Public Key Infrastructure (PKI) Services
Design, migration and hardening of enterprise PKI with HSM key custody and certificate lifecycle automation (CLM). Vendor-neutral across AD CS, enterprise PKI architecture, cloud HSM patterns and HSM vendor options — with post-quantum transition planning.
Serving clients in the United States (ET/PT), Western Australia (AWST) and Europe (EU/UK).
PKI design & architecture
- Layered hierarchy with offline root, issuing CAs, AIA/CDP/OCSP and HA revocation — see our PKI design patterns.
- Profiles/EKUs, naming and validity aligned to recognised guidance; delivered with runbooks & evidence from engagements.
- Migration blueprints (AD CS → hybrid/cloud) and operational support for steady-state.
HSM custody & key management
- M-of-N ceremonies, RBAC/segregation of duties, backup/restore with audit evidence — our HSM Services.
- Cloud and on-prem patterns using Cloud HSM or managed HSM; vendor choices at HSM Vendors.
- Use of FIPS 140-3 validated modules where required by policy.
Certificate lifecycle automation (CLM)
- Discovery → policy → issuance → renewal across hybrid estates — start with a Cryptographic Audit.
- ACME/EST, agent/API integrations, policy folders & approvals (Venafi, EJBCA, Keyfactor) — see Selected engagements.
- Dashboards & SLOs (expiry MTTR, OCSP freshness, CRL age), blue/green rollout patterns.
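The expiry and CRL-age SLOs above are the checks a CLM dashboard is built on. The following Python block is an added example (not code from this page's authors): a stdlib-only DER walker that reads `tbsCertificate.validity` from a certificate and `thisUpdate`/`nextUpdate` from a CRL, then grades each against an expiry warning window and a maximum CRL age. The sample certificate and CRL are constructed inline (unsigned, with placeholder issuer and algorithm fields) so it runs offline; on real DER files the same functions apply unchanged, because RFC 5280 fixes the position of those fields.

```python
"""Expiry and CRL-age checks over DER-encoded X.509 objects (stdlib only).

Added example for this page; not the authors' code. The DER walker reads only
the fields the checks need (tbsCertificate.validity and
tbsCertList.thisUpdate/nextUpdate), which sit at fixed positions per RFC 5280.
"""
from datetime import datetime, timedelta, timezone


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for each element of a constructed (SEQUENCE) value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag: int, value: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                            # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper for building timezone-aware UTC instants."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) of a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)                        # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))    # tbsCertificate fields
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]          # serialNumber, signature, issuer, validity, ...
    (t1, v1), (t2, v2) = list(_children(validity))[:2]
    return _parse_time(t1, v1), _parse_time(t2, v2)


def crl_updates(der: bytes):
    """Return (thisUpdate, nextUpdate-or-None) of a DER CertificateList."""
    _, crl, _ = _read_tlv(der, 0)
    fields = list(_children(next(_children(crl))[1]))     # tbsCertList fields
    if fields[0][0] == 0x02:                              # optional version INTEGER
        fields = fields[1:]
    this_update = _parse_time(*fields[2])   # signature, issuer, thisUpdate, [nextUpdate]
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return this_update, (_parse_time(*fields[3]) if has_next else None)


def expiry_status(cert_der: bytes, now: datetime, warn_days: int = 30) -> str:
    """ok / expiring / expired / not-yet-valid, relative to a warning window."""
    not_before, not_after = certificate_validity(cert_der)
    if now < not_before:
        return "not-yet-valid"
    days_left = (not_after - now) / timedelta(days=1)
    if days_left < 0:
        return "expired"
    return "expiring" if days_left < warn_days else "ok"


def crl_status(crl_der: bytes, now: datetime, max_age_days: float) -> str:
    """fresh / aging / stale: stale means nextUpdate has passed (relying parties reject)."""
    this_update, next_update = crl_updates(crl_der)
    if next_update is not None and now > next_update:
        return "stale"
    return "aging" if now - this_update > timedelta(days=max_age_days) else "fresh"


# --- constructed sample inputs (unsigned; placeholders for the fields the checks skip) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SAMPLE_CERT = _tlv(0x30,
    _tlv(0x30,                                            # tbsCertificate
         _tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] version v3
         + _tlv(0x02, b"\x01")                            # serialNumber
         + _tlv(0x30, b"") + _tlv(0x30, b"")              # signature, issuer (placeholders)
         + _tlv(0x30, _tlv(0x17, b"250101000000Z")        # validity: notBefore 2025-01-01
                      + _tlv(0x17, b"260301000000Z")))    #           notAfter  2026-03-01
    + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))              # signatureAlgorithm, signatureValue

SAMPLE_CRL = _tlv(0x30,
    _tlv(0x30,                                            # tbsCertList
         _tlv(0x02, b"\x01")                              # version v2
         + _tlv(0x30, b"") + _tlv(0x30, b"")              # signature, issuer (placeholders)
         + _tlv(0x17, b"260210120000Z")                   # thisUpdate 2026-02-10 12:00Z
         + _tlv(0x17, b"260217120000Z"))                  # nextUpdate 2026-02-17 12:00Z
    + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    now = utc(2026, 2, 15, 12)
    print("cert:", expiry_status(SAMPLE_CERT, now))
    print("crl:", crl_status(SAMPLE_CRL, now, max_age_days=3))
```

Point `certificate_validity` at the DER of a leaf or issuing-CA certificate (PEM needs only a base64 decode of the body first) and feed the status strings into the dashboard; the "stale" branch is the one worth paging on, since a CRL past `nextUpdate` breaks validation for every relying party that fetched it from the CDP.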
Compliance & regulatory alignment
We don’t provide legal advice. We align technical controls and evidence so your legal/compliance teams can demonstrate conformity.
Vendors we support (vendor-neutral)
- Microsoft AD CS (on-prem/hybrid patterns)
- EJBCA • Venafi • Keyfactor
- Entrust • DigiCert • Thales HSM — compare options at HSM Vendors
Sectors & outcomes
- Finance: Expiry-outage prevention; ceremonies with evidence; OCSP/CRL monitoring.
- Public sector & health: HA revocation, long-term validation, audit packs.
- Pharma: GxP-aware signing & data integrity (EU GMP Annex 11).
- IoT/OT: Device identity at scale, secure boot/firmware signing, offline revocation.
Transition planning (≥128-bit strength & PQC)
Plan beyond 2030: treat RSA-2048 (≈112-bit security strength) as legacy and verification-only after 2030, move new issuance to parameters of at least 128-bit strength (e.g., RSA-3072), and pilot PQC now so the hierarchy can be re-keyed on schedule — start here: Quantum PKI Transition.
SP 800-131A r3 (draft) • NIST announcement • NIST PQC selections
PKI services — FAQ
What’s included in a typical engagement?
Discovery, target architecture, build with HSM custody, CLM automation, runbooks and an audit-ready evidence pack.
Do you support AD CS → cloud migrations?
Yes — hybrid patterns with Cloud HSM/managed HSM vendors, blue/green cutovers, and identity integration.
Which frameworks do you align to?
FIPS 140-3, GDPR/UK GDPR, PCI DSS 4.x; see regional details for Europe, United States and Western Australia.
