The Public Key Infrastructure (PKI) market is full of effective vendors offering powerful solutions for a variety of organizational needs. But with so many different capabilities and specialties, it can be difficult to determine which PKI is the best fit.
We have taken time to compile many of the most reputable vendors and categorize them based on their most effective deployment solution. While every PKI vendor provides an effective solution, some may provide a solution better tailored to your organization.
PKI For Developers
Red Hat provides a full-service operational PKI that integrates with major 3rd party APIs. Their API management software is able to integrate technologies and applications across all platforms and cloud environments. The many functions your APIs provide will seamlessly transition to the working PKI.
The Certificate System from Red Hat provides a functional method of managing the certificate lifecycle for your organization. A developer can customize the type of enrollment, the authentication, and the certificate profiles associated with the certificates that are distributed. There are multiple avenues for enrollment and a provided method for renewing certificates. Additionally, Red Hat supports both Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) for certificate revocation, so that revoked certificates presented for authentication are reliably rejected.
To manage the many moving parts associated with a certificate-driven network, the Red Hat Directory Server offers a server that centralizes the management of users. It is an open source LDAP-compliant server that centralizes user profiles, group data, network policies, access control information, and various application settings. But the entire Red Hat experience encompassed within all these various tools and applications can be complex. Many organizations find that they need a team of crypto experts with previous Red Hat experience to implement their PKI and use it to its fullest capabilities.
Amazon Web Services (AWS)
AWS PKI offerings revolve around two different products: AWS Certificate Manager (ACM) and AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM provides a means for developers to generate, issue, and manage public and private certificates with AWS-based websites and applications. The certificates provided can be used to authenticate the identity of multiple internal entities and can be configured to secure multiple domain names.
ACM PCA provides a managed private certificate authority (CA) which can be used to manage your CA infrastructure and private certificates. It provides security, configuration services, and monitoring of your private certificates. The certificates it issues can securely authenticate users, web servers, VPNs, API endpoints, and IoT devices.
One downside to AWS is that Private CAs are only available in one region, US West (Oregon). This would require organizations to set up a backup CA somewhere on-premise or acquire one from another CA provider (we have provided this for customers in this exact scenario).
ACM and ACM PCA combined provide a single console interface to manage, monitor, and create reports on the status of all certificates issued from the CA. Developers are able to assign detailed permissions and segment access across the network using tools provided by AWS.
Website/Server SSL Generation
Digicert is able to offer different types of SSL certificates to accommodate any organizational structure and fulfill its specific needs. They provide a detailed configuration for every platform/OS combination to equip the organization with the visibility and security benefits it expects, and they accommodate a range of encryption bit lengths based on what the specific browser requires.
To monitor and track their certificates, Digicert developed the CT Log Monitoring service. Since it is a cloud-based software service, there is no infrastructure to set up or maintain over time. Network admins are able to monitor the public Certificate Transparency (CT) logs in which issued SSL certificates are recorded. The cloud service reduces the time spent monitoring certificate logs by providing email alerts for newly issued SSL certificates.
The SSL certificates provided by Global Sign are compatible with all major browsers and devices, providing excellent security without compromising the user experience. They provide several different SSL certificates, but we will focus on two: IntranetSSL and CloudSSL.
IntranetSSL secures internal servers, applications, and IP addresses that are not public facing. They allow for configurations and customizations not allowed on public certificates. CloudSSL is a distribution service for cloud-based service providers to easily and efficiently provision SSL certificates. Because of the ease of this lightweight solution, it is scalable for long-term provisioning for the organization.
The management software provided by Global Sign allows network admins to monitor and analyze all internal and public certificates in one place. It is a single place to control the certificate lifecycle from issuance to expiration, and certificates that are not in compliance with enterprise policies are quickly detected and remediated.
Personal Website SSL Generation
Certbot is an open-source software tool for obtaining and installing certificates on private websites to enable HTTPS. It generates the private key on your own servers, and that key is managed over time by the certificate owner. The website can be provisioned with a certificate easily and requires no downtime for your web server to be equipped. The Certbot website provides detailed information on managing the entire certificate lifecycle, as well as information on the many supported platforms and operating systems.
Let’s Encrypt / Bitnami HTTPS Configuration Tool
If you’re hosting a website on an AWS EC2 instance, Bitnami provides the tools for users to self-configure their personal websites with SSL certificates signed by Let’s Encrypt. The Bitnami HTTPS Configuration Tool comes with a comprehensive guide to provisioning certificates on a huge number of operating systems and platforms. Their management software also provides the tools to manage the certificates throughout their lifecycle, and to easily renew or replace them when they reach their expiration date.
Really Simple SSL
If you have a WordPress website, Really Simple SSL is one of the most popular and easiest ways to get your website set up for HTTPS. It does require you to generate your own certificate, but that’s pretty easy. This might be the most popular tool on the list, as it has over 4 million installs.
Wi-Fi, VPN, Web Applications
Active Directory Certificate Services (AD CS)
Microsoft’s AD CS PKI solution provides a platform to build and implement a PKI that works natively only with Group Policy (GPO) to deploy certificates on AD-managed devices. It requires onboarding software to provision the managed devices, but currently has no solution available for BYOD devices. Additionally, the solution is not compatible with macOS devices.
Despite all of this, AD CS is still used in a lot of environments today. This is mostly due to it being easily available and organizations relying on legacy Microsoft infrastructure (NPS, AD, GPO) that AD CS is compatible with. AD CS is starting to lose popularity however, as it’s designed to be used on-premise and more organizations are moving to the cloud.
AD CS provides several tools to create an efficient system for certificate provisioning and management. The Auto-Enrollment Policy for AD-managed devices allows admins to renew certificates before expiration, and the Network Device Enrollment Service (NDES) is designed to limit the need for passwords during certificate enrollment. It’s effective if you have all-Windows computer labs or servers. While AD CS provides many tools to create an efficient certificate experience, it requires a full team to manage, a lot of training, and expertise to deploy the on-premise solution.
PrimeKey provides a turnkey PKI Appliance and cloud PKI for efficient distribution and management of certificates for a number of authentication purposes. EJBCA Enterprise issues certificates to network users, infrastructure components, and IoT devices for secure authentication. It provides detailed, signed audit and transaction logs, role-based authorization, and extensive support for hardware security modules. And to revoke certificates, PrimeKey supports the use of CRLs or OCSP based on the needs of the organization.
There are three flexible deployment packages provided by PrimeKey: Software Appliance, Hardware Appliance, and EJBCA Cloud and SignServer Cloud. Software Appliance is a PKI solution deployed in your data centers and uses native resources to set up an HSM-secured PKI. Hardware Appliance is a turnkey solution that includes all the required software and hardware to deploy an on-premise PKI. And EJBCA Cloud and SignServer Cloud is a PKI and signing solution in the cloud that needs no hardware and provides required software on a Public Cloud like Azure or AWS. In addition, hybrid solutions can be created to enable cloud functions, on-premise software, and hardware deployments.
While PrimeKey’s PKI solution is an excellent certificate management tool, it does not provide onboarding software for efficiently distributing certificates to devices. The certificates are secure and authentication is protected by server certificate validation, but it requires manual configuration by either end users or IT staff, neither of which is an efficient solution.
SecureW2 provides a turnkey Managed PKI solution that provides everything needed for certificate-hardened security. Our powerful HSM protects the PKI and ensures that every certificate issued by us can be trusted. The cloud-based solution easily integrates with network infrastructure from every major vendor and does not require forklift upgrades.
The management software is everything you need to manage an Enterprise PKI from the cloud. Network admins can identify users and their devices, easily manage and segment network access, and view security reports. They can create custom certificate templates and identity-driven issuance policies to control who has access to what within the network. Also, Base and Delta CRLs are automatically created for each CA so you can easily revoke certificates and control who has network access.
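Two passages on this page turn on revocation: Red Hat's CRL/OCSP support described earlier, and the Base and Delta CRLs that are generated for each CA here. The block below is an added, constructed example using the Python `cryptography` library; it is not code from Red Hat, SecureW2 or any other vendor named on this page. It builds a throwaway CA, issues a few client certificates, publishes a base CRL and then a delta CRL, and shows the relying-party logic that merges the two before deciding whether to accept a certificate for authentication. The CA name, the subject names and the "lost laptop" scenario are made up for the demonstration.

```python
"""Base + delta CRL revocation check (constructed example, not vendor code)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def make_ca(common_name="Example Issuing CA"):
    """Self-signed ECDSA CA used only for this demonstration (hypothetical name)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """Issue an end-entity certificate (the kind a user or device would present)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, crl_number, revoked_serials, base_number=None):
    """Sign a CRL. When base_number is given the CRL is a delta CRL: it carries a
    DeltaCRLIndicator and lists only revocations added since that base CRL."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + DAY)
               .add_extension(x509.CRLNumber(crl_number), critical=False))
    if base_number is not None:
        builder = builder.add_extension(x509.DeltaCRLIndicator(base_number), critical=True)
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revoked_serials(ca_cert, base_crl, delta_crl=None):
    """Merge a base CRL with an optional delta CRL. Both signatures are checked, and
    the delta is only applied if its BaseCRLNumber is not newer than the base we hold.
    (removeFromCRL entries, which un-revoke a 'hold', are not handled here.)"""
    pub = ca_cert.public_key()
    if not base_crl.is_signature_valid(pub):
        raise ValueError("base CRL signature invalid")
    serials = {r.serial_number for r in base_crl}
    if delta_crl is not None:
        if not delta_crl.is_signature_valid(pub):
            raise ValueError("delta CRL signature invalid")
        wanted = delta_crl.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value
        have = base_crl.extensions.get_extension_for_class(x509.CRLNumber).value
        if have.crl_number < wanted.crl_number:
            raise ValueError("delta CRL requires a newer base CRL than the one held")
        serials |= {r.serial_number for r in delta_crl}
    return serials


def _not_after(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only naive ones
    value = getattr(cert, "not_valid_after_utc", None)
    return value if value is not None else cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)


def accept_for_authentication(cert, ca_cert, base_crl, delta_crl=None):
    """Relying-party decision: must chain to our CA, be unexpired and not revoked."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not chain to trusted CA"
    if cert.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    if _not_after(cert) < NOW:
        return False, "expired"
    if cert.serial_number in revoked_serials(ca_cert, base_crl, delta_crl):
        return False, "revoked"
    return True, "ok"


def demo():
    """Constructed scenario: one cert revoked in the base CRL, one more in the delta."""
    ca_key, ca_cert = make_ca()
    alice = issue_leaf(ca_key, ca_cert, "alice@example.test")       # hypothetical user
    bob = issue_leaf(ca_key, ca_cert, "bob@example.test")           # hypothetical user
    laptop = issue_leaf(ca_key, ca_cert, "lost-laptop.example.test")  # hypothetical device
    rogue_key, rogue_ca = make_ca("Example Issuing CA")   # same name, different key
    impostor = issue_leaf(rogue_key, rogue_ca, "alice@example.test")
    base_crl = build_crl(ca_key, ca_cert, 1, [laptop.serial_number])
    delta_crl = build_crl(ca_key, ca_cert, 2, [bob.serial_number], base_number=1)
    return {
        "alice": accept_for_authentication(alice, ca_cert, base_crl, delta_crl)[0],
        "bob_stale_base_only": accept_for_authentication(bob, ca_cert, base_crl)[0],
        "bob_with_delta": accept_for_authentication(bob, ca_cert, base_crl, delta_crl)[0],
        "lost_laptop": accept_for_authentication(laptop, ca_cert, base_crl, delta_crl)[0],
        "impostor": accept_for_authentication(impostor, ca_cert, base_crl, delta_crl)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `bob_stale_base_only` entry is the point of delta CRLs: a relying party that fetched only the base CRL still accepts Bob's certificate after it was revoked, while one that also applies the delta rejects it. The impostor certificate is rejected on signature before revocation is even consulted, which is why chain validation must come first.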
SecureW2 is also the only vendor in the industry that provides simple and secure solutions for getting certificates on devices. The SecureW2 self-service onboarding solution works with every major OS and BYOD device vendor, so no network user will be without a certificate.
The JoinNow onboarding solution provides an incredibly easy and efficient client for provisioning devices with certificates. Users need only complete a few steps, and in minutes they are correctly configured for EAP-TLS authentication. And for managed devices, our SCEP and WSTEP Gateways can easily integrate with any MDM in the industry, or be used with our IoT Platform, to distribute certificates with no end user interaction required.
Email Encryption and Verification
Secure/Multipurpose Internet Mail Extensions, or S/MIME, is an IETF standard for public-key encryption and digital signing of MIME data. It uses a PKI to enroll an email client for certificates, and then uses those certificates for authentication and encryption of email messages. Some organizational PKIs that can support S/MIME include:
- Global Sign
The capabilities and strengths of the various PKIs demonstrate that the vendor decision is incredibly complex and should be thoroughly researched before a final choice is made. Each vendor provides a different solution, so it’s important to research your own organization and fully understand the needs you will face when working with certificates. Check out SecureW2’s pricing page to see if our comprehensive PKI solution is the correct fit for your organization.