iPKI is Intertrust’s PKI (Public Key Infrastructure) Certificate Authority (CA) service. iPKI designs, issues, and maintains PKI certificates throughout their lifecycle on behalf of its customers.
PKI certificates underpin many of the controls, such as authenticated and encrypted communication, that form the bedrock of any organization’s cyber security strategy. Since certificates are a vital part of securing the computing resources every modern organization depends on, organizations need professional CAs such as iPKI to maintain and manage their certificates properly throughout their lifetime.
iPKI is used by organizations to issue and manage PKI certificates for the connected devices they wish to protect from bad actors. These organizations typically use iPKI not just for simple X.509 certificates, but to design and maintain secure rich device identities for their connected devices.
Device identities are the certificate-based identities issued to devices so that the organizations deploying them can trust both the device and the data it transmits. A device typically performs several roles and works with several cloud services to perform them. Rich device identities are identities designed to cover all of the usage scenarios of a connected device.
Take an IoT gateway as an example. IoT gateways route data between IoT devices, such as sensors, and their destinations. A gateway may route data for two or more cloud services and needs a device identity for each of those services, so that each service can authenticate the gateway independently. Increasingly, gateways also analyze some of the data locally, and the software that performs that analysis needs a device identity of its own. A rich device identity is designed and used to secure all of the gateway’s intended use cases.
Yes, iPKI is WebTrust compliant and certified. iPKI complies with the following standards: RSA 1024/2048 bit (1024-bit RSA is no longer recommended for new deployments), Elliptic Curve 150 to 528 bit, AES 128/192/256-bit, X.509 v3, RFC 5280, RFC 4325, FIPS 140-2, FIPS 186-2, PKCS #7, #8, #10, #12, signed SAML assertions, signed or encrypted XML or blobs, SP 800-22 & SP 800-90, and RFC 1750.
Many PKI CAs mass-produce simple PKI certificates. With the experience of provisioning over 20 billion keys to more than 2 billion devices, and backed by a top-notch customer service team, iPKI designs and maintains rich device identities throughout their lifecycle in addition to issuing certificates. In particular, modern IoT certificates are short-lived and need to be renewed continually, something iPKI handles at scale. iPKI is also flexible and can handle requests ranging from tens of devices to tens of millions of devices.
NIST IR 8259A describes a core baseline of cyber security capabilities for IoT devices. One of its core elements is the requirement that a device be uniquely identifiable. A secure device identity is also needed to implement other capabilities called out by NIST IR 8259A, such as protecting data both on the device and while it is transmitted. Data in transit is protected by encrypting it, and the device identity is what makes that possible: the certificate carries the device’s public key, while the matching private key stays on the device and is used to authenticate the device and to establish the keys that encrypt the data. PKI certificates are therefore a necessary element of a secure device identity, and iPKI can design rich device identities that encompass the various roles a device plays.
A bad actor can write a program that imitates a device and feeds a cloud service fake data in order to trigger an action the bad actor wants. With an iPKI-designed and issued rich device identity, the service accepts data only from a device that can prove possession of the private key behind a certificate the CA issued for that role, which makes such imitation very difficult, provided the private key is kept securely on the device.
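To make the rich-identity and anti-imitation points above concrete, here is an added example using only Go’s standard library. It is not iPKI’s code and is not part of the original page: a root CA stands in for the hosted CA, one gateway key is bound to three hypothetical roles (two cloud services and the on-gateway analytics software), each certificate is short-lived and restricted by subject alternative name and extended key usage, and a relying service’s check accepts a certificate only for the role it was issued for. The role names, the example hostnames and the gw-0001 identifier are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role is one usage scenario of the gateway's rich identity (hypothetical names and EKUs).
type Role struct {
	Name    string           // label placed in the certificate Subject
	DNSName string           // SAN the relying service checks; "" for non-TLS roles
	EKU     x509.ExtKeyUsage // what the certificate may be used for
}

// GatewayRoles: one identity per cloud service plus one for the on-gateway analytics code.
var GatewayRoles = []Role{
	{"cloud-a-telemetry", "gw-0001.cloud-a.example", x509.ExtKeyUsageClientAuth},
	{"cloud-b-control", "gw-0001.cloud-b.example", x509.ExtKeyUsageClientAuth},
	{"edge-analytics", "", x509.ExtKeyUsageCodeSigning},
}

// NewKey generates a P-256 key pair; a device's key is generated on the device and never leaves it.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA builds a self-signed root standing in for the hosted CA.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // demo only; a real CA uses random serials
		Subject:               pkix.Name{CommonName: "Example Device Root CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	cert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return cert, key, err
}

// IssueRoleCert is the CA side: bind the gateway's public key to exactly one role for 24h.
func IssueRoleCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey, role Role) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "gw-0001", OrganizationalUnit: []string{role.Name}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived; renewal is a re-enrolment
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{role.EKU},
	}
	if role.DNSName != "" {
		tmpl.DNSNames = []string{role.DNSName}
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey))
}

// VerifyForRole is the relying service's check: chain to the trusted root and require
// this role's EKU and SAN. A nil result means the certificate was issued for this role.
func VerifyForRole(cert, root *x509.Certificate, role Role) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: role.DNSName, KeyUsages: []x509.ExtKeyUsage{role.EKU}})
	return err
}

func main() {
	root, rootKey, err := NewRootCA()
	if err != nil {
		panic(err)
	}
	dev, _ := NewKey()
	for _, r := range GatewayRoles {
		c, _ := IssueRoleCert(root, rootKey, &dev.PublicKey, r)
		fmt.Printf("%-18s own role: %v | presented to cloud B: %v\n", r.Name, VerifyForRole(c, root, r), VerifyForRole(c, root, GatewayRoles[1]))
	}
	// An attacker without the real CA can only mint a root of their own; the look-alike does not chain.
	fakeRoot, fakeKey, _ := NewRootCA()
	spoof, _ := IssueRoleCert(fakeRoot, fakeKey, &fakeKey.PublicKey, GatewayRoles[0])
	fmt.Println("look-alike at cloud A:", VerifyForRole(spoof, root, GatewayRoles[0]))
}
```

Run it with go run: each certificate verifies for its own role, the cloud A certificate is rejected at cloud B (SAN mismatch) and for code signing (EKU mismatch), and the look-alike issued by the attacker’s own CA fails with an unknown-authority error. That separation is what a rich identity buys: compromising or misusing one role’s certificate does not grant the others, and imitation without the gateway’s private key is not possible at all.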
PKI certificates and the professional services to implement and manage them are available from iPKI through the Intertrust sales team.
iPKI follows the Simple Certificate Enrolment Protocol (SCEP, RFC 8894) for deploying PKI certificates to devices. Deployment can be done offline, by delivering certificates to be provisioned on the customer’s factory floor or through their own field provisioning system, or online, by delivering credentials from an iPKI-hosted secure, multi-tenant, cloud-based repository when the device initializes. Either way, iPKI’s highly scalable services can deliver millions of credentials in a single order. Because a SCEP enrolment is authorized by a challenge password (or, for renewal, by the device’s existing certificate), the channel by which that secret reaches the factory or the device deserves the same care as the certificates themselves.
Intertrust Platform includes edge-to-cloud capabilities that allow enterprises to connect IoT devices, and the data they transmit, securely to cloud services. iPKI is a core part of this capability.