PRIVATE KEYS… ARE THEY??
In line with “insider” zero trust, let’s say that we have exercised due care and replaced all the self-signed certificates we used for managing our systems.
The new “replacement” certificates are now signed by our internal intermediate CA, which is fantastic.
In the joy of testing and verifying the new certificates, we may have forgotten that along with them we placed their associated private keys on the same system or device. This simply means that any system admin with PKI privileges on that device has access to those keys.
One may argue that a good PAM approach should mitigate this issue. However, do you know for sure what level of access is given to whom, and on what device? Do you know the answer to that question for every device in your environment?
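As an added example, not code from the original post, here is a stdlib-only Python audit that walks a directory tree, reports every PEM private key it finds, and records whether the key is passphrase-protected, whether it is group- or world-readable, and whether a certificate sits beside it. The `demo()` tree and its PEM bodies are constructed placeholders, not real key material.

```python
import os, re, shutil, stat, tempfile, pathlib
from dataclasses import dataclass

KEY_RE = re.compile(rb"-----BEGIN (?:(ENCRYPTED) |RSA |EC )?PRIVATE KEY-----")  # PKCS#8, encrypted PKCS#8, legacy RSA/EC
LEGACY_ENC = b"Proc-Type: 4,ENCRYPTED"      # legacy PEM marks encryption in a header line instead
CERT_MARK = b"-----BEGIN CERTIFICATE-----"


@dataclass
class KeyFinding:
    path: str
    encrypted: bool                # passphrase-protected at rest?
    group_or_world_readable: bool  # any admin or service account on the box can read it
    cert_alongside: bool           # a certificate sits in the same directory (or the same file)


def audit_private_keys(root):
    findings = []
    for dirpath, _, names in os.walk(root):
        blobs = {}
        for name in names:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    blobs[name] = fh.read(65536)  # PEM headers sit near the top of the file
            except OSError:
                continue  # unreadable or vanished: skip it rather than abort the whole audit
        has_cert = any(CERT_MARK in blob for blob in blobs.values())
        for name, blob in blobs.items():
            if match := KEY_RE.search(blob):
                path = os.path.join(dirpath, name)
                loose = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
                encrypted = match.group(1) is not None or LEGACY_ENC in blob
                findings.append(KeyFinding(path, encrypted, loose, has_cert))
    return sorted(findings, key=lambda k: k.path)


def demo():
    """Audit a constructed sample tree; the PEM bodies are placeholders, not real key material."""
    root = tempfile.mkdtemp(prefix="pki-audit-")
    os.makedirs(os.path.join(root, "web-console"))
    samples = {  # relative path -> (PEM text, file mode)
        "web-console/console.crt": (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n", 0o644),
        "web-console/console.key": (b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "backup.p8": (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n", 0o600),
    }
    try:
        for rel, (body, mode) in samples.items():
            target = pathlib.Path(root, rel)
            target.write_bytes(body)
            target.chmod(mode)
        return audit_private_keys(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Point `audit_private_keys()` at the directories where your management consoles keep their TLS material to get the per-device inventory the questions above ask for.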
I would say it is time to systematically manage your private keys: it is time to deploy an HSM solution, even for the private keys used with web console certificates. This way you have a central repository of private keys, and you know exactly who is managing the HSM. Furthermore, the HSM can also host your internal root CA.
An HSM is no longer a nice-to-have; it is a must-have. It can also serve as a central PKI management system to sign, renew and revoke digital certificates.
Futurex’s Excrypt SSP Enterprise v.2 is the fastest HSM in the world. It is complemented by the VirtuCrypt virtual and cloud HSM offerings for hybrid deployments as well.
Finally, Futurex users can create and deploy virtual HSMs with the Futurex Client Library (FXCL) and the Futurex Command Line Interface (FXCLI), which offer user-focused scripting and automation capabilities.