Recently I was engaged with a customer who decided to source certificates from a service provider rather than build a PKI. In this case the customer was limited in resources and an evaluation of build vs. buy showed this to be the correct approach in the near term.
While looking at the various offerings in the PKI Managed Service Offerings (MSO) space a key concern and issue came to light.
Who owns the private keys of the key pairs when they are obtained from a service?
In most cases, a customer is licensing “use” of the keys and certificates and not the actual key and certificates themselves. While at face value that might seem benign and inconsequential, consider the fact that if you do not own the key material, you might be encrypting data and signing documents with something you don’t own and have no longer term rights to use.
This could prove extremely important where an industry is governed by data retention rules such as financial institutions or health care as examples.
Let’s first look at the typical types of managed PKI services:
Service provider branded Certificates
Certificates sources from this type of service typically have the vendor’s information throughout the certificate, specifically in the naming of the certificate, the CDP locations, etc.
Customer branded Certificates
In this type of service offering, certificates are typically “branded” to the customer and they often look like they have been issued from the customer’s PKI however, they are usually issued off a shared infrastructure or at least a portion of a shared infrastructure.
Customer specific Certificates
In these types of services, the certificates are issued to the customer from a dedicated infrastructure including dedicated Root CAs, HSMs, OCSP servers, CRL servers, etc. However, the service provider provides all the maintenance, management and support related to the PKI. As a result, the certificates are specific to the customer and can be configured as required for the customer’s needs.
Let’s assume (for arguments sake) you need to retain copies of emails for 7 years and use S/MIME to encrypt some or all emails and you issue certificates for 3 years and the certificates are valid for 2 years.
First, you need to consider the end date with the PKI Service to be 2 years from the date of the last certificate. So the relationship is 5 years at this point. But you need access to the keys for 7 years to meet data retention requirements so the relationship is actually 12 years.
Let’s assume you are paying $250,000 for unlimited certificates and a “maintenance“ fees to allow access to the keys, CRLs and OCSP responders is 25% of the fee for the remaining 9 years.
Over the course of the 12 years that is $1,312,500 and you are likely still issuing certificates from somewhere else during the 9 years. That cost is not factored in.
Some important questions should be asked of the MSO PKI provider:
- Can the solution be moved in house in future? If so what is the anticipated cost and technical complexity.
- Are there elements of the service that could not be moved? What is shared in the infrastructure?
- Can I use my own URLS for CRLs.
- Can private keys for Encryption be escrowed at my site?
Needless to say this is not a complete list of questions but these questions are often overlooked and not asking them could lead to unexpected surprises. If the MSO can demonstrate a path that would allow you to bring the solution in house, it greatly reduces your dependency on the vendor and the overall risk to your organization.
When considering an MSO for your PKI, ask the tough questions. Think in terms of having to move to the PKI at some point in the future. Pay close attention to what you are licensing and what the actual cost is over the lifetime of the service and the particular needs of your organization.