Configuring enterprise public key infrastructures to permit integrated deployment of signature, encryption and access control systems

With the emergence and widespread use of digital technology at all levels, from strategic bases and infrastructures down to the soldier on the ground, security of these systems and the networks that they connect to has taken on paramount importance. The past decade has seen widespread development, innovation, and growth within the DoD, Government, and commercial communities of public key infrastructure (PKI) to meet these security needs. PKI is a robust technology, supporting numerous applications, including user and computer authentication, secured communications, data encryption, and digital signature. As PKI technologies have moved from the laboratory and university into the mainstream, numerous operational issues have been realized that hamper their widespread adoption. These issues include: deployment and maintenance of certificate authority (CA) infrastructures; storage of digital certificates on computer servers and workstations; transportation of certificates from computer to computer; replacement of lost credentials; and "PKI-enabling" of applications. A burgeoning industry has arisen to meet these challenges, producing an alphabet soup of products; many of which have competing and mutually exclusive capabilities, limitations, and supporting requirements. This paper examines these problems, and proposes methods and techniques for the successful employment of PKI to support as wide a variety of end-user applications as possible. It discusses the following key engineering decisions that must be made, and best practices for making them: design of the CA infrastructure for maximum flexibility and vendor agnosticism; design of X.509 certificate templates to permit their proper selection and use for a wide variety of applications, including server security, user and computer authentication, digital signature, and data encryption; storage of certificates on hardware security modules (HSMs), smart cards, and removable tokens; and finally, PKI-enabling of networks and applications. Finally, it discusses "gotchas " and issues that must be dealt with in the process of operational deployment of these technologies.