Trusted by regulated industries • Member of the PKI Consortium • Expertise across Keyfactor, EJBCA, Entrust, DigiCert, Azure, AWS, HashiCorp Vault
Sanitised engagement (Telecommunications)
Global telecom — PKI modernisation & global hierarchy redesign
Serving as Principal PKI Architect, Steve Monti of SafeCipher delivered this engagement personally under the SafeCipher banner. Client details are withheld; the outcomes reported focus on availability, auditability, and cryptographic risk reduction.
Context
- Legacy AD CS sprawl across regions; limited ceremony evidence and inconsistent profiles
- IoT/network device identity growth; need for automated enrollment at scale
- Mandate for stronger key custody (HSM), HA/DR, and clearer CP/CPS governance
What Was Done
- Designed a layered hierarchy: offline root, regional issuing CAs, dedicated profiles for server, mTLS, device/IoT, and code signing
- Moved key material into HSM custody (on-prem or managed service, selected per region) with M-of-N key ceremonies and audited evidence
- Standardised certificate profiles & naming; rebuilt template taxonomy and EKU policy
- Refreshed CP/CPS, authored ceremony SOPs, and implemented role segregation with PAM
- Implemented automated enrollment: AD autoenrollment, EST/ACME, and API issuance; validated priority applications
- Hardened publishing: HA OCSP, fast CRL distribution, CDN caching, and health monitoring integrated with SIEM
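The hierarchy and profile design above (offline root, regional issuing CAs with pathLenConstraint=0, one exact EKU set per template) is the kind of invariant a practitioner wants to lint automatically, because standard chain validation alone does not catch a server certificate that also carries a code-signing EKU, or a leaf signed directly by the root. The following is an added example, not SafeCipher's or the client's code: it builds a two-tier hierarchy with Go's standard crypto/x509 package and lints issued certificates against a constructed, illustrative profile taxonomy (`profileEKU`). The CA names, regions and serials are invented, and in-memory P-256 keys stand in for HSM-held keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// profileEKU is a constructed, illustrative template taxonomy (not the client's): each profile
// maps to the exact EKU set a certificate issued under it may carry.
var profileEKU = map[string][]x509.ExtKeyUsage{
	"server":   {x509.ExtKeyUsageServerAuth},
	"mtls":     {x509.ExtKeyUsageClientAuth},
	"device":   {x509.ExtKeyUsageClientAuth},
	"codesign": {x509.ExtKeyUsageCodeSigning},
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign creates a certificate and re-parses it so derived fields such as MaxPathLenZero are set.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func newTemplate(cn string, serial int64, years int, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
}

// BuildHierarchy models the layered design: a self-signed offline root that signs only the regional
// issuing CA, whose pathLenConstraint=0 lets it sign end-entity certificates but never another CA.
func BuildHierarchy(region string) (root, issuing *x509.Certificate, issuingKey *ecdsa.PrivateKey) {
	rk, ik := newKey(), newKey()
	rt := newTemplate("Example Offline Root CA", 1, 20, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	root = sign(rt, rt, rk, &rk.PublicKey)
	it := newTemplate("Example Issuing CA "+region, 2, 10, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	it.MaxPathLenZero = true
	return root, sign(it, root, rk, &ik.PublicKey), ik // the root key is not returned: it stays offline
}

// IssueLeaf issues an end-entity certificate with the given EKUs. Pass profileEKU[profile] for a
// conformant certificate; anything else models template drift.
func IssueLeaf(issuer *x509.Certificate, key *ecdsa.PrivateKey, cn string, serial int64, ekus []x509.ExtKeyUsage) *x509.Certificate {
	t := newTemplate(cn, serial, 1, x509.KeyUsageDigitalSignature)
	t.ExtKeyUsage = ekus
	lk := newKey()
	return sign(t, issuer, key, &lk.PublicKey)
}

// LintChain checks one certificate against the hierarchy design and the profile's EKU policy and
// returns the findings; an empty slice means the certificate conforms.
func LintChain(leaf *x509.Certificate, profile string, issuing, root *x509.Certificate) []string {
	want, ok := profileEKU[profile]
	if !ok {
		return []string{"unknown profile " + profile}
	}
	var findings []string
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: want}); err != nil {
		findings = append(findings, "chain: "+err.Error())
	}
	// The offline root signs only CAs, so every end-entity certificate must come from the issuing CA.
	if leaf.IsCA || leaf.CheckSignatureFrom(issuing) != nil {
		findings = append(findings, "not an end-entity certificate signed by the regional issuing CA")
	}
	// Verify only needs one matching EKU; the profile requires the set to match exactly.
	match := len(leaf.ExtKeyUsage) == len(want)
	for _, w := range want {
		match = match && slices.Contains(leaf.ExtKeyUsage, w)
	}
	if !match {
		findings = append(findings, fmt.Sprintf("EKU set %v does not match profile %s", leaf.ExtKeyUsage, profile))
	}
	if !issuing.MaxPathLenZero {
		findings = append(findings, "issuing CA lacks pathLenConstraint=0")
	}
	return findings
}

func main() {
	root, issuing, key := BuildHierarchy("EMEA")
	fmt.Println(LintChain(IssueLeaf(issuing, key, "api.example.test", 100, profileEKU["server"]), "server", issuing, root))
}
```

The exact-set EKU comparison is the point of the linter: `Verify` with `KeyUsages` succeeds as long as one listed usage is present, so a server certificate that also carries `ExtKeyUsageCodeSigning` (or `ExtKeyUsageAny`) validates fine and would only be caught by the profile check. Run the same function over certificates issued by a different region's CA and it reports both the chain failure and the issuer mismatch, which is the signal to look for when templates or issuing CAs drift from the documented taxonomy.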
Outcomes
- Zero-downtime cutover for priority services; governed rollout for remaining estates
- Consistent issuance SLOs across regions; reduced emergency renewals
- Auditable ceremonies and CP/CPS documentation; evidence pack delivered and accepted by stakeholders
- IoT/device onboarding at scale via EST/ACME with standard profiles and automated renewal
- Clear PQC posture with hybrid-cert pilot plan (where feasible) and crypto-agility guidance
Engagement details have been generalised for confidentiality. Names/logos are not used and do not imply endorsement.
