Buyer’s Guide:

The Essential
Guide to
Evaluating PKI
Solutions
Learn the 6 critical elements
of a modern PKI platform
 Read before you start
If you’re reading this guide, chances are you’re in the market for a
new public key infrastructure (PKI) solution. Why? It could be that
your root certificate authority (CA) is about to expire, or maybe it’s
running on a server that’s near end-of-life. You may be rolling out a new
project or product line, or maybe it’s just that your current PKI solution
can’t support the growing volume and velocity of certificates in your
environment.

No matter the reason, you’ve come to the right place.

What’s inside
PKI comes in many forms and flavors, each designed to meet specific
use cases and requirements. This guide is intended to help you find
the right fit for your organization. It identifies the different types of
PKI, common use cases, key considerations, and guidance on how to
evaluate various solutions and service offerings.

So, what are you waiting for?

Go ahead, dive in.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 2

Table of contents

Introduction 4

01 Assess your needs 5

02 Know your options 7

03 Evaluate solutions 9

Core PKI functions 10

Flexibility 12

Extensibility 14

Scalability 16

Certificate management 18

Compliance, security & services 20

04 Deploy your PKI, your way, with Keyfactor 22

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 3

PKI: The foundation of trust in
a hyper-connected world
The world has changed — what about your PKI?

Public key infrastructure (PKI) is nothing new. It’s been widely adopted The use of PKI is
for the better part of two decades. Why? PKI delivers the critical
growing, and more
functions of authentication and encryption that ensure every connec-
tion — human to machine or machine to machine — is protected. It
machines use cer-
also enables organizations to digitally sign everything from code to tificates to encrypt
documents with a trusted and verified signature. communication for
authentication or
The world has become hyper-connected, making it more important than
ever to establish digital trust with a modern PKI. The adoption of PKI has
to sign workloads
extended well beyond traditional use cases like securing web servers or (i.e., code signing.)”
users and devices on the network. The productive and innovative ways
people use PKI today are simply incredible ­­— delivering authenticity
across the Internet, enabling developers to move fast while staying Managing Machine Identities,
Secrets, Keys and Certificates,
secure, and even securing millions of connected vehicles. Erik Wahlstrom
Gartner, 16 Mar 2022
There’s truly no end to the potential for PKI to deliver value. That said,
many teams and organizations rely on outdated PKI software or multi-
ple point solutions, resulting in overly complex, manual, and risk-prone
processes. Fortunately, advancements in technology and cloud
services mean that PKI is now more flexible than ever, so long as you
have the right solution.

This guide was created to help IT, IoT, and security professionals better
understand the PKI landscape, evaluate solutions based on key criteria,
and ultimately, find a modern PKI platform to effectively protect and
enable their organization.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 4

01 There’s nothing worse than selecting a vendor, only to realize
during implementation that you’re in way over your head, or worse,
the solution doesn’t deliver on all its promises. To find the right PKI
Assess your solution, start first with your requirements.

needs What you do with PKI is far more important than PKI itself. Begin
by assessing your organization’s unique use cases, IT policies,
Understand what your and available skills and resources required to support PKI. Taking
organization needs this step first will help you assess solutions based on your needs
in a PKI solution versus what vendors say you “need.”

DEDICATED TEAM
Expertise
Do you have the specialized expertise on staff required to deploy,
configure, and manage PKI? Remember, PKI is critical infra-
structure — a simple misconfiguration can lead to serious risks
and consequences. Also, consider whether you have enough
bandwidth on your team to handle ongoing maintenance and certif-
NO TEAM icate management.

FULLY MANAGED
Control
How hands-on does your organization want to be in managing PKI?
Should the solution be fully configurable or turnkey? Are there
policy or regulatory considerations that require your organiza-
tion’s PKI to remain on-premises? Or would you benefit from a
SaaS PKI or fully managed service?
SELF-MANAGED

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 5

 ENTERPRISE PKI
Use cases
Consider the use cases your organization’s PKI will need to
support today, and, more importantly, into the future. In most
cases, PKI supports dozens of different use cases and technol-
ogies across the organization. Consult with the various teams
that rely on PKI (e.g., IT, development, product, infrastructure,
SINGLE-USE PKI security, etc.) to ensure you have the full scope of all required
use cases.

