-quantum cryptography planning.
  • Turnkey deployment with fast time-to-market, often cloud-native and API-driven.
  • Provide centralized visibility, governance, and automation of certificate lifecycle management.
  • Use RESTful APIs and modern protocols instead of legacy scripting (PowerShell, shell scripts).
• Visibility and Governance:
  • Massive visibility gaps exist due to certificates spread across multiple silos (on-prem, cloud, Kubernetes, IoT devices).
  • Lack of centralized management leads to silent certificate failures and outages.
  • Modern platforms consolidate certificate issuance and inventory in one place, enabling better governance and risk management.
• Use Cases for Private PKI:
  • VPN authentication, Wi-Fi access point provisioning, workload identity (containers, devices, users), managed devices (e.g., Intune, AirWatch).
  • Diverse teams often manage certificates inconsistently, increasing risk of single points of failure.
  • Modern PKI supports flexible trust models including hybrid (on-prem + cloud) and cross-signing.
• Active Directory Certificate Services (ADCS) vs. Modern PKI:
  • ADCS remains prevalent but is legacy and limited to Windows domain environments.
  • Microsoft only recently began discussing post-quantum cryptography (PQC) support for ADCS, with few details.
  • Modern private CAs can augment or eventually replace ADCS, supporting diverse environments and future-proofing.
  • Hybrid models allow coexistence and gradual migration.
• Sectigo’s Modern PKI Solution:
  • Cloud-native Certificate Lifecycle Management (CLM) platform that overlays on existing legacy CAs or hosts private CAs.
  • Offers consolidated certificate issuance, management, visibility, and automation via APIs.
  • Secure key generation using Hardware Security Modules (HSMs) in FIPS mode, following public CA-grade security standards.
  • Removes infrastructure maintenance burdens and 24/7 uptime responsibility from customers.
  • Supports flexible trust models and hybrid deployments.
  • Transparent pricing and rapid deployment.
• Regulatory and Industry Drivers:
  • Increasing compliance requirements (PCI, HIPAA, NIST, White House Executive Orders, NIS2, DORA).
  • Google’s upcoming deprecation of TLS client authentication certificates from public CAs within a year forces migration to private CAs.
  • Post-quantum cryptography readiness is essential due to emerging quantum computing threats.

Guides, Tutorials, and Recommendations

• Inventory and Discovery:
  • Organizations must take inventory of all certificates, including TLS client authentication certificates.
  • Discover and consolidate certificates to avoid outages and compliance failures.
• Modernization Path:
  • No need for immediate rip-and-replace of legacy PKI; overlay with modern CLM platforms to extend capabilities.
  • Gradual migration with hybrid trust models and cloud integration.
  • Use APIs and modern protocols for certificate issuance automation.
  • Secure CA keys with HSMs, not software-only key storage.
• Homework for Attendees:
  • Identify usage of TLS client authentication certificates.
  • Start planning migration to private PKI for client certs due to public CA deprecation.
  • Conduct certificate inventory and assess cryptographic algorithms and lifespans.
  • Develop cryptographically aware governance policies.
  • Consider Sectigo’s platform for rapid deployment and management.
• White Paper:
  • Jason Sokco recommends downloading Sectigo’s white paper titled “The Business Case for Internal PKI” for deeper understanding and strategic guidance.

Main Speakers / Sources

• Henry Lamb – Product Management Director, Sectigo
• Jason Sokco – Senior Fellow, Sectigo
• Matt Gross –

Category

Technology

Share this summary

Share on X/Twitter Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Share on Telegram

Video