Issuing client certificates to customers
Solution 1:
A professional certificate authority business has more experience in securing CA transactions and can handle that outsourced, for a fee. This may be $10 a certificate but it can likely meet government or commercial standards that are applicable to regulated industries and general risk transfer (off your company).
While $10 a pop may be daunting, keep in mind that a CA will also pick up for you all proper costs associated with running a real CA
- Certificate Authority Physical Enclosures
- Trained PKI staff
- Certificate Policy (CP)
- Certificate Practice Statement - (CPS) an SOP on how it works
- Annual Auditing via an independent auditor
- hardware security module procurement and operation
- certificate authority software operation (root CA)
- certificate authority software operation (Sub CA)
- validation authority software operation
- servers
- datacenter space
- security auditing of above infrastructure
Working with a CAs could enable you to run a registration authority that determines who will get credentials, and hand off the more painful part to a CA, depending on the specific model of that CA.
Windows based PKI implementations are generally insecure, have online and easily compromised PKIs that expose companies to risk. They rarely use HSMs, and a domain admin compromise can yield a complete PKI compromise.
Standard digital certificates can be used for both accessing websites, as well as logon to domains, email encryption, signatures and physical entry, depending on the certificate and object IDs (OIDs). Digital certificates can be in software (vulnerable to theft) or hardware (more secure, but still compromise-able via malware MITM attacks).
Many companies faced with the same decision as you partner with a PKI provider that will advise. But, there are several models for this
- train staff up and go internal
- engage a consultant and go internal
- use an external provider
- hybrid internal and external
You can easily issue an RFI to several different CAs and PKI providers in order to determine their costs, and sample implementations they have performed for similar requirements as yourself. With a more detailed RFP, you could do extensive cost comparison between running PKI services internal to your company, outsourcing it, or a hybrid.
With above data, and knowing your company's core competencies, you are prepared to make that decision about whether you should do it internally, externally, and with whom. Even if you decide to stay internal, you'll have learned a great deal more in the process.