
Choosing the Right PKI for Your Applications


Here, I will walk you through choosing the right PKI for your applications.

Whether you think of it as a security technology, a security model, or you don’t think of it at all, Public Key Infrastructure (PKI) underpins our daily lives. Just about anything that communicates over the internet uses PKI: your smart TV, the fuel pumps at the gas station around the corner, the entirety of the World Wide Web. You get the idea.

The term digital trust refers to the positive outcomes of PKI. If you think about it through that lens, it becomes easy to understand PKI in non-technical terms. 

Why do you trust something? Often, it is because something came from another thing that you deem an authority. If two people consider the same source to be an authority, they both trust the thing it produces. We trust certain information, currency, and identity documents because they come from things we deem authorities.

Trust is not absolute. Your trust in something can be subjective or situational. You likely trust your family and loved ones more than you trust strangers. In turn, you share things with people close to you that you wouldn’t share with strangers.

Trust can also vary based on your perception of risk. I trust my old Land Rover to handle tough offroad trails, but I’d think twice before taking it on a long road trip (even though it’s never let me down).

PKI and Trust

PKI uses Certificate Authorities to issue certificates that things (web servers, smart TVs, people) use to confirm their identities and communicate securely. If you trust the Certificate Authority, you trust the certificates it issues.

PKI provides all the flexibility we need for digital trust in the real world. Broadly speaking, there are three kinds of PKI security models:

  • External PKI involves public Certificate Authorities that are trusted by default in web browsers and major operating systems. They are governed by a combination of the CAB Forum and browser and OS vendors. The most common example is the Web PKI, for which CAs like DigiCert, Sectigo and Let's Encrypt issue TLS certificates for web servers.
  • Internal PKI uses private CAs operated within an organization or other closed environment. The organization operating the private CA has complete control over the trust derived from it. Corporate laptops often have certificates issued by the company’s private CA. 
  • Federated PKI typically uses CAs that are operated like those in the Web PKI in that they use an external governance model and serve as a common root of trust among disparate organizations. These PKIs are usually industry-specific and tailored to meet requirements for trust and interoperability across an ecosystem. DirectTrust, which the healthcare sector uses for the trusted exchange of information among providers, is an example of a federated PKI.

Trusting Trust

In the Web PKI, we trust a certificate authority because it is operated according to a set of rules. And we can trust that it is operated according to a set of rules because an independent party audits the CA operations. And we trust the auditor because it is governed by a professional licensing body. And the repercussions for violating this trust are severe.

IoT device manufacturers use private CAs to issue certificates for their devices. For instance, a smart air conditioning unit may carry a certificate that protects it from tampering. If such a device doesn’t have a certificate issued by the vendor’s trusted private CA, then it may not be a proper air conditioning unit in use by an authorized customer.

This helps them authenticate connections, maintain security of the software on the device, and mitigate the effects of counterfeits. Their private CA allows them to create a closed ecosystem for trust.

Running a secure private CA demands robust, multi-layered security, something that can be expensive and may exceed the in-house expertise of many organizations. Establishing trust within a closed ecosystem also requires every component to be explicitly configured to trust the private CA, which involves careful planning and continuous governance to prevent outages and security gaps.

Of course, all that work may be inadequate when you ask another organization to trust your CA: your private CA is neither independently governed nor externally audited. Federated PKIs exist for this reason. They are the best option for combining the basis for broad trust with the specialization of an internal PKI.

Federated PKIs are often operated on behalf of industry consortiums by commercial PKI companies that have the expertise, have the layered security in place, and already undergo external audits.

However, operating systems and browsers do not, by default, trust CAs associated with federated PKIs. Organizations must configure their machines to trust them.
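The closed trust ecosystem described above, as an added Go example that is not code from the article: it stands up a constructed vendor root CA, issues one device certificate from it, and shows that the device certificate verifies only against a trust store that explicitly contains that root, not against the operating system's default store. The CA and device names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh key for tmpl and signs it; a nil parent makes it self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // root CA: the new key signs its own certificate
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
// BuildPrivatePKI stands up a constructed vendor root CA and issues one device certificate from it.
func BuildPrivatePKI() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now().Add(-time.Minute)
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Private Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	device, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ac-unit-0001"}, // constructed identity
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root, rootKey)
	return root, device, err
}
// VerifyDevice checks the device chain against the given anchors; nil means the OS default store.
func VerifyDevice(device *x509.Certificate, roots *x509.CertPool) error {
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Adding the root with x509.NewCertPool().AddCert(root) reproduces the explicit trust configuration each component needs; passing nil to VerifyDevice fails because the private root is unknown to the system store.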

Convenience Isn’t Free

Because External PKI certificates are trusted by major operating systems and web browsers by default, using them avoids the additional work of establishing trust that an Internal or Federated PKI requires. If you have a device, machine, cloud service, etc., and you want other things to communicate securely with it, a public certificate is often the most convenient solution.

Using a public web server certificate for use cases like API authentication or communication among cloud containers can introduce unforeseen disruptions. Public web server certificates are subject to evolving policies of the CAB Forum and other browser trust programs that may not align with non-browser applications. Recent examples include:

  • The phased reduction of TLS certificate lifespans to 47 days, a duration incompatible with the realities of managing proprietary devices like cash machines and some network appliances.
  • Chrome’s recent announcement that it will distrust CAs issuing TLS certificates for client authentication. Affected certificates will be difficult for organizations to identify without a detailed understanding of each certificate.
  • Mandatory mass revocation of certificates in response to documentation errors, creating extra work for customers and increasing risk of outages despite there being no security vulnerability.
  • The network names in your public certificate are publicly available through Certificate Transparency logs, which could provide clues for outsiders seeking to penetrate the network.

The Right PKI for the Job

Choosing the right PKI for your use case ensures trust and reliability of the process you are securing. External PKI is essential for use cases that require broad, internet-wide trust of web servers, email, and software. These certificates must conform to strict standards and are trusted by default across user environments.

However, extending public certificates to other use cases—like internal APIs, device identity, or cloud workloads—can lead to increased administrator overhead or service disruptions as browser policies evolve.

Internal PKI offers the flexibility to meet enterprise security requirements without relying on external trust. Organizations can issue certificates for devices, users, workloads, and internal services under their own policies and controls.

This enables use cases like secure Wi-Fi, VPN authentication, internal code signing, and identity for IoT devices. While Internal PKI can replicate many of the functions of External PKI, it does so within a closed trust ecosystem. The challenge lies in the complexity of doing it right—requiring specialized expertise and secure infrastructure.

If this sounds daunting, PKI as a Service (PKIaaS) solutions provide the operational discipline, scalability, and security controls of a mature PKI without the overhead of managing it in-house.

Federated PKIs fill the gap between public and private trust models by providing cross-organizational trust within a specific domain or industry. These frameworks are purpose-built to enable secure interoperability across organizations that share common requirements but are outside the scope of browser trust. Examples include the X9 Financial PKI, the Matter PKI for smart home interoperability, and SAE’s EVPKI for electric vehicle charging. These PKIs are governed by shared policies and often support use cases like mutual TLS, device identity, and cross-entity authentication. 

As organizations expand their digital trust strategies, understanding the strengths and scope of each PKI model ensures the right foundation for both immediate needs and future stability. Choosing the right PKI model isn’t just a technical decision; it’s a strategic one. When done right, PKI becomes more than infrastructure: it becomes a business enabler for resilience, security, and growth.


About the Author:

Director of Product & Solutions Marketing at