EBOOK
PKI Maturity Model
A Practical Guide to Modernize PKI

Read before you start
Public key infrastructure (PKI) isn’t anything new. It’s been around for decades. Beginning as the trust engine behind the internet, it is now ubiquitous in every business to authenticate and establish trust in each device, workload, human, and connected thing.

As critical as it is for security, PKI is often disjointed and misunderstood. Someone sets up a Microsoft CA or installs OpenSSL, and they say they’re “doing PKI.” The problem with this overly simplistic definition is that it creates a disparate approach, where PKI is a “tool” versus a strategic asset – making it extremely difficult to govern and secure.

The reality is that PKI isn’t just software. It’s critical infrastructure that requires processes, policies, infrastructure, the proper tooling, and people to manage it. To establish trust and better support business initiatives, organizations need a deeper and broader understanding of how PKI is used across different teams and applications, then develop a strategy for how it should be designed, deployed, and managed to match those needs (and future needs).

There’s just one problem – well, maybe a few.

For starters, cybersecurity skills aren’t exactly a dime a dozen. Many IT and infrastructure groups don’t have the headcount or the skillset on their team to handle PKI. Either that or the one person who knew how to run it switches roles or moves on, and suddenly you’re left with a PKI “hot potato” to pass onto the next IT admin in line.

Meanwhile, the move to the cloud, containers, and microservices, combined with the need to support remote work and IoT devices, only increases the demand for PKI. A recent report shows that 53% of organizations don’t have enough staff to maintain PKI, yet the average company has nine different PKI solutions they need to manage.

The worst part is, in many cases, the team responsible for managing PKI is set up for failure right from the start, tasked with building a modern solution using tools and software from the 2000s (you know, back when we were playing Snake on our retro mobile phones).

Bottom line: it’s time for a modern, agile, resilient PKI strategy.

It’s not all bad news. PKI has come a long way since its inception. New technologies have emerged, standard protocols and well-documented guidance are now widely available, and PKI practices have evolved to meet modern requirements.

That’s why we’ve built this maturity model. Whether you’re new to the space or an experienced practitioner, this guide will help you measure your current maturity level against advancements in PKI practices and help you establish a new foundation for an agile and modern PKI that can scale with your business.
Table of contents

• Introduction (page 4)
• Understanding and assessing PKI maturity (page 5)
• The path to PKI maturity (page 6)
• Level 0: Ad Hoc (page 8)
• Level 1: Limited (page 10)
• Level 2: Foundational (page 12)
• Level 3: Transformative (page 14)
• Level 4: Resilient (page 16)
• How to Get Started (page 17)
© 2023 Keyfactor, Inc. All Rights Reserved | www.keyfactor.com 3
Introduction

As the IT and threat landscape evolves, your cybersecurity efforts must follow suit. With PKI serving as the foundation of trust for your business, you must ensure that it can handle anything that comes its way.

Whether your organization’s PKI is run by a team of one or two or a 24x7 operation, advancing maturity will help improve overall security posture, drive efficiency, and become fast and agile in response to the changing needs of the business. This guide explores Keyfactor’s PKI Maturity Model (PKIMM), which explains how to measure the effectiveness of PKI operations.

In this guide, you will learn:

• How to understand and measure the operational excellence of PKI
• How to evaluate your organization’s PKI maturity and where to start
• The five levels of the Keyfactor PKI Maturity Model (PKIMM)
• The potential risks and setbacks of not improving PKI maturity

Author:
Ryan Sanders, Product Manager, Keyfactor

Subject Matter Experts:
Bryan Uhri, PKI Product Manager, Keyfactor
Chris Hickman, Chief Security Officer, Keyfactor
Neal Fuerst, Sr. Director, Federal Compliance, Keyfactor
Sven Rajala, Sr. PKI Solutions Engineer, Keyfactor
Ted Shorter, Chief Technology Officer, Keyfactor
Tomas Gustavsson, Chief PKI Officer, Keyfactor
Understanding and assessing PKI maturity

Keyfactor’s PKI Maturity Model (PKIMM) is based on research and conversations with enterprises across industries and has been validated by practitioners, analysts, and thought leaders. It’s a high-level framework for assessing the current state of your organization’s PKI capabilities and effectiveness, creating a plan to improve them, and measuring ongoing success and business value at each stage.

The first step to maturity is understanding the critical capabilities required to support a best-in-class PKI. This assessment evaluates six critical categories: reliability, efficiency, security, governance, agility, and strategy.

Reliability: Ability to provide resilient, high-performing, and scalable infrastructure (the “I” in PKI), which includes CA software, servers, revocation, etc.

Efficiency: Ability to efficiently operate PKI, including configuration, installation, maintenance, certificate management, and required staffing and resources.

Security: Ability to define and enforce adequate security controls for PKI and proactively identify and remediate security risks and incidents.

Policy & Governance: Ability to make policy-based decisions, continuously monitor PKI posture and consistently adhere to established policies and procedures.

Agility: Ability to deliver CAs and certificates seamlessly to support new use cases and standards, which requires extensibility, self-service, and CA-agnostic support.

Strategy: Ability to plan and deliver on capabilities that align with the overall strategic initiatives of the business, with a focus on enabling digital transformation.
Mapping the path to PKI maturity

Understanding your PKI landscape and evaluating critical operational and security capabilities enables you to identify where your organization is today and learn how to best focus your efforts and investments. This approach ultimately positions you to better support the business and deliver value.

The five levels below are plotted left to right along two axes: Trust & Security → and Operational Efficiency & Agility →.

Level 0: Ad Hoc
• Disparate, fragmented CAs and PKI tools with no clear ownership
• Teams issue and manage their certificates without oversight
• High risk of outages and security incidents

Level 1: Limited
• A basic PKI that meets minimum requirements, partial ownership
• Improved security practices, but no policy or documentation
• Reliance on legacy PKI software with minimal extensibility and scalability

Level 2: Foundational
• Well-documented, policy-backed PKI infrastructure with dedicated ownership
• Basic observability and monitoring of PKI and certificate landscape
• Partial adoption but limited integration and automation capabilities

Level 3: Transformative
• Unified, strategic PKI program with a vision and widespread adoption
• Integration with other PKI and CA technologies, tailored user guidance
• Automation and self-service capabilities that drive efficiency

Level 4: Resilient
• Highly reliable, extensible, and seamlessly scalable infrastructure
• Continuously tested disaster recovery and business continuity plans
• Fast adoption of new cryptographic standards and technologies
When mapping your organization’s path to PKI maturity, remember:

PKI maturity isn’t linear
PKI is one of those things where you have exactly one chance to build it right – at design. Conversely, to build upon a poorly architected PKI is to build a house on a cracked foundation. For this reason, moving from one level of maturity to another often requires a complete rebuild or migration, particularly at the lower levels.

PKI maturity isn’t permanent
PKI maturity can be broken just as quickly as it is built. All it takes is one misconfigured template or abuse of PKI privileges to degrade the level of trust and assurance in your organization’s PKI, which could require lengthy remediation or an entire rebuild, depending on the severity of the incident.

PKI maturity can vary
These different levels seem clearly delineated, but they’re not. In reality, PKI can be messy and fragmented. One group could have a well-architected PKI, while another uses OpenSSL without restraint. Achieving PKI maturity demands an enterprise-wide strategy.

PKI maturity is a lifecycle
There is no finish line. PKI maturity is a continuous process of assessment, investment, and re-assessment. New standards, threats, and technologies will require organizations to constantly evolve their strategy to maintain trust.
LEVEL 0: “Doing PKI” without PKI (Ad Hoc)
DIY PKI and CA tools • No clear ownership • High risk of compromise

At level zero, PKI is an afterthought. It’s not well understood, there is no clear ownership or accountability, and at the same time, it’s being used everywhere in the organization. That’s because virtually every team in IT needs digital certificates to do their job. Still, most don’t understand the tools, infrastructure, and policies required to issue and manage them properly (aka PKI).

So, what happens? It’s the Wild West. The Active Directory (AD) team may have a PKI to handle basic use cases like device authentication, but for the most part, every team has its own way of “doing PKI.” Some buy certificates from an SSL/TLS vendor, some stand up their own certificate authority (CA), and others use accessible open-source tools and PKI utilities for convenience. It’s not PKI; it’s a hodgepodge of CAs and tools.

At this level, PKI seems deceptively easy. Just a couple of Google searches and a few clicks on the “next” button, and you’re ready to issue certificates. However, when it comes to PKI, you have one chance to get it right – at implementation. Improper policies, weak algorithms, or using the wrong key sizes can create issues down the line. If mistakes are made early on, parameters are more or less set in stone, and a complete rebuild becomes the only way to fix it.

Level 0 at a glance:
Reliability: High risk of outages and operational downtime.
Efficiency: Inefficient and fragmented tools with no clear ownership.
Security: High risk of security incidents and audit failures.
Policy & Governance: No centralized visibility or operational oversight.
Agility: Ad hoc adoption on a per-application basis.
Strategy: No defined strategy or role within the modern IT stack.
How to recognize if you’re at level 0

In level zero, there is no centralized PKI operation. Teams at this level often see PKI as a “necessary evil.” No one consults with security or compliance groups before implementation. Instead, application owners stand up a CA to issue certificates, often with little knowledge of how it works. Then, they’re on the hook when something goes wrong but don’t know how to fix it.

The problem is that every team, from IT and sys admins to infrastructure and application teams, needs PKI, but it’s not their primary skillset. The result is that there’s no consistency in policy, if any at all, and critical components such as CA architecture, root key material, and templates go ignored or overlooked, creating a high-risk scenario. For example, root key material is left unprotected on a flash drive or local drive, putting the entire PKI at risk.

Risks of Ad Hoc PKI:
Operational downtime: A system-wide outage could occur if a CA server goes down or a CRL is not published correctly.
Outages: Certificates issued from unknown or rogue CAs expire and cause application outages.
Security incidents: Default configurations and mishandled private keys create a high risk of compromise.

Moving past level 0: Establish PKI ownership

There’s no path to a higher level if you’re at level zero. PKI operates on trust, and if that trust isn’t established, or worse, it’s compromised, the only way to fix it is to start over. The biggest risk here is having a false sense of trust in PKI and building upon it. It’s time to start fresh, and to do that, you’ll need to:

• Acknowledge whether you have the expertise in-house to build and maintain PKI, or if you need to consider a new hire, consultant support, or a vendor
• Define ownership over internal PKI, which at this point is typically the AD or infrastructure team (security typically manages publicly-trusted certificates)
• Identify piecemeal tools and start documenting how different IT and application owners implement PKI processes and handle certificate requests
• Invest the time and effort to plan and architect an enterprise PKI that is designed to expand with the business over time (don’t skip to CA installation)

Key consideration: If you’re leveraging open-source or freeware, it’s essential to consider whether you have all the capabilities and support you’ll need to deploy and manage a PKI that can support enterprise-wide requirements and policy.
LEVEL 1: Doing PKI with the bare minimum (Status Quo)
Bare minimum PKI • Minimal policy & security • Shadow IT

Welcome to level one. At this stage, PKI is a recognized component in the enterprise security stack, but it hasn’t yet reached the status of critical infrastructure. One or two individuals – often within the AD or infrastructure group – may be responsible for PKI, among other responsibilities. They aren’t necessarily experts, but the responsibility was assigned to them, or they inherited a PKI that a previous employee built.

At level one, PKI meets the minimum standards for security, including an offline, air-gapped root of trust, use of hardware security modules (HSMs) to protect CA private keys, and a general framework for who is allowed to access the PKI, create CAs, and issue certificates. The problem here isn’t setting the policies; it’s documenting and enforcing them.

Old habits die hard. Multiple teams will still use non-compliant methods to get certificates (aka shadow IT), either out of ignorance or by intentionally skirting slow and tedious PKI processes. Either way, there are still unmanaged and unknown CAs out there that create unpredictable risks for the business.

Overall, PKI at this level still feels like a pain for very little gain. There’s no real strategic direction or alignment to business initiatives; it just “exists.” And without well-documented policies and procedures, a simple misconfiguration or shortcut could compromise the PKI and move it right back to level zero.

Level 1 at a glance:
Reliability: PKI is not adequately resourced or well-maintained.
Efficiency: Inefficient and manual processes result in shadow IT.
Security: A centralized PKI is established but not well-adopted.
Policy & Governance: Lack of centralized control and documented policies.
Agility: Not able to quickly identify or support new business initiatives.
Strategy: Partial ownership but no clear strategy or vision.
How to recognize if you’re at this level

Most organizations at this level rely heavily on traditional tools, such as Active Directory Certificate Services (AD CS) and auto-enrollment, to handle the day-to-day PKI functions. It works for basic use cases, but it isn’t very scalable, and it’s rarely well-maintained.

As organizational needs expand, you are left pushing the boundaries of current solutions, often to their breaking point, or procuring expensive ad hoc point solutions that ultimately only solve a specific need.

The biggest challenge at this level is governance. A team builds a well-architected PKI, but the procedure and process behind it sit in their memory rather than well-documented policies. If they leave the organization or move into another role, all of that knowledge leaves with them.

Without proper care and feeding, configurations drift further from the standards set when the PKI was initially built. For example, a common mistake is plugging the root CA into the network, even just for a few minutes, to patch the server or publish a certificate revocation list (CRL). Suddenly, the level of assurance in your organization’s PKI has been diminished.

Risks of Status Quo PKI:
Configuration drift: Administrators take shortcuts and make ad hoc changes until their PKI is no longer consistent with the organization’s requirements.
Policy decay: Undocumented policies and procedures quickly decay, increasing the risk of an audit failure or security incident.
Staffing changes: Without guidance and training, a shift in staff often results in PKI being left shorthanded with little to no direction for its new owner.
Moving past level 1: Rebuild or reinforce the foundation

If your organization is at level one, you’ll need to assess whether you can build upon your existing PKI or if a rebuild is required. If PKI configurations have drifted from set policies or the underlying CA software is insufficient, it’s time to migrate or lay a new foundation. To move to the next level, you’ll need to:

• Assess your PKI solution stack – check for vulnerabilities, re-evaluate business requirements, and evaluate alternative solutions.
• Invest in training and documentation, such as a formal certificate policy and certificate practice statement (CP/CPS), to establish and maintain assurance levels.
• Establish visibility and observability of all PKI solutions and certificates across your organization’s environment (e.g., network scanning, CA discovery, etc.).
• Rationalize and consolidate PKI tools that stem from different teams procuring point solutions.

Key consideration: At this point, you’ll need to consider whether you have the skillset and solution stack to architect and build a proper PKI that can support what the business needs and go the distance.
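The “visibility and observability” step above is the point where an inventory check pays off. The following is an added example (not Keyfactor’s code or tooling) of such a check written with Python’s `cryptography` library: it builds a constructed, in-memory PKI (a sanctioned issuing CA, a rogue team CA, and four leaf certificates, all with hypothetical names and a fixed “today” of 2023-06-01) and flags the conditions this guide calls out: certificates from unapproved CAs (shadow PKI), weak key sizes, weak signature hashes, and certificates that are expired or inside the renewal window. The policy thresholds (2048-bit RSA floor, 30-day renewal window) are assumptions.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Fixed "today" (naive UTC) so the constructed inventory gives reproducible results.
NOW = dt.datetime(2023, 6, 1)
MIN_RSA_BITS = 2048                              # assumed policy floor for RSA keys
STRONG_HASHES = {"sha256", "sha384", "sha512"}   # assumed set of acceptable signature hashes


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _not_after(cert):
    # cryptography >= 42 exposes timezone-aware *_utc properties; older versions only naive ones.
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware.replace(tzinfo=None) if aware is not None else cert.not_valid_after


def make_ca(cn, key_size=2048):
    """Self-signed CA; used both for the sanctioned issuing CA and for a rogue team CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - dt.timedelta(days=400))
        .not_valid_after(NOW + dt.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, days_valid, key_size=2048):
    """End-entity certificate expiring `days_valid` days after NOW (negative = already expired)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - dt.timedelta(days=400))
        .not_valid_after(NOW + dt.timedelta(days=days_valid))
        .sign(ca_key, hashes.SHA256())
    )


def check_certificate(cert, approved_issuers, warn_days=30):
    """Policy findings for one discovered certificate; an empty list means it is compliant."""
    findings = []
    issuer = cert.issuer.rfc4514_string()
    if issuer not in approved_issuers:
        findings.append(f"issued by unapproved CA '{issuer}' (possible shadow PKI)")
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"weak RSA key ({key.key_size} bits < {MIN_RSA_BITS})")
    sig = cert.signature_hash_algorithm
    if sig is None or sig.name not in STRONG_HASHES:
        findings.append(f"weak signature hash ({sig.name if sig else 'unknown'})")
    days_left = (_not_after(cert) - NOW).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days (renewal window {warn_days})")
    return findings


def check_inventory(certs, approved_issuers, warn_days=30):
    """Map each certificate's subject CN to its findings, like a discovery scan report."""
    report = {}
    for cert in certs:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        report[cn] = check_certificate(cert, approved_issuers, warn_days)
    return report


def build_sample_inventory():
    """Constructed sample: one sanctioned issuing CA, one rogue CA, and four leaf certificates."""
    corp_key, corp_ca = make_ca("Corp Issuing CA G1")
    rogue_key, rogue_ca = make_ca("App Team Self-Signed CA")
    certs = [
        issue_leaf(corp_key, corp_ca, "payments.internal.example", 365),
        issue_leaf(corp_key, corp_ca, "legacy-erp.internal.example", 365, key_size=1024),
        issue_leaf(corp_key, corp_ca, "old-portal.internal.example", -5),
        issue_leaf(rogue_key, rogue_ca, "build.internal.example", 10),
    ]
    approved = {corp_ca.subject.rfc4514_string()}   # the only CA the (assumed) policy sanctions
    return certs, approved


if __name__ == "__main__":
    certs, approved = build_sample_inventory()
    for cn, findings in check_inventory(certs, approved).items():
        print(cn, "->", "; ".join(findings) or "OK")
```

In practice the `certs` list would come from the discovery sources named above (network scans, CA database exports), and the approved-issuer set from the CP/CPS, rather than from constructed data.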
LEVEL 2: Establishing a foundation for digital trust (Foundational)
Dedicated ownership • Well-documented policy • Lack of interoperability

At level two, you’ve reached the big leagues. Organizations at this stage recognize that PKI isn’t just part of the security stack, it’s critical infrastructure that supports critical internal IT and revenue-generating services and applications. In many cases, this realization comes after a major incident, such as an outage or security breach, but sometimes it’s simply a realization that their current approach has unacceptable shortcomings.

An organization at this level has dedicated resources behind its PKI. There is an individual or team with the knowledge and bandwidth required to properly maintain and operate the infrastructure, whether in-house, SaaS-delivered, or fully managed. At this point, they have moved beyond “check box” security to a well-documented and policy-backed PKI, and they’re beginning to see the benefits of a well-oiled machine.

Things aren’t perfect here, though. The foundational elements of security and policy are in place, but the biggest challenge here is operational efficiency. As awareness and usage of PKI increases, so does the complexity of managing it and keeping pace with demand. At this stage, processes such as requesting certificates or scaling infrastructure are still manual, which reduces efficiency and slows down other teams.

Level 2 at a glance:
Reliability: Reliable and well-architected PKI infrastructure.
Efficiency: A well-maintained PKI, but manual processes slow down teams.
Security: Well-established security practices and policies.
Policy & Governance: Well-documented policies and visibility of PKI and certificates.
Agility: Better visibility into use cases, but still lacks interoperability.
Strategy: Dedicated ownership, recognized as critical infrastructure.
How to recognize if you’re at this level

At level two, organizations have invested in the organizational processes and headcount needed to support a functional PKI. The foundation is set with a formal certificate policy and certificate practice statement (CP/CPS), and you’re on your way to consolidating certificate services into a single platform.

However, PKI still lags when it comes to interoperability and automation. Teams at this stage typically rely on a standard protocol like SCEP, ACME, or EST, but it doesn’t support all applications and use cases. In addition, manual processes to provision and install certificates create room for error and slow down projects.

Despite policy improvements, teams at this level still run into operational fire drills. Too many people get involved when something goes wrong because nobody knows where the problem is, and the blame game ensues. Most organizations at this level will have some certificate discovery and monitoring capabilities, such as SSL/TLS network scanning, but there are still blind spots.

Shortcomings of Foundational PKI:
Inefficiency: Manual and time-consuming processes to request CAs and certificates slow down teams and cannot scale.
Lack of extensibility: Limited out-of-the-box integrations and protocols prevent the PKI team from truly enabling other business units.
Fire drills: Human errors and troubleshooting pull resources from priorities to remediate issues.

Next step: Automate, educate, and integrate

Your next focus is easing the administrative burden by automating high-volume, low-complexity processes – an effort made easier with a PKI solution that supports high availability and automation and certificate lifecycle management capabilities beyond basic network discovery. To move to the next level, we recommend that you:

• Actively involve key stakeholders in your PKI program and establish a working group to get buy-in and guidance from end-users, such as developers and IT admins
• Provide tailored guidance to developers, IT, and security teams by defining how different PKI and CA tools should be used and when new instances can be deployed
• Align PKI architecture to enterprise architecture – backed by a mission, strategic vision, and supporting business processes and technology
• Research and adopt tooling and infrastructure that can support automation, high availability, flexible deployment (e.g., cloud, on-premise, hybrid), and extensibility

Key consideration: At this point, you’ll need to evaluate your organization’s PKI and certificate management stack to ensure it can support critical functions like automation, self-service, and extensibility via APIs and protocols.
LEVEL 3: Enabling the business with automation and agility (Transformative)
Delegated ownership • Automation & self-service • High level of adoption

Organizations at this level have fully embraced the power of PKI. It is widely adopted across the organization, and a clear vision and roadmap align with strategic business initiatives – from zero-trust architecture and multi-cloud security to remote workforce enablement.

At this stage, multiple teams are now involved in PKI operations. For instance, the PKI team may manage infrastructure and policy, a network operations center (NOC) runs the operations, and security handles incident response. As a result, PKI becomes an enabler – or at least, not a blocker – for developers, product security, and IT teams who can now self-service and leverage APIs and protocol interfaces to integrate with their applications.

Reaching this level takes a high level of automation, including provisioning and maintaining the backend PKI infrastructure (e.g., CA configuration and deployment) and automating certificate-related tasks for end-users (e.g., renewal, provisioning, and installation).

Most importantly, a strategic approach requires tailored guidance and training for teams that may leverage CAs and tools outside the enterprise-sanctioned PKI (e.g., HashiCorp Vault, Let’s Encrypt, etc.). These teams should know if and when they can leverage these tools and the process they should follow to properly implement and integrate them.

Level 3 at a glance:
Reliability: Scalable, highly available, and well-maintained infrastructure.
Efficiency: Self-service and automation accelerate productivity.
Security: Tailored guidance and training on security best practices.
Policy & Governance: Centralized policy and control across decentralized PKI.
Agility: Flexibility to support new use cases quickly and efficiently.
Strategy: A well-defined enterprise-wide PKI strategy.
How to recognize if you’re at this level

One of the biggest changes at this level is ownership. PKI is no longer centralized exclusively under the AD or infrastructure team. Instead, a central team can govern and control PKI services, but different business units can set up their own CAs or PKI solutions under the right circumstances.

A cross-functional team, also known as a working group, can provide thought leadership, best practice guidance, and weighted tooling decisions, which eliminates silos and better supports the needs of the business.*

By this point, PKI isn’t just one or two issuing CAs behind the four walls of the data center. It’s an enterprise-wide trust fabric built upon an integrated, CA-agnostic set of tools and infrastructure. Control and governance are centralized, but enforcement is decentralized, allowing teams to operate quickly and efficiently within the parameters of policy. PKI becomes a supporting technology to reinforce revenue generation and brand integrity.

Benefits of a Transformative PKI:
Uptime and efficiency: Outages and downtime are avoided with highly available and automated PKI infrastructure and certificate management.
Flexibility: Teams can proactively integrate PKI with modern applications like cloud platforms, microservices, and CI/CD tools.
Scalability: PKI and certificates are available on-demand as the business grows without exploding complexity and risk.
Faster delivery: The PKI team can take on new initiatives and deliver projects faster without slow server provisioning and maintenance.

Next step: Continuously test, monitor, and adapt

Security isn’t static. New threats will emerge, algorithms will evolve, and organizational changes will be unavoidable. The next steps at this level are about maintaining trust, not making monumental changes. Trust requires ongoing testing, proactive monitoring, and preparations for major changes.

• Identify new opportunities to expand automation and integration within DevOps, IoT, and emerging use cases
• Extend integration capabilities with your enterprise identity fabric to streamline processes and improve detection and response (e.g., SIEM, EPP, ITSM, IGA, etc.)
• Develop and continuously test DR and business continuity plans to ensure resiliency, which includes events like CA compromise and crypto library bugs
• Create and implement a strategic roadmap for post-quantum cryptography (e.g., crypto-asset inventory, compatibility mapping, migration planning, etc.)

* Erik Wahlstrom, “Managing machine identities, secrets, keys and certificates,” Gartner, 16 March 2022.
LEVEL 4: Maintaining a resilient and future-proof PKI (Resilient)
Proactive planning • Agility and modernization • Minimal risk of compromise

Organizations that reach this stage of PKI maturity are far more transformative, efficient, and secure. However, without continued investment and effort, it takes no more than a simple misconfiguration to compromise the entire operation and fall back to level zero. This is where resiliency comes into play.

The foundation of DevOps, the continuous improvement mindset, applies as much to PKI operations as it does to application development. Teams that continuously monitor, test, and plan for future changes and requirements will avoid the risk of a serious breach or disruption to services and, ultimately, deliver more value to the business.

There are three core components to a resilient PKI:
1. Proactive planning and business enablement
2. Continuous monitoring and testing
3. Detection, response, and remediation

Each of these components is equally important to maximize the return on investment (ROI) of PKI and avoid inevitable risks in the future, including, but not limited to, the shift to post-quantum cryptography, future mergers and acquisitions, and emerging software supply chain attacks.

Level 4 at a glance:
Reliability: Continuous DR and BC testing to maximize resilience.
Efficiency: Expanding automation and integration with new use cases.
Security: Continuous enforcement and re-assessment of policy.
Policy & Governance: Ongoing audits and monitoring of the PKI environment.
Agility: Well-integrated and automated with business processes.
Strategy: A proactive roadmap for crypto-modernization and agility.
Get Started

Now that we’ve covered the steps to PKI maturity, it’s time to evaluate where you stand and implement improvement plans. Here are some practical steps to kicking off your roadmap to a successful PKI strategy.

Find your A-team
PKI doesn’t (or at least shouldn’t) operate in a silo. Every team across the organization relies on PKI, so bringing in key stakeholders from each team will ensure you get a clear picture of your current environment. This could include IAM, security, cloud architecture, infrastructure, DevOps, application teams, and other stakeholding business units.

Seek to understand
Once you have an A-team, it’s time to map out use cases and requirements, understand how certificates are used and issued, and whiteboard a rough blueprint of your current PKI architecture (fragmented as it may be). This can take days or months, but the important thing is not to rush this step. Learn more by joining weekly team meetings and stand-ups or setting up 1:1 meetings with departmental heads. Remember, this is about seeking to understand gaps, not criticizing flaws.

Assess tools, people, & processes
Identify the people, technology, and processes involved in PKI across the business. If you don’t have in-house PKI expertise, it will not be an easy role to fill. Instead, consider a consultant or a PKI vendor that can provide expertise or even offload entire components of PKI operations, whether a turnkey appliance, a SaaS-delivered instance, or a fully managed service. Take time to assess existing policies and tooling and determine the risks and shortcomings of your current approach using this model.

Build the business case
Ultimately, you’ll know what needs to be done, but action doesn’t come without investment. Unless you’ve just experienced a major incident that prompts leadership to prioritize PKI, you must justify your project’s time and budget. Then, tie your strategy back to quantifiable metrics such as improved productivity (hours), reduced risk (outages and security incidents), and cost savings (reduced infrastructure complexity).
The following questions act as a guide to assess
maturity in each of the six categories:
Reliability
Ability to provide reliable, • Can you deploy CA infrastructure where needed, whether in
the cloud, multi-cloud, on-premises, or hybrid?
high-performing PKI
• Is your organization’s PKI able to handle high demand without
infrastructure at scale:
interruption to services? (e.g., high availability, clustering,
on-demand provisioning, etc.)
• Does your organization have disaster recovery and business
continuity procedures for PKI? How often are these proce-
dures tested?
• How often does your business experience PKI-related
outages that impact employees or revenue-generating
services?
Efficiency
Ability to manage and operate PKI with efficiency:
• Has your organization established service level agreements (SLAs) to approve and fulfill certificate requests? How often are these SLAs met?
• How much time do teams spend managing and maintaining PKI infrastructure? Does your company have adequate staffing and skills to support PKI?
• How many servers, databases, and HSMs are required to run your organization’s PKI? What will be needed to support future growth?
• How much time is required to spin up a CA? How much time do application owners spend to obtain and install certificates? (i.e., requests, renewals, provisioning, etc.) Is it possible to automate these processes?
Security
Ability to protect critical infrastructure and enforce security controls:
• Have you implemented adequate security controls to harden and protect critical PKI components? How are CA private keys generated and protected?
• What is the process to patch and update servers across your organization’s PKI footprint? How do you prevent CA configuration drift and privilege escalation?
• Can your organization discover and quickly resolve PKI-related incidents, such as certificate outages or unexpected audit findings?
• Does your team maintain a comprehensive audit log of PKI-related activities?
Policy & Governance
Ability to establish trust and govern your organization’s PKI:
• Does your organization continuously monitor critical PKI components’ health and security posture to ensure uptime and policy compliance?
• Does your organization have an accurate inventory of certificates? (e.g., certificate owners, locations, expiration dates, and other details)
• Have you documented certificate policies and practices in a formal CP/CPS? How do you enforce adherence to policies?
• How do you prevent shadow IT? Is there a process to identify and approve the use of other PKI solutions and CA services?
Agility
Ability to deliver with agility and support all use cases:
• Can you supply new use cases with the required PKI capabilities quickly? (e.g., deploy a new CA, support a new integration, etc.)
• Can application owners self-serve certificate requests and renewals? Is it possible to delegate certificate management to specific groups or individuals?
• Does the PKI support various interfaces and protocols (e.g., REST API, ACME, SCEP, CMP, etc.), or just auto-enrollment?
• Does your organization use multiple PKI solutions or CA services? How do you maintain centralized control and governance?
• Is your organization prepared to migrate to new CAs, algorithms, and standards? For example, are you able to re-issue or rotate certificates at scale?
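The Policy & Governance questions ask for an accurate certificate inventory, and the Agility questions ask whether you could find and rotate certificates when keys or algorithms must change. The following is an added example of the kind of inventory check that answers both; it is not code from this guide, from Keyfactor, or from the PKI Consortium. It uses Go’s standard crypto/x509 package to read each certificate’s subject, expiry and key, and flags what a review cares about: expired or soon-to-expire certificates and undersized RSA keys. The three certificates, the fixed review date (2023-09-01) and the policy thresholds (a 30-day warning window, a 2048-bit RSA floor) are constructed assumptions for the demo; a real run would feed in certificates discovered on servers, in key stores, or exported from the CA database.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row: identity, expiry, key, and what the review found.
type CertRecord struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int
	KeyAlg   string
	KeyBits  int
	Findings []string
}

// Inventory builds one record per certificate and flags what a governance review asks
// about: expired/expiring certificates and RSA keys under 2048 bits (example policy values).
func Inventory(certs []*x509.Certificate, now time.Time, warnDays int) []CertRecord {
	out := make([]CertRecord, 0, len(certs))
	for _, c := range certs {
		alg, bits := c.PublicKeyAlgorithm.String(), 0
		switch k := c.PublicKey.(type) {
		case *rsa.PublicKey:
			alg, bits = "RSA", k.N.BitLen()
		case *ecdsa.PublicKey:
			alg, bits = "ECDSA", k.Curve.Params().BitSize
		}
		rec := CertRecord{Subject: c.Subject.String(), NotAfter: c.NotAfter, KeyAlg: alg, KeyBits: bits}
		rec.DaysLeft = int(c.NotAfter.Sub(now).Hours() / 24) // negative once expired
		switch {
		case now.After(c.NotAfter):
			rec.Findings = append(rec.Findings, "expired")
		case rec.DaysLeft <= warnDays:
			rec.Findings = append(rec.Findings, "expires-soon")
		}
		if alg == "RSA" && bits < 2048 {
			rec.Findings = append(rec.Findings, "weak-rsa-key")
		}
		out = append(out, rec)
	}
	return out
}

// must keeps the demo setup short: any setup failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned mints a constructed self-signed certificate for the demo (assumed names and dates).
func selfSigned(serial int64, cn string, notBefore, notAfter time.Time, key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

// SampleInventory assesses three constructed certificates against a fixed review
// date (assumed to be 2023-09-01) so the result is reproducible.
func SampleInventory() []CertRecord {
	now := time.Date(2023, 9, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	certs := []*x509.Certificate{
		// healthy: P-256 key with a year of validity left
		selfSigned(1, "api.corp.example", now.Add(-30*day), now.Add(365*day),
			must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))),
		// due for renewal in 10 days: inside the 30-day warning window
		selfSigned(2, "portal.corp.example", now.Add(-355*day), now.Add(10*day),
			must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))),
		// expired five days ago and still on a deliberately undersized 1024-bit RSA key
		selfSigned(3, "legacy-app.corp.example", now.Add(-3*365*day), now.Add(-5*day),
			must(rsa.GenerateKey(rand.Reader, 1024))),
	}
	return Inventory(certs, now, 30)
}

func main() {
	for _, r := range SampleInventory() {
		fmt.Printf("%-28s expires %s (%4d days) %s-%d %v\n", r.Subject,
			r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.KeyAlg, r.KeyBits, r.Findings)
	}
}
```

The records this produces are the raw material for both questions: the expiry columns show which owners need to act before an outage, and the key algorithm and size columns show how many certificates would have to be re-issued if the minimum key size or algorithm policy changed. Replace the constructed certificates with the ones you discover, and tighten the thresholds to your own CP/CPS.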
Strategy
Ability to plan and deliver PKI capabilities to support business strategy:
• Is your organization’s PKI strategy aligned and unified across all business units?
• Who owns the CA infrastructure vs. individual certificates? How do you uncover and support new business initiatives that require certificates?
• Do you have a clear, comprehensive vision of how to evolve PKI services to meet emerging needs? (e.g., IoT, DevOps, cloud-native applications, etc.)
• Is PKI adequately funded and supported by leadership?
• Can you measure the return on investment (ROI) of PKI services?
PKI Maturity Model
by PKI Consortium
The PKI Consortium established the PKI Maturity Model Working Group to build a PKI maturity model for evaluation, planning, and comparison between different PKI implementations. Keyfactor is an active member of the PKI Consortium and of its PKI Maturity Model Working Group.
PKI Maturity Model ↗
Assessment Tools ↗
Discussions ↗
Charter ↗
Maturity models measure an organization’s or implementation’s capability for continuous improvement and evolution in a specific area. The PKI Consortium PKI Maturity Model (PKIMM) focuses on the specifics of a Public Key Infrastructure (PKI) implementation and helps identify its maturity and the improvements that can be made.
While the Keyfactor PKI Maturity Model serves as a beginner’s guide, the PKI Consortium PKIMM is a technology-independent model that evaluates in depth the various aspects related to the PKI (people, process, technology) according to specific categories. The overall maturity level of a PKI is determined based on the maturity of the categories and is independent of the size of the organization and the use case.
The PKI Consortium PKIMM does not target a specific PKI; rather, it serves as an industry-wide standard for PKI maturity assessments and helps to identify areas for improvement regardless of scope and of whether the PKI is private, public, shared, bridged, etc.
The PKI maturity model provides the following:
• Quickly understand the current level of capabilities and performance of the PKI
• Support comparison of PKI maturity with similar organizations based on size or industry
• Action plans on how to improve the capabilities of the current PKI
• Improve overall PKI performance
The ultimate benefit of PKI maturity: Digital Trust
Our world is more digitally connected than ever. Devices, workloads, and digital transactions are foundational to business as IT architectures continue to expand and evolve with digital transformation. In this hyper-connected environment, digital trust is essential. Digital trust enables organizations to confidently and securely engage with customers, employees, and the outside world.
PKI is foundational to making this happen. In a world without perimeters, every device, every workload, every human, and every connected thing must be verified with a trusted identity. PKI delivers the authentication, encryption, and integrity required to verify machines and humans at scale. A robust and scalable PKI makes it possible for organizations to build trust and, consequently, build and grow their business.
Learn more
You’ve already taken the first step if you’ve read this guide. Here we’ve provided additional resources and solutions to help you reach PKI maturity.
Certificate Management Maturity Model
by Keyfactor
Assess your maturity in certificate lifecycle management, a critical component in PKI maturity.
Download now ↗
PKI Maturity Model
by PKI Consortium
Go a level deeper and thoroughly assess your PKI maturity with the PKI Consortium’s PKI Maturity Model (PKIMM).*
Learn more ↗
*Keyfactor is a sponsor of the PKI Consortium and an active participant in the PKI Maturity Model Working Group. We recommend using the Keyfactor PKIMM as a starting point for technical and non-technical stakeholders. The PKI Consortium PKIMM is the next step to thoroughly assess and measure PKI maturity against industry standards.
Explore solutions
See how to modernize your PKI and move up the maturity model with flexible, scalable, and agile solutions.
PKI your way
Simplify and scale PKI with the only platform that deploys fast, runs anywhere you need it, and scales on demand without limits.
Learn more ↗
PKI as a service
Offload the cost and complexity of PKI with a fully-managed, cloud-hosted PKI service operated by experts.
Learn more ↗
Certificate lifecycle automation
Gain complete visibility of all certificates, centralize control, and enable automation to reduce downtime and risk.
Learn more ↗
IoT identity management
Centrally manage and automate the lifecycle of identities across your fleet of connected IoT products and devices.
Learn more ↗
Contact us
• www.keyfactor.com
• +1 216 785 2946 (North America)
• +46 8 735 61 01 (Europe)
Keyfactor brings digital trust to the hyper-connected world with identity-first security for every machine and human. By simplifying PKI, automating certificate lifecycle management, and securing every device, workload, and thing, Keyfactor helps organizations move fast to establish digital trust at scale — and then maintain it. In a zero-trust world, every machine needs an identity and every identity must be managed. For more, visit keyfactor.com or follow @keyfactor.