November 5, 2020

Blog post. Tags: EJBCA Cloud, Enterprise, Government, Infrastructure, Manufacturing, SignServer Cloud, Telecom

Flexibility – the major benefit when deploying your PKI in the Cloud

The manner in which you deploy your PKI can be a critical choice, and there are many aspects to consider. When it comes to your need for flexibility, a cloud option can be beneficial in many ways. In this blog, I will give you insight into some of the advantages that the flexibility provided by a cloud PKI deployment offers.

For a very large deployment, or when an organization wants to adapt the PKI deployment for a specific use case, a full-scale cloud deployment with deep API support and “single license / unlimited certs” business model is clearly the best option. The cloud deployment in this scenario is less costly than an on-prem deployment and can scale, for example, to meet a large-volume IoT, medical device or automotive use case.

The ability to be fully in control of the PKI deployment and access the underlying API can be incredibly valuable for developers and DevOps teams, especially in use cases with more specialist non-TLS certificates and in use cases where the PKI layer needs to be integrated into a product, for example by a consumer electronics device manufacturer, or as part of a bespoke application. At a technical level, any of the PKI components, including the Certificate Authority (CA), Registration Authority (RA), and OCSP/CRL Validation Authority (VA), can be spun up in the cloud. In addition, anything that can be done on-premises can also be done in the cloud native solution. This includes deploying the hardware security module (HSM), which is normally a physical computing device that safeguards and manages digital keys and performs encryption, decryption and digital signature operations.

PKI control in mission-critical situations with no added cost

The ability to control every aspect of how a PKI and the corresponding certificates are deployed should not be underestimated, as it is a major benefit of a cloud deployment. For example, if an organization wants to change the cryptographic algorithms that are used, then this process is entirely within their control and – crucially – does not incur an additional cost, as would be typical in a Managed PKI service model. This control also extends to how an organization wants to organize their PKI. For example, EJBCA Cloud can support multiple CAs and multiple PKI hierarchies with multiple associated Certificate Authorities – and each CA can have its own administrator groups. Furthermore, companies gain great flexibility since the solution can handle thousands of OCSP requests per second, as well as many PKI protocols such as ACME, EST, CMP, SCEP, and Microsoft AutoEnrollment. This level of flexibility extends across different devices, operating systems and geographies – in fact, there are potentially millions of ways a cloud native PKI platform can be configured. Integration is simplified further by leveraging the REST API support where applicable.

Adaptability to meet regulatory compliance

One of the ways in which the flexibility of a cloud deployment is evident is in the ability to meet regulatory compliance. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations handling protected health information (PHI) to “implement a mechanism to encrypt PHI whenever deemed appropriate.” In financial services, the Payment Card Industry Data Security Standard (PCI DSS) has multiple security requirements, including “Identify and authenticate access to system components” and the use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. In both situations, PKI offers the core capabilities to meet these requirements. However, these are just two of a whole host of standards – and critically, these standards are evolving based on the discovery of new vulnerabilities and types of attacks.

Flexibility on all levels, including scalability, security and compliance

One size does not fit all. PrimeKey’s customers are challenged with all of these requirements and on different levels. The advantage of EJBCA and SignServer in the Cloud is the combination of:

  • the elasticity of the infrastructure usage,
  • the support for FIPS-certified HSM as an integrated part of the infrastructure,
  • the predictable subscription model and
  • the requirement to be in full control of the PKI today and tomorrow.

The adoption of public cloud continues to accelerate, and until 2022 the worldwide public cloud services market will grow by approx. 40%, according to Gartner. It is important for PrimeKey to continue to provide our technology directly on the Azure and AWS marketplaces. By doing so, we provide this rather new and upcoming market segment with the maturity, transparency and commitment required when enabling your business application with PKI and digital signature functionality.


Malin Ridelius

Malin Ridelius joined PrimeKey in March 2018 as Product Marketing Director. Malin has been working in product management/marketing and business development roles at several security companies including Giesecke & Devrient, HID Global and Nexus. She has 20 years’ experience in PKI, digital identities and electronic signatures, smart cards and related solutions.