Public Key Infrastructure (PKI) management is an unglamorous but essential part of operating a business in the digital age. With organizations managing more digital identities and certificates than ever before, choosing the right PKI management software is crucial. Thankfully, there are a number of tools that can help businesses of all stripes handle certificate requests and renewals, as well as secure/automate communication among browsers, apps and servers.
Mistakes still happen, of course. The problem of expiring certificates can plague even global tech giants: earlier this year, Microsoft Teams suffered a much-publicized outage due to an expired SSL certificate. Hence the need for a PKI management tool that can provide early warning before such accidents happen.
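The kind of early-warning check described above, as an added illustration (not code from this article or from any vendor it names): it takes certificates in the dictionary shape Python's `ssl.getpeercert()` returns, computes days to expiry from the `notAfter` field, and flags anything that is expired or inside a warning window. The inventory, the hostnames, the fixed "current time" and the 30-day threshold are constructed sample values.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample inventory in the dictionary shape returned by
# ssl.SSLSocket.getpeercert(); 'notAfter' uses the "%b %d %H:%M:%S %Y GMT"
# format that ssl.cert_time_to_seconds() parses. Hostnames are made up.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "legacy.example.test"),),), "notAfter": "Jan 15 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "chat.example.test"),),),   "notAfter": "Feb  3 12:00:00 2020 GMT"},
    {"subject": ((("commonName", "www.example.test"),),),    "notAfter": "Dec 31 23:59:59 2020 GMT"},
]
# Constructed "current time" so the report is reproducible offline.
SAMPLE_NOW = datetime(2020, 2, 1, 12, 0, 0, tzinfo=timezone.utc)

def common_name(cert):
    """Pull the commonName out of the nested subject tuples getpeercert() returns."""
    for rdn in cert["subject"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def days_until_expiry(cert, now):
    """Days from `now` until the certificate's notAfter; negative once expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400

def classify(cert, now, warn_days=30):
    """Three-state status: already expired, inside the warning window, or ok."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "warning"
    return "ok"

def expiry_report(certs, now, warn_days=30):
    """Map each CN to (status, days remaining) so a scheduler can alert on non-ok entries."""
    return {common_name(c): (classify(c, now, warn_days), round(days_until_expiry(c, now), 1))
            for c in certs}

if __name__ == "__main__":
    for cn, (status, days) in sorted(expiry_report(SAMPLE_CERTS, SAMPLE_NOW).items()):
        print(f"{cn:25} {status:8} {days:8.1f} days")
```

In production the inventory would come from a discovery scan or the PKI tool's API, and `now` from the clock; the threshold is the lead time your renewal process actually needs.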
The difficulty for most businesses lies in sourcing the right Public Key Infrastructure management software for their needs. With this in mind, here are five areas you’ll want to consider before opting for a new PKI vendor.
Start with tech requirements
There are many questions worth asking any would-be PKI vendor, but those revolving around tech should definitely be high on your list.
What is the scope of certificates supported by the solution? What are the operating system requirements, and is automation via API feasible with your existing setup? Does the vendor participate in Google's Certificate Transparency program? What security controls protect access mechanisms such as public IP and VPN?
Needless to say, you should clarify all tech requirements at the outset and seek assurance about the tools and processes available for troubleshooting. Only when you're confident that the PKI software can integrate with your existing infrastructure should you go ahead.
Security
Infosec is a watchword for any PKI management solution, and rightly so. The vendor should therefore be able to explain how the initial notification will be handled in the event of a security breach, including response times, communication method, status reports, post-mortem reviews and so on.
Moreover, the vendor should be able to classify security vulnerabilities and explain their penetration testing processes. Particular emphasis should be placed on authentication protocols and the security of information handled by employees.
Physical security
It is easy to overlook physical security, given that infosec is typically pictured as a purely digital matter. Physical concerns remain relevant, however: where will CA documents be stored? Will they be monitored around the clock? Are data centers audited on a continuous basis? These are the sorts of questions you should be asking when considering your next PKI management tool.
Deployment
Responsible PKI vendors will clearly outline their implementation process and methodology documents, and provide a rough time frame. Deployment is likely to be phased, and the migration from old certificate templates to new ones should be spelled out.
Ultimately, review all deployment documentation and make sure you understand it before committing to new PKI management software.
Compliance & pricing
Last but not least, compliance and pricing. This is where you dot the i's and cross the t's. Not only should the vendor be able to describe all compliance certifications relevant to your company (PCI, ISO 27001, SOX, etc.), but they should also clarify best practice for audits. As for pricing, the model should be detailed in full (setup and maintenance), including the terms for termination for convenience. Don't forget to clarify how ongoing support services will be priced, so you can budget accordingly.
Never be afraid to put a vendor on the spot: they should actively want to address your concerns. Recently, Keyhub and PKI Solutions put together a Request for Proposal (RFP) template with over 90 questions to ask PKI vendors. Simply fill in your company details, project description and core requirements, then forward the template, complete with pre-written questions aimed at demystifying the PKI tool in question.
While you’re here, take a look at Keyhub, a cloud platform that helps businesses automatically discover, organize and track SSL/TLS certificates across an entire enterprise.