A Secure Foundation for the Internet of Things based on Public Key Infrastructure

PrimeKey's end-to-end take on Internet of Things (IoT) security based on Public Key Infrastructure (PKI).

Is the Internet of Things an Internet of Threats?

The Internet of Things (IoT) is often defined as a network of physical objects that can interact with other Internet-enabled systems and devices to share information and perform actions. This means the Internet of Things encompasses everything from cars to cooking devices, from MRI scanners to personal fitness trackers.

For businesses across a range of industries, the Internet of Things provides opportunities for cost reductions and increased revenues. It is estimated that IoT will consist of about 30 billion devices, with the global market value reaching $7.1 trillion. There is no question that IoT is transforming industries, businesses and ultimately our lives. But as the physical objects around us become connected, they also become susceptible to a variety of cyber security threats. With IoT solutions maturing and taking on a key role in the new revenue streams, workflows and value propositions of progressive businesses, IoT security becomes a central issue, and a complex one at that.

The building blocks of IoT security

Businesses developing IoT offerings must make sure the Internet of Things does not become an Internet of Threats. It is therefore imperative to provide a secure foundation for Internet-enabled physical objects that is able to:

  • Assure the identity and authenticity of all devices.
  • Make sure devices run only authorized code.
  • Manage the lifecycle of each device, ensuring the chain of custody.
  • Enable safe over-the-air updates to maintain security and allow for new features over time.
  • Protect communication across insecure networks.
  • Secure sensitive data and safeguard regulatory compliance.

In addition to the functional aspects, security solutions for Internet of Things must also be scalable, potentially handling billions of devices, and flexible enough to cost-efficiently integrate with IoT platforms and back-end enterprise systems.

For an end-to-end take on Internet of Things security, PrimeKey delivers a public key infrastructure (PKI) built on open standards, with proven scalability and more than 20 years of history protecting the world’s most valuable digital assets.

PKI creates trust in the era of IoT

Public Key Infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. This enables secure communication between parties and provides security through identity, with services built on top of it, including authenticity, integrity and confidentiality.

When developing secure IoT solutions, PKI can function as a one-stop shop. Benefiting from the proven track record of PKI, all aspects of IoT security can be addressed:

Protect IoT devices

  • Guarantee that each device has a unique and traceable identity.
  • Ensure that code running on the devices – including firmware, operating system and applications – is authorized and not tampered with.
  • Enable secure, over-the-air updates to add features, improve performance and ensure security over time.

Protect device communication

  • Safeguard communication through encryption, protecting data in transit across insecure networks.
  • Validate the identity and authenticity of devices attempting to communicate with IoT platforms and back-end systems.

Protect sensitive data and safeguard regulatory compliance

  • Enable sensitive data to be encrypted on the device, in transit and when stored centrally, ensuring the ability to stay compliant with regulatory demands.

Manage lifecycle and chain of custody

  • Provision devices in manufacturing, establishing a unique and traceable identity of every device.
  • Manage devices in operation, ensuring that only authorized parties can act on them, and handle decommissioning, repurposing and changes of ownership.
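To make the device-identity and code-signing roles above concrete, here is an added example in Go using only the standard library. It is not PrimeKey's code and models neither EJBCA nor SignServer: a toy root CA issues a certificate for a key the device generated itself (the client-generated key model listed under Key features later on this page) and a separate code-signing certificate; the back-end accepts the device for TLS client authentication, and the device accepts a firmware image only if the signature verifies and the signer chains to the same root with the code-signing role. The CA name, device id and firmware bytes are constructed for the illustration, and revocation is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IoTCA is a toy certificate authority modelling the PKI roles above; it is not EJBCA or any PrimeKey product.
type IoTCA struct {
	Cert  *x509.Certificate
	Roots *x509.CertPool
	key   *ecdsa.PrivateKey
	next  int64 // next certificate serial number
}

func must(err error) { // RNG or DER encoding failures are the only errors this demo can hit
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey { // devices generate their own key, so the private key never leaves them
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// sign issues tmpl under parent with the CA key; parent == tmpl yields the self-signed root.
func (ca *IoTCA) sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, ca.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewIoTCA builds a self-signed P-256 root (hypothetical name) entitled to sign certificates.
func NewIoTCA() *IoTCA {
	ca := &IoTCA{key: newKey(), next: 2, Roots: x509.NewCertPool()}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IoT Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca.Cert = ca.sign(tmpl, tmpl, &ca.key.PublicKey)
	ca.Roots.AddCert(ca.Cert)
	return ca
}

// Issue certifies a public key and pins the certificate to one role via extended key usage.
func (ca *IoTCA) Issue(cn string, pub *ecdsa.PublicKey, role x509.ExtKeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.next), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{role}}
	ca.next++
	return ca.sign(tmpl, ca.Cert, pub)
}

// Trusts reports whether cert chains to this root and carries the given role: the back-end runs it on a
// connecting device (ClientAuth), the device runs it on the signer of an update (CodeSigning).
func (ca *IoTCA) Trusts(cert *x509.Certificate, role x509.ExtKeyUsage) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: ca.Roots, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}

// SignFirmware signs the SHA-256 digest of an image with the signer's private key (ECDSA, ASN.1 encoded).
func SignFirmware(image []byte, key *ecdsa.PrivateKey) []byte {
	d := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	must(err)
	return sig
}

// VerifyFirmware is the device-side check before an update is installed: a trusted code signer
// and a signature over exactly these image bytes. Both conditions are required.
func VerifyFirmware(ca *IoTCA, signer *x509.Certificate, image, sig []byte) bool {
	return ca.Trusts(signer, x509.ExtKeyUsageCodeSigning) && signer.CheckSignature(x509.ECDSAWithSHA256, image, sig) == nil
}

func main() {
	ca, other := NewIoTCA(), NewIoTCA() // "other" is a second, unrelated root
	devKey, signerKey, otherKey := newKey(), newKey(), newKey()
	dev := ca.Issue("device-0001", &devKey.PublicKey, x509.ExtKeyUsageClientAuth) // hypothetical device id
	signer := ca.Issue("firmware-signer", &signerKey.PublicKey, x509.ExtKeyUsageCodeSigning)
	foreign := other.Issue("firmware-signer", &otherKey.PublicKey, x509.ExtKeyUsageCodeSigning)
	image := []byte("constructed firmware image v1.2.3") // constructed sample, not a real image
	sig := SignFirmware(image, signerKey)
	fmt.Println("device accepted for TLS client auth:", ca.Trusts(dev, x509.ExtKeyUsageClientAuth))
	fmt.Println("signed firmware accepted:", VerifyFirmware(ca, signer, image, sig))
	fmt.Println("signer under an unrelated root accepted:", VerifyFirmware(ca, foreign, image, SignFirmware(image, otherKey)))
	fmt.Println("device certificate used as signer accepted:", VerifyFirmware(ca, dev, image, SignFirmware(image, devKey)))
	image[0] ^= 1 // one flipped bit in transit
	fmt.Println("tampered firmware accepted:", VerifyFirmware(ca, signer, image, sig))
}
```

Run it with `go run`: the first two checks print true, the remaining three print false. The two middle rejections are the ones a bare signature check would miss. In both cases the signature is mathematically valid, but the key is either certified by a root the device does not trust or certified only for TLS client authentication, so the chain-of-trust and extended-key-usage checks are what keep an unauthorized image off the device.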

PKI is a proven way of protecting valuable assets, fitting well into the complex and diverse security challenges of IoT. So, what are the key considerations in selecting a PKI solution for IoT?

Benefits of PrimeKey’s PKI solutions in the context of IoT

PrimeKey is a pioneer in open source security software that provides businesses and organizations around the world with the ability to implement security solutions such as e-ID, e-Passports, authentication, digital signatures, digital identities and validation.

Three key aspects are at the heart of PrimeKey's unique fit for providing security in an IoT context: it is proven, scalable and flexible.

Proven

As one of the world’s leading companies for PKI solutions, PrimeKey has developed successful technologies such as EJBCA Enterprise, SignServer Enterprise and PrimeKey PKI Appliance. These products have been proven in a range of contexts, from critical telecom and power infrastructure to smart products from several of the world’s most recognized brands and national e-IDs.

  • PKI is a proven technology, having facilitated secure electronic transfer of information for a range of activities across the globe for decades, including e-commerce, internet banking and e-IDs.
  • EJBCA is proven as the leading security software for Certificate Issuance and Certificate Management across industries, including several of the most demanding use cases in the world.
  • Because the source code is mature and widely proven, the products carry the lowest likelihood of disruptive software defects and have been proven time and again to enable standards-based, cost-efficient integrations.

Scalable

Using either PrimeKey EJBCA Enterprise Software or PrimeKey PKI Appliance you can rest assured that whether you are looking to provision 10 or 10 billion devices, the solution scales with your business. In addition, a PrimeKey PKI solution can scale across different use cases relating to IoT – from the edge to the datacenter.

  • The PKI applications can seamlessly scale with needs as volumes grow and additional use cases are identified.
  • The products are based on standardized technology and can be cost-efficiently managed by existing IT staff.
  • Highly configurable workflows and integrations based on open standards make it possible to scale PKI across use cases and emerging regulatory demands.

Flexible

PrimeKey gives you the choice of, and the choice to combine, on-premise, cloud, hardware-appliance and software-only PKI solutions. This means the infrastructure is deployed in the manner best suited to your business needs and can flexibly grow and expand over time.

  • Supporting a number of standard protocols, making it easy to integrate with virtually any IoT platform or back-end system.
  • Highly configurable to run your existing and future workflows, including both manual and automated processes.
  • Issue billions of certificates with an infrastructure that can grow flexibly over time – on premise, in the cloud or as an appliance.
  • Adapts to the needs of existing device development and management solutions.
  • Adjusts to support every code signing workflow possible.

In summary, PrimeKey PKI solutions provide a proven foundation for developing secure IoT solutions that addresses the multitude of security challenges. The code signing capabilities delivered by EJBCA and SignServer ensure the authenticity and integrity of both data and code on devices, proven in some of the most challenging use cases in the world. We have vast knowledge and experience in partnering with globally leading software and hardware vendors, utility providers, car manufacturers, system integrators and more, enabling PrimeKey to fully support the most demanding aspects of IoT security.

Key features

Protect IoT devices

Establish device identity

  • Issues X.509 certificates compliant with RFC 5280
  • Supports RSA and Elliptic Curve algorithms
  • Supports both batch production and single-instance issuance
  • Supports both client- and server-generated keys

Ensure software integrity with PrimeKey SignServer

  • CMS/PKCS#7 signatures
  • Authenticode for signing Windows executables and installers
  • JAR signing for Java and Android files
  • Plain signatures for generic signing

Protect device communication

  • Supports TLS certificates for both client and server to encrypt communication in transit

Protect sensitive data and ensure regulatory compliance

  • RFC 5280, ETSI/eIDAS and WebTrust-compliant
  • Support for HSMs from leading vendors
  • Compliance support for NSA Suite B algorithms
  • Tamper-proof hardware for insecure environments with PrimeKey SEE
  • Enables GDPR compliance across platforms and systems
  • Future-proof and flexible enough to support emerging regulatory demands

Manage lifecycle and chain of custody

  • Full lifecycle support with certificate issuance, renewal and revocation
  • Time-stamped digital signatures enabling traceability
  • Support for vendor certificates and digital twins
  • Ensures the identity and correctness of digital twin representations
  • Secure audit logs in all certificate lifecycle and digital signature operations

Scalable

  • Linear scalability for performance and high availability by adding multiple nodes
  • High performance: more than 500 requests per second can be achieved on a single server
  • Configurable to support a multitude of use cases
  • Uses a standard SQL database, with no built-in limit on scale
  • Highly scalable Java Enterprise applications
  • Proven to support billions of certificates in operation

Flexible

  • Supports standards for API integration including SCEP, CMP, EST, ACME and Web Services.
  • Revocation checks with OCSP and CRLs.
  • Available as on-premise software, in the cloud and as an appliance, supporting hybrid solutions.
  • Configurable to support different levels of automation, from manual to fully automated.
  • Adaptable to support existing and future workflows, processes and platforms.
  • Flexible deployment architectures, from single-instance to multi-site deployments, including support for external RAs and VAs with High Availability and Disaster Recovery.