MILLIONS
Scale
Another consideration is the scale and growth of your business
operations. This is where capabilities such as high availability,
active-active architecture, and auto-scaling become import-
ant. For instance, DevOps teams typically require high-volume
issuance and short-lived certificates. Not every PKI solution
THOUSANDS is able to support the volume and velocity of issuance in these
environments.

HIGH ASSURANCE
Trust & compliance
Perhaps the most important consideration is the level of assur-
ance behind your organization’s PKI. Depending on your industry,
corporate IT policy, and regulatory mandates, your organization’s
PKI will need to comply with certain standards. Be sure that the
PKI solution and vendor you select will help you meet these
LOW ASSURANCE requirements.

FULL AUTOMATION
Certificate management
It’s one thing to issue certificates — it’s another to manage them.
To avoid outages and security risks caused by untracked or
unmanaged certificates, consider the tools you’ll need to discover,
inventory, and manage them at scale. Some providers offer PKI
with full certificate lifecycle automation. Others require bolt-on
PROTOCOL-BASED solutions from other vendors.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 6

02

Understand PKI is one of the most critical components in any security strategy.
Unfortunately, those responsible for deploying and managing PKI
the PKI face an increasingly complex landscape of CAs and PKI tools —

landscape
all with features that sound identical at the surface level. With
so many options, choosing the right PKI solution is anything but
straightforward.
Know your options and
the key differences

Software / Hardware PKI

Software and hardware-based solutions allow organizations to
deploy PKI within their data center, in the cloud, or in a manufac-
turing environment. These are more than just a CA; they should
include all PKI components in one platform.

SaaS PKI / PKI as-a-Service

SaaS-delivered PKI or PKI as-a-Service solutions deliver all
the functionality of an enterprise PKI hosted and delivered by a
third-party provider. These solutions differ greatly in architecture,
deployment models, and the level of control you retain over the
PKI.

Active Directory (AD)

Microsoft Active Directory Certificate Services (AD CS) is a
utility bundled with Windows Server. Once the de facto choice
for enterprise PKI, AD CS has since become a less-than-ideal
solution for modern multi-OS, multi-cloud environments.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 7

 Built-in Issuers
Certificate issuance capabilities built into secrets managers and
container orchestration tools can support some DevOps and
CI/CD use cases, but typically lack the policy, governance, and
extensibility that security teams require for an enterprise PKI.

Public CAs
Publicly trusted CAs, also known as SSL/TLS certificate provid-
ers, issue certificates trusted by operating systems, browsers,
and applications. These are required for public-facing web servers
and code signing but shouldn’t be used for internal use cases.

Cloud CAs
Cloud-native CA solutions, such as AWS Private CA and Google
CA Service, are designed to support cloud workloads and services
within their own cloud environment but aren’t well-equipped to
handle on-prem or multi-cloud environments.

If you’re in the market for a PKI solution, chances are you’re not looking
for a traditional PKI. A solution that’s static, difficult to scale, and doesn’t
integrate with modern infrastructure isn’t a solution at all. On the other
hand, you don’t want point solutions either. You need one modern PKI
platform which meets all your use cases and that deploys however and
wherever you need it.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 8

 Keyfactor believes that truly modern PKI must provide the highest
03 level of security and flexibility. A modern PKI platform must be
quick to deploy, flexible enough to work in any ecosystem, simple

Evaluating to configure and manage, effortless to scale on demand, and

capable of meeting even the most stringent security and policy

PKI solutions requirements. That’s a tall order, but not an impossible one.

The 6 critical elements of To achieve both security and flexibility, PKI must include six critical
a modern PKI platform elements. These elements can be used as guidelines when evalu-
ating PKI platform solutions. Some will carry more weight than
others, but all are important to assess and consider.

Core PKI functionality Flexibility

Robust issuance, enrollment, revoca- Architecture and delivery models
tion, and management capabilities to that run however and wherever your
establish trust. business operates.

Extensibility Scalability
Integration to systems and Fast deployment, high availabil-
applications via protocols, APIs, ity, and on-demand issuance at
and pre-built plugins. any scale — large or small.

