Designing a Private PKI System: Key Components, Architecture & More

The Internet is a necessity, and its security remains vital. While we are all aware of antivirus software, encryption, security certificates, and more, the underlying framework matters just as much. Enterprises need robust PKI systems to support security across their operations.

Robust PKI systems mean secure operations. Gartner research suggests that total business spending on cybersecurity will grow by $170.4 billion by 2022. So, a reliable PKI system is essential not just for secure operations but also for reduced costs.

However, the biggest question for any business looking to secure its systems is: “How do you build a private PKI system?”

The first step toward building a PKI system is to understand the basics.

So, first, what is a PKI system?

PKI System

PKI, or Public Key Infrastructure, is a system of policies, processes, components, software, and services that support the use of public-key cryptography. In other words, it is a setup for providing digital certificates to users, systems, and applications in order to build trusted identities.

Such identities help authenticate data access and establish secure communications between systems. To understand PKI, let us first understand cryptography.

There are two types of cryptography:

  • Shared secret or symmetric encryption: both the sender and the receiver of the information use the same security key.
  • Public-key cryptography or asymmetric encryption: uses two different security keys, a public key and a private key.

A public key is widely available, while a private key is unique to its user. For example, the sender of an encrypted email uses their private key to produce a digital signature over the data; the recipient decrypts the data and checks the signature with the sender’s public key. This process allows users to verify the identity of the sender and the integrity of the data.
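The signing exchange just described, as an added example written for this article (it is not code from the original post or from any vendor): the sender signs a message with an RSA private key, and the recipient verifies it with the matching public key. The message text, the tampered copy, the second "other" key pair and the 2048-bit key size are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs the digest with the sender's private
// key (RSA PKCS#1 v1.5); only the holder of that private key can produce it.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks sig with the sender's public key. It
// is true only if the matching private key signed exactly this msg.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Exchange plays the sender and recipient roles and reports three outcomes: the
// genuine message verifies, a tampered copy fails, and a signature made with
// somebody else's key fails even over the original text.
func Exchange() (genuine, tampered, wrongKey bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048) // key pairs are generated in memory for the example
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := []byte("Transfer 100 EUR to account 12345") // constructed sample message
	sig, err := Sign(sender, msg)
	if err != nil {
		return
	}
	otherSig, err := Sign(other, msg)
	if err != nil {
		return
	}
	genuine = Verify(&sender.PublicKey, msg, sig)
	tampered = Verify(&sender.PublicKey, []byte("Transfer 900 EUR to account 12345"), sig) // altered in transit
	wrongKey = Verify(&sender.PublicKey, msg, otherSig)                                     // signed by someone else
	return
}

func main() {
	genuine, tampered, wrongKey, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

The two failing cases are the point: a changed byte in the message or a signature from a different key is rejected, which is what gives the recipient both the sender's identity and the data's integrity. What the recipient still lacks is proof that the public key really belongs to the sender, and that binding is what a certificate issued by a CA provides.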

PKI is based on the asymmetric cryptography approach, where a public and private key pair is used. Certification authorities issue digital certificates, which help organizations establish trust between two certificate holders.

Digital certificates from well-known certificate authorities (CAs) come in diverse types, such as TLS certificates, code-signing certificates, digital signatures, client-server authentication certificates, etc. Reputed CAs offering SSL certificates include Comodo, Sectigo, GlobalSign, etc. If you are looking for a budget SSL certificate, Comodo products are a favorable choice for SMBs. A few popular products are Comodo Essential SSL, Comodo Positive SSL, and Comodo Wildcard SSL.

For example, an SSL/TLS certificate uses both symmetric and asymmetric encryption. PKI-based asymmetric cryptography enables secure sessions between a browser (client) and a server.

When designing a private PKI system, you also need to understand the differences between private and public PKI.

  • Publicly trusted PKI: a PKI system where your digital certificates are trusted by operating systems and users on the internet. No manual verification is needed; all you need is a digital certificate issued by a publicly trusted certificate authority (CA). Here, the entire PKI architecture is run by the CA. Therefore, a publicly trusted PKI system needs to follow the CA/Browser Forum’s Baseline Requirements.
  • Privately trusted PKI: this system secures networks through certificates from an internal or private CA. Here the verification rests on your shoulders, and there is no external standard the system needs to comply with.

Now that we know the basics of a PKI system, let us understand the key components of such a framework.

PKI system: Key Components


Every PKI system leverages digital or public-key certificates to establish a machine identity: an association between a device or software identity and a public key. Certification authorities validate and verify such identities.

It is similar to the accreditation of a university, where accreditation organizations or government authorities vouch for the institution. However, a PKI system needs a chain of certificates to establish the association between an application and a public key. This is also known as the chain of trust.

A certificate chain links several certificates back to a self-signed certificate at the end. These certificates form the crux of your PKI system and are the building blocks for designing a privately trusted PKI system.

Root certificates

A root certification authority, or root CA, is one of the essential elements of any PKI. The root CA issues the certificates that establish trust between identities. It also enables issuing CAs to issue certificates within the chain of trust.

Intermediate certificates

An intermediate CA issues certificates within the chain of trust. There can be multiple intermediate CAs in a PKI framework sharing one root CA. In a three-tier PKI architecture especially, intermediate certificates play a pivotal role.

Issuing certification authority

Root and intermediate CAs issue certificates that let you establish associations between identities. At the other end of the chain, an issuing certificate authority is like a root CA on the internet: it issues certificates to end users and anyone else who requests them.

Security key pair

Both the public and the private key of a pair are significant for the PKI system. Every key is generated by an algorithm such as Rivest-Shamir-Adleman (RSA). A private key requires a Hardware Security Module (HSM) for secure storage.

Hardware Security Module

An HSM is a hardware component for storing the private keys of the root CA and the intermediate CAs. HSMs are secure and resilient mechanisms for protecting your private keys.

Certificate Revocation List (CRL)

A certificate revocation list is essential for an effective PKI system. It lists the revoked certificates along with the reason for each revocation.

Certificate management and policy 

Certificate management covers certificate requests, issuance, validation, revocation, and renewal. Another essential part of certificate management is defining the security policy for the PKI system.

The process of documenting security standards and guidelines for certificate usage is called the Certificate Policy (CP). From these standards, a CPS or Certificate Policy Statement is derived, which describes the processes used in the PKI. You can think of a CPS as a manual that enables you to operate the PKI according to the CP.

Now that we know the vital components of a PKI system, it is time to understand the architecture or structure in which they are used.

PKI system architecture


Architecture is the structure made of different components that supports the entire process flow. Imagine machinery with all its gears and mechanisms in place; that is what a PKI system architecture means.

There are two types of architecture used for PKI systems:

  • Two-tier architecture
  • Three-tier architecture

Two-tier architecture


A two-tier architecture is ideal for a simple PKI implementation. It is a balanced architecture without much hassle and involves two key components: a root CA and an issuing CA. The root CA stays offline, which is why it is secure.

Because it is offline, you can require physical security keys for access, making the entire process secure. It also means that your root certificate is hard to compromise and can safely anchor the chain of trust and the issuing certificates.

Whether you are using an online issuing CA or an internal CA, storing the root CA’s key in an HSM keeps it secure.

Three-tier architecture


When it comes to better trust among users, a chain of certificates helps establish it between different identities. In other words, more certificates in the chain mean higher validation of code integrity and of the data exchanged between two endpoints. This is why a three-tier architecture is considered far more secure than a two-tier one.

It includes a root CA and an issuing CA, just like the two-tier architecture. However, a chain of intermediate certificates makes this architecture more suitable for a privately trusted PKI system. The structure involves several intermediate CAs, placed between the root CA and the issuing CA according to the CP or Certificate Policy.
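The chain of trust, the certificate revocation list and the three-tier layout described above, brought together in one added worked example using Go’s standard crypto/x509 package (this is example code written for this article, not the author’s or any vendor’s tooling). It issues a root, an intermediate and an issuing CA, each with a Basic Constraints path-length limit that pins its tier, then an end-entity certificate; VerifyChain walks the leaf back to the root the way a relying party inside the organisation would, and IssueCRL and IsRevoked show the issuing CA revoking that leaf and a relying party honouring the CRL. The CA names, the host name app01.corp.example, the serial numbers and the validity periods are constructed for the example, and keys are generated in memory; in a real deployment the root stays offline with its key, and the intermediate keys, inside an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate builds a CA template; pathLen caps the CAs allowed below it (root 2, intermediate 1, issuing 0).
func caTemplate(serial int64, cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue makes a P-256 key for the subject and has parent sign tmpl (nil parent = self-signed root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildThreeTier issues root -> intermediate -> issuing -> leaf and returns the four certificates
// plus only the issuing CA's key; root and intermediate keys are dropped, as an offline root's stay in its HSM.
func BuildThreeTier(leafName string) ([]*x509.Certificate, *ecdsa.PrivateKey, error) {
	leaf := &x509.Certificate{ // end-entity server certificate; name and serial are constructed
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	tiers := []*x509.Certificate{ // constructed CA names
		caTemplate(1, "Example Corp Root CA", 2), caTemplate(2, "Example Corp Intermediate CA", 1),
		caTemplate(3, "Example Corp Issuing CA", 0), leaf,
	}
	var chain []*x509.Certificate
	var keys []*ecdsa.PrivateKey
	var parent *x509.Certificate
	var parentKey *ecdsa.PrivateKey
	for _, tmpl := range tiers {
		cert, key, err := issue(tmpl, parent, parentKey)
		if err != nil {
			return nil, nil, err
		}
		chain, keys, parent, parentKey = append(chain, cert), append(keys, key), cert, key
	}
	return chain, keys[2], nil
}

// VerifyChain chains cert back to the root via both CAs and checks name, as a relying party would.
func VerifyChain(chain []*x509.Certificate, cert *x509.Certificate, name string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[0])
	inters.AddCert(chain[1])
	inters.AddCert(chain[2])
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: name})
	return err
}

// IssueCRL has the issuing CA sign a CRL listing the revoked certificate's serial.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *x509.Certificate) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked verifies the CRL's signature against issuer before trusting its list of serials.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two design points are worth noting. The path-length limits make the tiers enforceable rather than merely conventional: a certificate that tried to act as a fourth CA under the issuing CA would fail VerifyChain. And IsRevoked checks the CRL’s signature before reading it, because a chain that validates says nothing about revocation; in practice the CRL is fetched from the distribution point named in the certificate rather than handed over directly, which is exactly the step that Step 4’s automation has to keep current.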

Now that we know everything about designing a privately trusted PKI system, here are the steps to follow for its implementation.

Steps to implement privately trusted PKI system

  • Step 1: Identify security needs. Analyze your systems and identify the security needs, certificates, and architecture that best suit your operations.
  • Step 2: Choose a CA. Certification authorities are pivotal, and you need a trusted name in the market for your certificate issuance.
  • Step 3: Pick the right environment. Traditionally, an internal PKI system is hosted on-premises, but the cloud is an excellent option with flexibility, scalability, and rising consumer demand. However, the best approach is a hybrid setup where you keep the root certificate and specific intermediate certificates on-premises while running the issuing CA in the cloud.
  • Step 4: Manage certificates. Using DevOps and a CI/CD pipeline, you can improve operational efficiency. However, implementing a PKI alone is not enough; you also need to automate certificate management. For example, automate revocation and renewal of certificates for effective certificate management.
  • Step 5: Create the CP. A certificate policy is the guideline you need to operate the entire PKI. Similarly, you will need a comprehensive CPS for enhanced protection. Both need to be created with the different system aspects and organizational needs in mind.


Whether you are looking to design a privately trusted PKI system for your business or to improve the efficiency of existing PKI infrastructure, a certification authority and a well-defined CP are essential. Here you need to ensure that you are asking the right questions before building your PKI system, such as:

  • What type of certificates are required?
  • Which is the best CA?
  • What architecture is best for the PKI system?
  • Which is better, cloud or on-premises?

Here we have discussed some answers to these questions. So, start creating your private PKI system and enhance security for your business operations.

Maria Colombo