PKIWorks™

Challenge: How do I get certificates, or keys and certificates, that I will install on my devices by myself?

With public key cryptography being the backbone of device and system security, organizations ponder whether to build their own PKI and Certificate Authority for issuing device credentials. Building and maintaining an in-house solution presents substantial challenges. It requires investments in expertise, resources, and infrastructure to ensure trustworthiness and effectiveness. Additionally, establishing robust operational processes and procedures, adhering to industry standards, and achieving regulatory compliance require meticulous attention to detail. Undertaking an in-house PKI and CA initiative entails associated costs and risks.

If you want to obtain certificates, or both keys and certificates, that you will install on your devices using your own provisioning system, PKIWorks™ Basics – an interactive web portal – is the solution for you.

Challenge: My devices have key pairs but how do I get certificates and have them installed on my devices directly?

PKI is widely adopted for trust establishment and secure communications. Modern chips and devices have built-in public key cryptography functionalities for key pair generation. However, without digital certificates, these device key pairs lack association with PKI ecosystems, limiting their ability to provide security for specific applications. Issuing certificates to devices, especially in volume production, poses challenges, as the manual process of collecting certificate signing requests (CSR) and obtaining certificates via the online platform from a CA provider can be impractical. This approach becomes cumbersome, especially for large-scale production or field updates, requiring streamlined efficiency.

If you have devices that already have key pairs and need to have certificates for the key pairs installed automatically, PKIWorks™ Essentials – an automated CSR-based certificate provisioning service – is the solution for you.

Challenge: How to securely install unique keys and certificates on a large number of devices that are being made in factories?

The implementation of public key cryptography-based key generation in IoT devices poses new challenges despite their scalability for security. Inadequate entropy in the hardware random number generators (RNGs), revealed by market research, used by billions of IoT devices may compromise the generation of unique and unpredictable device keys. Directly issuing valid certificates to such keys may potentially weaken the overall security of the IoT ecosystem. Securing a signing infrastructure in a manufacturing setting is also challenging due to evolving cybersecurity threats in supply chain.

Another noteworthy use case involves non-PKI based keys from popular licensing authorities like Google Widevine, Microsoft PlayReady, Apple FairPlay, and others. These keys, which cannot be generated by the devices themselves, must be obtained from the respective authorities. As a result, CSR-based or similar methods are not applicable in this scenario. It is vital to securely distribute and install a unique key for each device, ensuring that it is not reused for a different device.

If you need to install unique keys and certificates on high-volume devices as part of your manufacturing process, PKIWorks™ Complete – a fully managed key and certificate provisioning service – is the solution for you.