Private PKI Certificate Issuance

Do you use expensive public certificates for internal purposes? Then KeyTalk’s internal CA can be used to achieve significant cost savings.

With KeyTalk, the use of expensive public certificates for internal purposes is a thing of the past. You can also say goodbye to the limited functionality of, for example, Microsoft CS and other private CAs.

With KeyTalk’s internal CA, you can generate free (!) private certificates for internal use. Examples are S/MIME or VPN authentication certificates for users and SSL/TLS authentication certificates for servers and network devices, even when this involves hundreds of thousands of certificates per year. This results in considerable cost savings compared to expensive public certificates.

Private Certificate Issuance in practice

KeyTalk’s private Certificate Authority (CA) can issue certificates to any end-point that can contact the KeyTalk server. Unlike Microsoft’s Certificate Server, this is not tied to the network domain.

The private CA can issue certificates for people, PCs and laptops, servers, network equipment and IoT devices. So you are not limited to one certificate template: you can create thousands of them, each for its specific purpose.

Certificates can be issued (semi-)manually via a delegated admin or a Mobile Device Management (MDM) system, or automatically via the KeyTalk clients. If required, certificate issuing protocols such as ACME, SCEP and CMPv2 are supported.

By default, the KeyTalk CKMS creates the Certificate Signing Request (CSR) itself and ensures sufficient key entropy. If a (delegated) admin prefers, CSRs can also be generated on the end-point or offline and (semi-)automatically imported. The CSR is signed by the KeyTalk Private CA, resulting in a PEM, P12, DER or P7B file that can be used on the end-point.

In addition, with the KeyTalk Private CA the KeyTalk Clients ensure that certificates are requested, installed and activated fully automatically, without end-point downtime, within the limitations of the OS and the higher-level target application.

KeyTalk’s Private CA can issue both classic long-lived certificates and short-lived (temporary) certificates. The minimum validity is 1 second; the maximum validity is several years, capped by the validity of the Signing CA.

Technical details

In order to issue private certificates, you need a CA that is unique to the organization. The KeyTalk private CA hierarchy can be generated under an existing root or under its own (self-signed) root. In addition, we offer:

The end-point certificates are issued under the Signing CA, where the admin can create multiple certificate templates (services) with different configurations for Key Usage (KU), Extended Key Usage (EKU), Object Identifiers (OIDs), default subject, CRL/CDP/OCSP/AIA, default lifetime, etc.

The certificates of the Root/Primary/Signing/Communication CAs and their private keys can, of course, be generated on a local or cloud HSM, on a single slot/partition or divided over multiple slots/partitions.

If there is no need for an HSM from a compliance point of view, or if the budget does not allow one, the KeyTalk private CA can also store the private keys locally. This is an inexpensive and fully functional alternative.

The default settings of KeyTalk’s certificate templates can be overridden by unique data linked to the Registration Authority (RA). The RA is often, for example, the KeyTalk internal database, an LDAP directory, Active Directory or a MySQL database. Through certificate attribute mapping, you can easily place unique data belonging to a specific end-point into the issued certificate. For example, the Subject Alternative Name (SAN) is often derived from the RA, but so can the KU, EKU, CN and much more.
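As an added illustration of the flow described above (constructed example, not KeyTalk’s own code), the following script builds a Root CA and a subordinate Signing CA with the openssl CLI, defines two certificate templates that fix KU and EKU, and fills the CN and SAN from simulated RA records; all names, addresses and lifetimes are made up. Lifetimes use openssl’s `-days`, so the one-second validity mentioned above is not reproduced here.

```shell
#!/bin/sh
# Constructed example (not KeyTalk's code): a two-tier private CA, Root -> Signing CA,
# issuing end-entity certificates from a "template" (KU/EKU) while the subject and SAN
# come from a simulated RA record. Requires the openssl CLI; all names are hypothetical.
set -e
WORK=$(mktemp -d)

# Root CA: self-signed; in practice its key lives offline or in an HSM.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Private Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# Signing CA: subordinate to the root; pathlen:0 means it cannot create further CAs.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Signing CA" \
  -keyout "$WORK/sign.key" -out "$WORK/sign.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/sign.ext"
openssl x509 -req -in "$WORK/sign.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1825 -sha256 -extfile "$WORK/sign.ext" -out "$WORK/sign.pem" 2>/dev/null

# issue_cert TEMPLATE CN SAN DAYS -> prints the path of the issued PEM.
# The template fixes KU/EKU; CN, SAN and lifetime are per-end-point data from the RA.
issue_cert() {
  tmpl=$1; cn=$2; san=$3; days=$4
  case "$tmpl" in
    tls-server) ku="digitalSignature,keyEncipherment"; eku="serverAuth" ;;
    smime)      ku="digitalSignature,keyEncipherment"; eku="emailProtection" ;;
    *) echo "unknown template: $tmpl" >&2; return 1 ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=$cn" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,%s\nextendedKeyUsage=%s\nsubjectAltName=%s\nauthorityKeyIdentifier=keyid\n' \
    "$ku" "$eku" "$san" > "$WORK/$cn.ext"
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/sign.pem" -CAkey "$WORK/sign.key" -CAcreateserial \
    -days "$days" -sha256 -extfile "$WORK/$cn.ext" -out "$WORK/$cn.pem" 2>/dev/null
  echo "$WORK/$cn.pem"
}

# verify_chain CERT: succeeds only if CERT chains to the root via the Signing CA.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sign.pem" "$1" >/dev/null 2>&1
}

# Simulated RA records: the CN/SAN values belong to the end-point, not to the template.
srv=$(issue_cert tls-server intranet.example.internal "DNS:intranet.example.internal,IP:10.0.0.5" 30)
usr=$(issue_cert smime alice "email:alice@example.internal" 365)
```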

Would you like to know more?

Would you like a demo, a Proof of Concept or a technical in-depth consultation with one of our PKI experts? Feel free to contact us; we are happy to think along with you!