The following sections introduce some of the most interesting solution areas and cover what you need to set up, what to check and how to get your PKI up to a world-class standard.

Issuing TLS Certificates

Issuing TLS certificates is a common use case including both public providers of TLS certificates and enterprise PKIs needing to provision TLS server certificates internally. In this solution, you strive for short-lived certificates and as much automation as possible and have high requirements on OCSP and CRL generation.

Since this public key infrastructure (PKI) is going to be exposed to the internet, domain security is of dire importance. EJBCA allows outward-facing nodes (Registration Authorities (RAs) and Validation Authorities (VAs)) to not only be connected to the certificate authority (CA) through mutual TLS but also with the CA behind a one-way firewall. Multitenancy support allows all your sub-organizations and divisions to share the same PKI infrastructure with extensive domain security in place to ensure that security silos are kept intact. For more information on how to set all this up with EJBCA, see Issuing TLS Certificates.

Securing Your Microsoft Environment with EJBCA

The Microsoft platform is one of the most prominent Enterprise environments globally, serving both servers and workstations. But while the Microsoft ecosystem is truly as mature as it is ubiquitous, Microsoft's own PKI, Microsoft Active Directory Certificate Services (AD CS), does not always grow in scale with your solution. You can solve that by leveraging EJBCA as the PKI backend instead of the Microsoft Certificate Authority (CA). Not only do you gain the power of one of the worlds best PKI tools in your environment, but you can save both cost and work by having a single EJBCA instance handle the entire PKI of your organization across all forests, domains, and trees, instead of having to maintain a separate Microsoft CA per domain.

With EJBCA's Auto-enrollment functionality your clients' user experience does not change, while your administrators will be overjoyed. Employing EJBCA as the CA backend for your Microsoft environment eliminates the need for a Microsoft CA and Microsoft Certificate Services. To learn how EJBCA integrates into your infrastructure via Microsoft Auto-enrollment and support for Intune and HSMs, see Securing Your Microsoft Environment with EJBCA.

IoT and Device Identities

Whether you're producing radio base stations (eNodeBs) or security gateways for telecom solutions, the latest Internet of things (IoT) devices, or connected cars - if your device communicates via the internet and especially if it is produced by an outside supplier, you are going to want to use PKI to secure communications, ensure the identity of your devices and make sure that only your devices can connect to your network. Your issuance is likely going to be completely automated and fortunately, EJBCA provides support for nearly all enrollment protocols. To find out which setup fits your needs the best, see IoT and Device Identities.

Go Big! Using EJBCA as a Large-scale Enterprise PKI

Are your certificates counted not by thousands but by the millions? EJBCA is built for scale. Through some tweaks and configurations, EJBCA's issuance and OCSP response volumes can handle PKI on a global scale. If your PKI requires world-class performance, then EJBCA is your choice.

If your problem is scale and your current PKI solution is not be able to handle the volumes and throughput of your needs, see Using EJBCA as a Large-scale Enterprise PKI to find out how EJBCA can be tuned to handle even the world's biggest PKIs. 

Issuing eID Certificates and Signing ePassports

PrimeKey has over 20 years of experience in issuing certificates for tokens and cards for both X509 and Card Verifiable Certificates (CVC), and EJBCA PKI together with PrimeKey's SignServer form the technology base of many passport authorities worldwide.

EJBCA implements several PKI services that can be included in an ePassport PKI solution, such as Country Signing Certificate Authority (CSCA), Card Verifiable Certificate (CVC) CA, and Document Verifier CA (DVCA). To find out more and how to set these up, see Issuing eID Certificates and Signing ePassports.

PKI and Signature Services for Microservices and DevOps Environments

Microservices as an architectural approach to software development are based on building an application as a collection of small services, typically orchestrated by an automated system. Adoption of microservices is related to the use of DevOps, continuous integration and continuous delivery (CI/CD), and containers. 

One aspect of microservices is deploying and managing large numbers of services. These lightweight servers create the need to automate the configuration of servers and applications, including the security keys and credentials needed. It is not only about running the PKI products in a DevOps environment but also about managing (non-PKI) applications in a DevOps environment securely, providing applications with certificates, digital signatures, and credentials as services are created and destroyed. To find out more, see PKI and Signature Services for Microservices and DevOps Environments.

Deploying PKI and Signature Services in DevOps Environments

When deploying a PKI, whether it is a single centralized PKI, multiple distributed PKIs, or perhaps short-lived PKIs for specific purposes, it is suitable to do so using the same tools and processes used for the rest of your environment. Two common tools used are Ansible and Kubernetes, and EJBCA plays well with both.

To learn more about how to deploy your PKI as VMs or containers and use Ansible to automate PKI deployment and configuration, see Deploying PKI and Signature Services in DevOps Environments.

Hybrid PKI Deployment for Modern Manufacturers

The demand for PKI consolidation is apparent when seeking PKI governance in a multi-PKI environment. But as the necessity for PKI services expands over new use cases and compliance and availability requirements, there will always be a need for PKI silos. Thus, you need to standardize and streamline policy and operations across multiple silos to regain governance and minimize maintenance and risks.

To maintain central PKI governance and uphold control and security policy across the whole organization, it is key to consolidate PKIs and HSM usage when possible and automate the installation and configuration of PKI deployments. To find out more about how a flexible implementation of PKI can support both silos and centralized models or deployments, see Hybrid PKI Deployment for Modern Manufacturers.

PKI for 3GPP

Using the Certificate Management Protocol (CMP) together with the 3rd Generation Partnership Project (3GPP) technical specification allows a device to automatically provision itself with a device certificate without the vendor being required to expose their full PKI to the manufacturer. 

A typical use case is an IoT device vendor, whose devices are manufactured by a second party, and the vendor requires the devices to be enrolled to their PKI. The vendor may wish to prohibit the manufacturer from producing their own pirated devices that connect to the vendor's PKI, or is simply unwilling to expose their PKI directly to the manufacturer to enroll the devices on site. To learn more about the CMP 3GPP standard and enrollment using device certificates through CMP with 3GPP, see PKI for 3GPP.