Certificate Vendor compliance,

management security, and services
CA-agnostic, centralized certifi- A solution backed by proven compli-
cate discovery, governance, and ance, security safeguards, and
lifecycle automation. reliable support.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 9

Core PKI functionality QUICK TIP

Issue, renew, and revoke certificates at scale

Avoid monolithic PKI
Every PKI solution should offer four basic capabilities — enrollment, solutions that require
issuance, revocation, and an audit log of all activities. This seems like additional servers for
a no-brainer, but we all know what it’s like when vendors don’t deliver each CA instance. This
even the basic functionality that we assume should come out of the box. increases costs, slows
deployment time,
To find a solution that delivers what you expect from a and creates more
modern PKI, look for: complexity.

A PKI platform — not just CA software

PKI isn’t just CA software, it’s critical infrastructure, and every deploy-
ment looks different. Find a solution that gives you the flexibility to
architect PKI however and wherever you need it. For instance, you
should be able to spin up a standalone CA (e.g., an offline, air-gapped
root), host multiple issuing CAs on a single installation (multi-tenant), or
segment CAs into connected nodes for improved security or availability.

Self-service enrollment
Not everyone uses APIs and protocols. End users should have an
easy-to-use interface where they can request and obtain compliant
certificates for their applications. Look for solutions that provide a
registration authority (RA) that can be deployed on the same instance
as your CA or proxied to the CA to avoid exposing the CA to the domain.
You should also be able to define roles and access management rules,
as well as approval workflows for enrollment.

Flexible validation services

Checking the status and validity of certificates is an essential function
of any PKI solution. Look for solutions that enable validation using either
Certificate Revocation List (CRL) distribution or real-time OCSP, with
the flexibility to automatically push CRLs to an HTTP server or host it on
the PKI instance itself to avoid the need for additional servers.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 10

 A web-based administrative GUI
PKI admins need a way to configure and manage everything from CAs
and certificate policies to enrollment and access controls. Some PKI
solutions don’t provide an administrative UI while others require an
additional client. Seek solutions with a browser-compliant web UI that
doesn’t require any additional software or licensing.

HSM integration
PKI acts as the root of trust for your organization, and therefore, it must
be safeguarded. Hardware security modules (HSMs) are essential to
protect CA keys against theft or misuse. Ensure the PKI solution you
choose offers flexible support for HSMs via PKCS#11 or REST API,
including hardware- and cloud-based HSM services, such as Azure Key
Vault or AWS CloudHSM.

Audit and transaction logs

Continuous monitoring and audit logs are a must with critical infra-
structure. Be sure that your provider enables comprehensive and
cryptographically signed audit logs for all certificate and configura-
tion-related activities. The bottom line: your PKI solution should make
audits easier, not harder.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 11

Flexibility
Run PKI however and wherever you need

Security needs to run wherever your teams do, without slowing them
53%
of organizations
down. When PKI systems are hard to deploy and administer, people say they don’t have
come up with workarounds or wind up deploying multiple PKI tools to enough staff to de-
solve different use cases — creating more complexity, effort, expense,
ploy and maintain
and risk.
their PKI
The good news is that advancements in PKI and cloud
technologies offer much more flexibility than ever 2023 State of Machine Identity
Management Report
before – so long as you choose a solution that offers:

Flexible delivery models

Every business has different infrastructure, IT policies, and available
skillsets and resources. You’ll want a solution that’s designed specif-
ically for your requirements now, with the flexibility to adapt in the
future. Look for PKI solutions that come in different form factors — as
a container, a virtual appliance, or a turnkey hardware appliance (“PKI
in a box”). Or something cloud-based, whether it’s a cloud instance, a
turnkey SaaS PKI, or a fully managed PKI service.

