private CA (private PKI)

A private CA (private certification authority) is an enterprise-specific certification authority that functions like a publicly trusted CA. Essentially, an enterprise creates its own private root certificate, which can then issue other private certificates for internal servers and users. Certificates issued by a private CA are not publicly trusted and should not be used outside of the enterprise's trusted members and infrastructure. A private CA is also known as a private public key infrastructure (private PKI) or an internal certificate authority.

Common uses of private CAs include:

Using private CAs for non-public endpoints

A certificate authority ultimately vouches for the identity of every machine, user or code process in the infrastructure. Without this kind of strong identity, man-in-the-middle (MitM) attacks become possible: software positioned between two parties can steal information or issue false commands, with consequences that include data loss, security breaches and theft of funds. In the case of public trust mechanisms, such as certificates used to secure web traffic, email and distributed code, issued certificates follow a cryptographic chain up to a public CA. In the case of a private CA, the enterprise sets itself up as the ultimate source of truth on which devices, users or processes are trusted inside the network.

In the past, enterprises commonly used the Microsoft CA tool for Windows machines or anything in the Microsoft technology stack. Microsoft CA was free and integrated with Active Directory (AD), so it was well suited for much of this use. In recent years, trends such as mobile device support, including bring your own device (BYOD), the internet of things (IoT), cloud and DevOps have forced the use of non-Microsoft operating systems at large scale for business-related applications. These architectures have required the adoption of other private CA offerings, including aftermarket private CA applications from IT security vendors.

The need for certificates controlled within the enterprise is growing. Many of the use cases are not appropriate for publicly trusted certificates, so enterprises must issue certificates from their own trust structure for these circumstances. A commercial private CA offering can help an enterprise reduce risk and aid compliance by following the best practices of public key infrastructure (PKI), cryptography and information technology (IT) security, including tracking and automating the renewal of deployed certificates. The use of a private CA product can also shorten time to market and increase agility by letting network administrators manage certificates and policies rather than building their own PKI from scratch. This, in turn, frees employee time for other tasks, because the majority of administrative tasks for internal certificates can be automated.

Many of the architectures driving the increased use of certificates are still in their early days. Containers, multi-cloud, IoT and other contemporary computing architectures are greatly increasing the number of certificates required, which in many cases is reducing the lifespan of the average certificate accordingly. In these architectures, automation is a requirement for certificate deployment and management. Failure to implement strong identity practices for internal systems creates a risk of data theft or other catastrophic breaches.

This was last updated in May 2019
