November 29, 2018

Blog post

Why would you deploy your PKI in the Cloud?


This post was updated on: 2020-06-11

Many organizations today choose to deploy all or parts of their IT infrastructure and/or service offering in the cloud. Why? Rapid deployment and ease of scale are two of the advantages. There is no upfront investment in hardware, servers and software, which minimizes risk and makes it easy to get started. A cloud deployment enables you to start small and to grow with the use case. Additionally, most solutions in the cloud offer financial flexibility, only charging customers for the resources they use.

When deploying your Public Key Infrastructure (PKI) in the cloud, all of the above is still true. Some may be hesitant to put such a critical part of their security infrastructure in the cloud, but with your cloud-based PKI you still have Hardware Security Module (HSM) support for secure key storage and usage. You also get high availability and clustering capabilities when needed. In addition, with a cloud deployment you get the ability to easily reach almost all parts of the world. PrimeKey products are available in all areas that AWS operates in, including AWS GovCloud. To make sure that your security solution stays secure and up to date, there are different support levels available.

If you are looking to deploy your PKI in the cloud, you can rest assured that you are able to get your complete security solution. All your PKI components, Certificate Authority (CA), Registration Authority (RA), and OCSP/CRL Validation Authority (VA), can be deployed in a secure and cost-effective way, leveraging the possibilities of the cloud infrastructure. Since EJBCA Cloud runs EJBCA Enterprise, RA and VA functionality can be separated from the CA functionality, run in different regions, or spun up on demand to meet load. PKI in the cloud frees you from the geographic constraints found in typical datacenter environments. In the picture below, you can see a typical Cloud PKI reference architecture including redundancy, cross-cloud deployments and keys stored in AWS CloudHSM.


The reference PKI architecture includes:

  • CloudHSM backed keys
  • Site level redundancy leveraging availability zones in region 1
  • Galera replication configured manually across all regions for active/active CAs
  • Application Load balancer (ELB) for redundancy in region 1
  • Amazon Route 53 load balancing across all remaining sites and to ELB
  • Security groups protecting all nodes at each site
  • VA/RA services in separate availability zones

Has this sparked your curiosity about cloud PKI? Or are you already convinced that deploying your security solutions in the cloud is an efficient way forward for your organization? Please feel free to try it out with a 14-day free trial on AWS. EJBCA Enterprise Cloud will get you a single node, perfect for testing and evaluation, within minutes. This same node can also be expanded to meet the most demanding PKI needs. EJBCA in the cloud scales with you as you grow. All the documentation you need to get up and running on AWS, plus how to get your first CA running, is available here.

Would you like to know more about PKI in the cloud?

Sign up for our webinar on PKI in the cloud.

Read more about EJBCA Enterprise Cloud on AWS.



Alex Gregory

Alex Gregory is Senior Director Cloud & Managed, PKI Products and Services at PrimeKey based in San Mateo, Silicon Valley. He has over 20 years of experience in the IT Security and Product Management fields, providing senior systems, security and IT solutions to a diverse set of companies.