Modular, scalable architecture

PKI isn’t a monolith, it’s a fabric of critical components - root CAs, issuing
CAs, registration authorities (RAs), and validation authorities (VAs).
Look for solutions that make it easy to deploy these core functions as
modular components that can be securely connected. That way, you
can run your root CA in an offline, air-gapped environment, issuing CAs
behind the firewall, and cluster RAs and VAs in the cloud, for example.
You can even run an RA locally on a factory floor for manufacturers that
need to issue certificates onto devices from birth.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 12

 Support for your preferred QUICK TIP
database or HSM
Some PKI solutions don’t have a built-in database — they may use LDAP. Whether you’re deploy-
Others are limited to the database they’re bundled with. If you choose ing PKI on-premises
to deploy PKI on your own versus as a service, make sure you don’t or in the cloud, look
get locked into a specific OS, database, or HSM. Look for solutions for solutions that are
that offer a built-in database and HSM if you need it, but also integrate
available on Azure,
with external HSMs and databases, including cloud-native databases
in AWS or Azure.
AWS, or Google Cloud.
Vendors that transact
and deploy through cloud
Quantum-ready issuance marketplaces allow you
Support for RSA and ECC algorithms is table stakes. Quantum-resistant to take advantage of
algorithms are being standardized and the time to prepare is now. Like your already-committed
the transition from SHA-1 to SHA-2, the transition to quantum-safe cloud spend for your PKI
cryptography will take time. Be sure that your PKI vendor supports project.
NIST-standardized algorithms so you can begin to test in your lab
environment now and know that you have a clear path to quantum-read-
iness when algorithms are finalized for production use.

Transparent and flexible pricing

Some providers charge per-certificate fees, per-CA fees, or premium
prices for basic PKI features. These providers may market their
solutions as affordable, especially if they’re bundled with other offer-
ings, but add-on costs and fees quickly mount. Ask hard questions about
licensing and packaging. It’s critically important that you have the flexi-
bility to scale up operations without breaking the bank.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 13

Extensibility QUICK TIP

Integrate with DevOps, IoT, and enterprise systems

SSH certificates are
Organizations today leverage PKI to authenticate and encrypt dozens a popular alternative to
of applications across the business — users and devices on the network, password and key-based
web servers and load balancers in the data center, VMs and micros- authentication. However,
ervices in the cloud, and mobile and IoT devices at the edge. It goes many providers don’t
without saying — a modern PKI just doesn’t work without extensibility.
support it out of the
box and instead require
To get the most out of your PKI and to meet all of your a separate product for
use cases now and into the future, the solution should SSH key and certificate
support: management. Avoid
unnecessary costs and
Standard enrollment protocols look for PKI solutions that
support SSH certificates
An ultra-extensible PKI should be built on standards-based, open proto- out of the box at no
cols that enable programmatic enrollment and renewal of certificates at
additional cost.
scale. Be sure that your PKI solution supports a broad range of standard
protocols, including ACME, EST, CMP, and SCEP. Avoid solutions that
require additional licensing or servers for this functionality.

Windows auto-enrollment
Auto-enrollment is still widely used to provision Active Directory-issued
certificates to Windows servers and clients. Look for a solution that can
augment and integrate with AD auto-enrollment environments, as well
as unified endpoint management (UEM) platforms, like Microsoft Intune.

REST API
The solution you want will provide value upfront, will work with both
modern and legacy systems, and will work across multiple siloed
apps. Beyond standards-based protocols, your PKI provider should
offer proprietary APIs that empower teams to integrate with custom
workflows and applications.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 14

 CI/CD and DevOps integrations
Application and operations teams need fast, easy access to short-
lived certificates to support TLS and mTLS, ingress, and code signing
use cases. Look for pre-built and well-documented integrations with
popular secrets managers, container orchestration frameworks, and
service mesh tooling (e.g., via cert-manager). Don’t forget to ask for
documentation, demo videos, and available GitHub repos to ensure the
integrations your teams need are supported.

IoT ecosystem integrations

If you’re manufacturing devices, implementing security by design is
tough. Find a solution that supports on-site issuance locally on the
factory floor or in an OT environment. Ensure that it can integrate with
your manufacturing toolchain and support lightweight enrollment proto-
cols, like EST and EST over CoAP, as well as protocols that allow for
provisioning of birth certificates in greenfield deployments, like CMPv2
with 3GPP.

