"Looking for anyone that has done a cost benefit analysis, or just general consideration, of using a Public CA vs. a Private CA for a PKI deployment. Some vendors are becoming very competitive in this space and the arguments are all one-sided. So aside from cost, I’m looking for potential pitfalls using a public CA might create down the road."

My reply:

My previous assignment started out with building a PKI from scratch. I’d never done this before, so the customer took a gamble on me. I’m very grateful that they did, I learned a huge amount of cool stuff and the final setup turned out pretty nicely! I’ll try and tackle this in four categories.

UPSIDES OF PRIVATE PKI

You can run isolated from the world, you are fully self-reliant.
Certificates are “free”, you can makes thousands of certificates without paying someone a penny.
Very direct and short lines of communications, everything stays inside your company.

UPSIDES OF PUBLIC PKI

Managed services, you don’t have to worry about almost anything.

DOWNSIDES OF PRIVATE PKI

TCO, “One does not simply fire up a CA!”
Designing, building and managing a PKI is specialized work, your team will need training.
Designing, building and managing a PKI is more than just technology! You have to define processes and policies.
It’s very easy to make mistakes with long-term effects (ref. Mark Cooper’s "Top 10/20 PKI mistakes" presentation).

DOWNSIDES OF PUBLIC PKI

Costs, you pay per certificate.
Privacy, “certificate transparency” tells the whole world about the certificates issued to you.
Privacy, OCSP certificate validation sends traffic to the external OCSP validation hosts, giving information about your internal data flows.

If your infrastructure needs to be cut off from the outside world, you will HAVE to run your own, private PKI.

I’ve recently presented on the basics of PKI and on building your own PKI, be it for fun, for testing or production use. The most important take-away was: “If you’re going to do it, do it right!”. You do NOT simply fire up a Linux box with OpenSSL, or a single instance Windows Server box with ADCS and that’s that. If you’re going to do it right, you will define policy documents, processes and work instructions that are to be strictly followed, you’ll consider HA and DR and you’ll include HSMs (Hardware Security Modules). The latter are awesomely cool tech to work with, but they can get pricy depending on your wants and needs.

Remember: PKI might be cool tech, but the point of it all is TRUST. And if trust is damaged, your whole infrastructure can go tits-up.

kilala.nl tags: pki, work, sysadmin,

View or add comments (curr. 0)

All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.

Kilala.nl - Personal website of Tess Sluijter

About me

Blog archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

> Weblog

> Sysadmin articles

> Maths teaching

PKI: using a private versus a public ca