PKI and Certificate Lifecycle Management
A private PKI that automates TLS and mTLS certificate issuance, renewal, and revocation across hybrid services, with CA keys protected in an HSM. Short-lived certificates and automation keep services secure without expiry outages.
What and When
Public-key infrastructure (PKI) issues and manages the digital certificates that secure TLS connections and mutual TLS (mTLS) between services. A managed lifecycle automates issuance, renewal, and revocation so certificates never silently expire. Build a private PKI when you operate many internal services, need mTLS for zero trust, or must control your own certificate authority for compliance.
This design spans hybrid infrastructure: a hardened root and intermediate CA issue certificates consumed by both cloud and on-premises workloads.
Components
- Private CA is the certificate authority hierarchy: an offline root and online intermediates that sign end-entity certificates.
- HSM (hardware security module) protects the CA private keys so they cannot be exported.
- ACME protocol automates certificate issuance and renewal for clients that support it.
- cert-manager issues and rotates certificates for Kubernetes workloads automatically.
- OCSP responder answers real-time revocation queries; a certificate transparency log records issued certificates for auditing.
- Key rotation policies ensure keys and certificates are refreshed before expiry.
Data Flow
A service needs a TLS certificate. It requests one via ACME or cert-manager, proving control of its identity. The intermediate CA, with its key in the HSM, signs a short-lived certificate and returns it. The service uses the certificate for TLS or mTLS. Before expiry, the automation renews it without human intervention. If a certificate must be revoked, the OCSP responder reflects the new status so relying parties reject it.
Scaling and Resilience
Automation is what makes PKI scale: thousands of short-lived certificates renew without tickets or outages. Keep the root CA offline and air-gapped; run multiple intermediate CAs and OCSP responders for availability. Short certificate lifetimes reduce reliance on revocation infrastructure. Monitor expiry dates centrally to catch any certificate the automation missed.
Security
The CA private keys are the crown jewels; protect them in an HSM and keep the root offline. Use short-lived certificates so a compromised key has limited value and revocation is rarely needed. Enforce least privilege on who can request certificates for which identities. Log all issuance to a transparency log for audit, and align the hierarchy and controls with ISO 27001 requirements.
Trade-offs and Alternatives
Running your own PKI is operationally serious: key ceremonies, HSMs, and CA availability all demand expertise. Managed services such as AWS Private CA or Google CAS reduce this burden while keeping a private trust chain. For public-facing certificates, free public CAs via ACME (Let's Encrypt) are simpler. Choose a private PKI when you need internal mTLS at scale or strict control over the trust chain.