Multiple certificate formats, including

X.509, SSH, C-ITS, Matter, and others
Today, you may be issuing standard X.509 certificates (SSL/TLS, code
signing, document signing), but as new use cases arise, be sure that
you’ll be able to support shorter-lived certificates and different formats,
such as SSH certificates that serve as a more secure and efficient
alternative to SSH keys. Depending on your industry, you may also need
to support industry standards, like eIDAS and ePassports (ICAO), C-ITS
for automotive, or Matter for Smart Home devices.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 15

Scalability
Enable on-demand issuance and reliable uptime

Gone are the days of one or two CAs behind the four walls of the data
256k
Average number
center. Now PKI is everywhere, and the average organization has more of internally issued
than 250,000 active certificates.* That number can look much different certificates within
for your organization — higher or lower — but there’s no denying that to
organizations
support the business, PKI must be able to scale.

2023 State of Machine Identity

To assess whether a PKI solution will meet your organi- Management Report
zation’s need for scalability, consider:

On-demand provisioning
As new use cases and projects are initiated, the last thing teams want is
to wait weeks for a new certificate or Issuing CA (ICA). Make sure — no
matter which deployment model you choose — you’re able to spin up a
new ICA or issue a new certificate within minutes, not days. Ideally, you
should be able to automate ICA configuration and deployment steps for
scalable, repeatable provisioning.

Horizontal scalability
As the demand for certificates grows, your PKI will need to flex and
scale. Look for solutions that can integrate with your existing database
and HSM solutions, so you can replicate database or HSM instances
and simply cluster PKI instances to load balance the demand. Avoid
solutions that only work with a built-in database or require additional
servers for each new CA, which works at a small scale but will not
support larger deployments.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 16

 High availability
If a CA is down, certificate issuance and revocation grind to a halt.
Worse yet, if a CRL or OCSP endpoint isn’t available, you cannot
validate trust, which can result in widespread downtime and risk. Be
sure the PKI solution you choose meets your expected level of uptime
and availability. If you’re deploying PKI software, you should be able to
cluster CA and revocation nodes. If you’re evaluating SaaS or managed
solutions, ensure they provide guaranteed SLAs for CAs and CRL/
OCSP.

Scalable licensing model

If you’re a mid-size company, you might issue thousands of certificates.
If you’re a global enterprise, you likely issue hundreds of thousands,
if not millions. No matter the case, licensing models should be clear,
transparent, and allow you to start small and scale up without incurring
heavy costs as you grow.

Disaster recovery and restoration

Stuff happens. The question is, what happens next? One of the many
things you want to cover during the PKI design phase is a plan for disas-
ter recovery. Seek solutions that can easily replicate and export PKI
configurations between test, backup, and production environments, so
you can easily restore your environment in the event of a system failure.

Multi-cloud and global availability (SaaS)

If your business operates on a multi-cloud model, avoid point solutions
that require different configurations and create siloes between differ-
ent cloud and on-prem environments. Look for solutions that can serve
as a single PKI platform across a hybrid or multi-cloud model, with the
ability to deploy PKI components in multiple clouds and availability
regions.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 17

Certificate management
Visibility, governance, and automation for certificates
LEARN MORE

If PKI is on one side of the equation, certificate lifecycle management is

on the other. In some cases, you may not need to worry as much about Ready to dive deeper?
lifecycle events like renewal and provisioning; protocols, such as ACME,
SCEP, and EST, may work just fine. Get the guide to evaluate
certificate lifecycle
In many cases, though, you’ll need more than just basic enrollment and management solutions
revocation. Certificate lifecycle management extends PKI to deliver full in the Buyer’s Guide for
visibility, governance, and automation of certificates issued from any Certificate Lifecycle
PKI or CA, whether public or private, cloud or on-prem. Automation.

Download now ↗
To avoid outages or audit failures that result from
untracked certificates, seek vendors that offer fully
integrated PKI and certificate management so you can:

Manage certificates across

any PKI or CA platform
It’s important to simplify and consolidate PKI wherever possible, but
the reality is that most organizations use multiple PKI and CA solutions.
Look for an integrated PKI and certificate management platform that
allows you to centrally inventory and manage certificates from any
public, private, or cloud-based CA. Beware, some providers claim to
be CA-agnostic but only integrate with a very limited set of third-party
CAs.

