private CA (private PKI)
What is a private CA?
A private CA is an enterprise-specific certificate authority that functions like a publicly trusted CA. With a private CA, an enterprise creates its own internal root certificate that can issue other private certificates for internal servers and users.
Certificates issued by private CAs are not publicly trusted and should not be used outside of their enterprise's trusted members and infrastructure. A private CA is also known as private public key infrastructure (private PKI) or internal certificate authority.
Common uses of private CAs include:
- Intranet sites.
- Virtual private network (VPN) or wireless authentication.
- Device identification.
- Internet of things (IoT) projects.
An additional use of private CAs is securing communications between internal services and interoperable communications for third parties, including containerized or application program interface (API)-connected cloud environments.
Using private CAs for nonpublic endpoints
A CA vouches for the identity of every machine, user or code process in the infrastructure. Without this strong identity, attacks are possible, including man-in-the-middle (MitM) software programs that can steal information or issue false commands. This potentially results in data loss, security breaches or theft of funds.
In the case of public trust mechanisms, such as certificates used to secure web traffic, email and distributed code, issued certificates follow a cryptographic chain up to public CAs. In the case of a private CA, the enterprise sets itself up as the ultimate source of truth on which devices, users or processes are trusted inside the network.
In the past, enterprises commonly used the Microsoft CA tool for Windows machines or anything in the Microsoft technology stack. Microsoft CA was free and integrated with Active Directory (AD), so it was well-suited for these uses. In recent years, trends like mobile device support, including bring your own device (BYOD), IoT, cloud and DevOps, have forced the use of non-Microsoft OSes at large scale for business-related applications. These architectures require the adoption of other private CAs, including aftermarket private CA applications from IT security vendors.
The need for certificates controlled within the enterprise continues to grow. Many use cases are not appropriate for publicly trusted certificates, so enterprises must issue certificates from their own trust structure for these circumstances. Commercial private CAs can help enterprises reduce risk and aid compliance by following PKI, cryptography and IT security best practices, such as tracking and automating the renewal of deployed certificates. Private CA use can also increase the speed to market and agility by enabling administrators to manage certificates and practices rather than creating their own PKI from scratch. This frees up employees for other tasks because many administrative tasks for internal certificates can be automated.
Containers, multi-cloud, IoT and other contemporary computing architectures are greatly increasing the number of certificates required, which in many cases reduces the lifespan of the average certificate. In these architectures, automation is a requirement for certificate deployment and management. Failure to implement strong identity practices for internal systems creates a risk for data theft or other catastrophic breaches.
Editor's note: The article was written by Jason Soroko in 2019. TechTarget editors revised it in 2023 to improve the reader experience.
