PKI Design & Architecture (Enterprise, Cloud, Hybrid, OT/IIoT)

We design robust, scalable Public Key Infrastructure (PKI) architectures tailored to your security, compliance, and operational needs. From on‑premises PKI and cloud PKI to hybrid models, we prioritise customer‑managed keys (BYOK), Managed HSM, and zero‑trust‑aligned patterns.

Reference Architectures (Offline Root, Issuing CAs, HSM)

  • Tiered hierarchy: Offline Root CA → Online Issuing/Subordinate CAs (per environment/zone/use case)
  • Key protection: FIPS 140‑3 validated HSMs, dual control (M of N), tamper‑evident audit
  • Separation of duties: RA vs. CA roles, privileged access model via Entra ID/AD

Enterprise PKI Topology & Zoning (DMZ, Internal, OT — Purdue Model)

  • Network segmentation: Root in offline vault; Issuing CAs in secured zones; RA in controlled access tiers
  • OT/IIoT: Disconnected/low‑bandwidth RA options, device identity at scale, CRL distribution in constrained networks
  • DMZ/Edge: OCSP responders/CRL distribution, stapling, WAF/LB integrations

Cloud PKI Patterns (AWS, Azure, GCP) & BYOK/Managed HSM

  • AWS: ACM for workloads, ACM PCA for private PKI; keys in CloudHSM when required
  • Azure: Key Vault / Managed HSM for CA keys; integration with App Services/AKS; EJBCA/AD CS with AKV/MHSM
  • GCP: Certificate Authority Service (CAS) for managed CA; KMS/HSM for key residency
  • Hybrid: On‑prem roots with cloud issuing CAs; cross‑cloud discovery & policy via CLM (Keyfactor/Venafi)

Identity, Enrollment & Automation (ACME, EST, SCEP, CMP/CMC)

  • Protocols: ACME (with EAB), EST for devices/services, SCEP/NDES for legacy/MDM, CMP/CMC where needed
  • Workflows: Self‑service portals, policy‑gated approvals, GitOps pipelines for cert issuance and renewal
  • Kubernetes/Service Mesh: cert‑manager, Istio/Linkerd mTLS, SPIFFE/SPIRE integration options

Cryptography Policy & PQC Roadmap (RSA, ECDSA, Hybrid PQC)

  • Profiles: Key types/sizes, curves, validity, EKUs, SAN rules, digest policies
  • Crypto‑agility: Deprecation schedules, automated enforcement via CLM, PQC readiness (hybrid cert pilots)

High Availability, Performance & DR (SLAs for OCSP/CRL)

  • HA: Multi‑region OCSP, geo‑replicated CRLs, load‑balanced enrollment endpoints
  • DR: HSM backup and key component custody, CA rebuild runbooks, ceremony evidence packs
  • Monitoring: SLOs for issuance and status services; SIEM dashboards and alerting

Microsoft AD CS Modernisation (Intune/NDES, Auto‑Enrollment)

  • Clean‑up: Template rationalisation, naming standards, EKU hygiene
  • Modernisation: Intune/NDES for devices, gMSA/service enrollments, migration paths to enterprise CLM
  • Hardening: Admin tiering, constrained delegation controls, audit and logging standards

Integration Touchpoints (Load Balancers, MDM/EMM, CI/CD, Secrets)

  • Edges: F5, Nginx, HAProxy, IIS/Apache automation
  • Endpoints & Mobile: Intune, Jamf, Android Enterprise
  • DevOps: Terraform/Ansible pipelines, GitOps approvals, secrets managers (HashiCorp Vault, AKV)

Deliverables (Architecture & Governance Artifacts)

  • PKI High‑Level Design (HLD) and Low‑Level Design (LLD) with diagrams
  • Threat Model and Risk Assessment with compensating controls
  • CP/CPS updates and Key Management Standard (BYOK/HSM)
  • Network & Zoning Plan with firewall/ports matrix
  • Runbooks: issuance, renewal, revocation, OCSP/CRL operations, DR
  • Acceptance & Test Plan (non‑prod to prod promotion, canary renewals)

FAQ: PKI Design & Architecture — Common Questions

On‑prem vs. Cloud vs. Hybrid? It depends on key custody, data residency and integration needs. We commonly deploy offline roots on‑prem with cloud issuing CAs.

Do we need an HSM? For CA keys: strongly recommended (often required). We use FIPS 140‑3 validated modules where mandated.

How do we prevent outages? Automated discovery, pre‑expiry renewals, blue/green rollovers, OCSP/CRL SLOs, and monitoring.

Can you integrate with Kubernetes/service mesh? Yes—cert‑manager plus mTLS policy, or SPIFFE/SPIRE where appropriate.

What about PQC? We prepare crypto‑agile profiles and a pilot plan for hybrid or PQC‑ready certificates for high‑value services.