Find and inventory certificates on the

network, in the cloud, and from your CAs
You can’t track what you can’t see; discovery is the most critical step to
avoiding unexpected outages. Vendors should provide multiple discov-
ery tools that you can deploy across segmented networks and clouds,
including SSL/TLS scanning, real-time synchronization with CAs, and
deep discovery of key and certificate stores that won’t show up on the
network.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 18

 Improve productivity with self-service
and delegated ownership
A registration authority (RA) provides self-service enrollment, but the
buck stops there. Certificate lifecycle management takes it a step
further with a single, centralized interface where admins can enforce
enterprise-wide policies to ensure the use of compliant and approved
CAs, crypto-standards, and trust levels. These solutions should also
provide role-based access controls and built-in approval workflows, so
application owners can make self-service requests and manage certif-
icates on their own.

Automate the full lifecycle of certificates

Certificate lifecycle management goes beyond basic protocols to
automate the renewal, provisioning, and installation of certificates using
an agent-based or agentless model. The vendor should support full
automation for a wide range of integrations, including load balancers,
web servers, cloud services, firewalls, and networking equipment.

Enable crypto-agility
With shorter TLS lifespans, certificate compromises, and quantum
threats on the horizon, you need to be crypto-agile. To stay ahead,
organizations must be able to quickly identify and remediate certifi-
cate-related threats, whether it’s a single certificate or thousands.
Look for solutions that enable bulk revocation and seamless transition
to a new CA without complex, manual processes involved.

Integrate with enterprise systems,

such as ITSM, PAM, and SIEM tools
To get the most out of your investment, PKI and certificate manage-
ment should be tightly integrated with your organization’s cybersecurity
stack. Any solution should integrate with privileged access manage-
ment (PAM) tools, IT service management and workflow engines for
ticketing, and other critical systems via a robust REST API or pre-built
plugins.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 19

Vendor compliance, security,
and services
A trusted and reliable PKI solution provider

Finding the right fit for your organization isn’t all about features and
functionality, especially if you’re evaluating a vendor to host and operate
your organization’s PKI. Look beyond the software; consider their
security posture, software supply chain, and compliance certifications.

To assess the value of any PKI solution, evaluation crite-

ria should also include:

Comprehensive compliance
Remember, PKI is critical infrastructure. Be sure that the CA software
and crypto libraries behind your new PKI solution are compliant with
industry-standard frameworks, which include FIPS and Common Crite-
ria certifications. Also, ensure that built-in logging capabilities are
designed to fulfill audit logging requirements for any audits that may
impact your PKI.

Regular audits and certifications

Beyond the software and technology, it’s just as important to evaluate
whether vendors are regularly audited and certified against industry
standards. Certifications may include SOC 2 Type II, FedRAMP, and
ISO standards for cloud-hosted services, as well as certifications with
industry-specific standards, such as PCI DSS and GDPR.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 20

 Software supply chain transparency For Siemens AG, trust
Transparency is the key to trust. Knowing the software components
is everything. PKI is
that go into your PKI solution gives you trust and confidence that you’re an essential building
making the right investment. Ask vendors for a software bill of materials block to establishing
(SBOM) to get full visibility into any third-party CA services, software, cryptographic trust
and crypto libraries they may use. Ideally, opt for vendors that develop
and operate their own CA software, crypto-libraries, and services to
across a growing
minimize supply chain risks. number of its prod-
ucts and enabling
Secure facilities and processes (SaaS) an enterprise-wide
zero-trust policy.”
If you are trusting a PKI provider to host and maintain your organiza-
tion’s root of trust, it better be secure. Ask hard questions about how
the root is created and where it is hosted, the security measures in Rufus Buschart, Head of PKI,
place to protect access to the root and issuing CAs — both physical and Siemens

virtual — and the processes in place to ensure that it remains secure

throughout its lifecycle.

Reliable service and global support

This may seem obvious, but it’s an important factor when you’re working
with critical infrastructure. Ask questions about the extent of techni-
cal and customer service support — and understand what you’re
really getting for your money. Important factors include 24/7 support,
response times, and available self-service training and documentation.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 21

04 IT and IoT environments are complex, and they will only become
more complex as organizations embrace connectivity to drive
growth and value. To establish trust in these increasingly complex
Deploy your environments, businesses rely on thousands — sometimes millions

PKI, your way, — of digital certificates to authenticate and verify the identity of
devices, workloads, and a growing number of connected things.

with Keyfactor To meet demand, IT and security teams need a new approach to
Deploy fast. Run anywhere. PKI. One that doesn’t add to the complexity, but instead simplifies
infrastructure and streamlines management while scaling with
Scale on-demand.
demand.

