In this workshop we will explain the theoretical basics of Public Key Infrastructure (PKI): certificate validity periods, revocation lists, hardware security modules, and the specific processes and organizational measures involved in operating a PKI in a company network. During the workshop we will discuss which architecture makes sense and how the respective requirements can be met with the available resources. Operational aspects are particularly important here, e.g. the implementation of a dual control principle and disaster recovery.
Why is a Public Key Infrastructure (PKI) necessary?
The use of a company-wide Public Key Infrastructure (PKI) is a necessity in modern IT infrastructures. Certificates are needed for a range of purposes, e.g. publicly trusted certificates for communication with external partners via web servers (SSL/TLS), VPN gateways (IPsec) or email encryption (S/MIME).
Trusted certificates are also required for internal resources in order to secure various processes. These include strong, password-independent authentication (using smart cards), other certificate-based authentication methods in LAN and WLAN infrastructures, digital signatures, and machine certificates for device authentication.
The design of a PKI depends heavily on the security and confidentiality requirements. Planning is often carried out on the basis of best-practice papers, which are frequently far too complex for the actual requirements or, in some cases, undersized. The specific requirements for using a PKI in terms of security level, availability, integrity and scalability of an appropriate solution should be captured as part of a risk assessment.