That’s where Keyfactor provides unmatched flexibility to deploy PKI however

and wherever your team needs it — whether in the cloud, in the
Keyfactor data center, or at the edge. It’s PKI your way.

comes in. Only Keyfactor delivers an integrated, full-stack solution for

PKI and certificate lifecycle automation that deploys fast, runs
wherever your business does, and integrates with virtually any
use case. It achieves this by helping you:

Deploy your way with the only PKI solution that runs
however and wherever you need it — in the cloud or on-prem,
turnkey or fully configurable, as a software appliance, a
hardware appliance with a built-in HSM, a container, in the
cloud, SaaS-delivered or a fully managed service.

Simplify PKI with a full-stack solution that combines every-

thing you need to run PKI in a single platform — certificate
authorities (CAs), registration authorities (RAs), validation
authorities (VAs), protocols and APIs, an administrative GUI,
audit and transaction logs, and a built-in database.

Meet any use case with a wide range of supported enroll-

ment protocols, certificate formats, algorithms, standards,
SOAP and REST interfaces, as well as a self-service RA
interface for application owners.

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 22

 Scale without limits by running your entire PKI on a single
instance, segmenting CAs and RAs across multiple nodes
to improve security and availability, or cluster nodes for
massive scale.

Maintain compliance with detailed audit and transaction

logs, certifications for Common Criteria, CSfC, SOC 2 Type
II (hosted), and proven deployment in numerous ETSI/eIDAS
and WebTrust-audited environments.

Prevent outages and downtime with integrated lifecycle

management to discover, track, and manage certificates
issued from any public, private, or cloud-based CA, all from
one console.

Improve productivity and operational efficiency by

automating tedious, manual tasks, including certificate
renewal, provisioning, and installation across all of your
organization’s servers, load balancers, cloud workloads,
and more.

Stay agile with the ability to easily re-issue and renew

certificates from a new CA and support for a wide range
of algorithms, including RSA, ECC, and NIST candidate
post-quantum algorithms, to begin testing in your lab
environment.

PKI is an absolute foundational piece to what we’re

building. Without EJBCA, we couldn’t have what we
have. It is a key pillar of the future of our products.”

Jason Slack, Director of Engineering, Truepic

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 23

Next Steps Choosing the right PKI solution has never been more important.
Let your use cases, team skillsets, and risk exposure guide the
Find the right fit for your selection process, and no doubt you’ll find the right fit. Here we’ve
organization today provided tools and resources to help you take the next step.

Learn More Try it out

Discover how Keyfactor can help Ready to get hands-on? Keyfactor
you simplify PKI management, makes PKI and certificate management
reduce complexity, and scale easy and accessible for everyone, with
with the demands of modern IT open-source and trial-based versions
and IoT environments. available in the cloud.

Learn about EJBCA Enterprise (PKI) Try EJBCA on AWS

Learn about Command (CLM) Try EJBCA on Azure

Learn about Command for IoT Download EJBCA Community

Explore resources
Not quite ready to take the next step? No problem. Explore additional resources
to help you build the business case and map your path to success.

PKI Maturity Model ↗ Certificate Management Maturity Model ↗

© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 24

Evaluate Keyfactor
Want to dive deeper in your evaluation?
Schedule a meeting with a Keyfactor expert
to discuss your use case and get a live demo
to see how our solutions can help you.

Speak with an expert ↗

Contact us
Keyfactor brings digital trust to the hyper-connected world with • www.keyfactor.com
identity-first security for every machine and human. By simplifying PKI,
• +1 216 785 2946
automating certificate lifecycle management, and securing every device,
(North America)
workload, and thing, Keyfactor helps organizations move fast to estab-
lish digital trust at scale — and then maintain it. In a zero-trust world, • +46 8 735 61 01
every machine needs an identity and every identity must be managed. (Europe)

For more, visit keyfactor.com or follow @keyfactor.