Pitfalls Of On-Premises Private PKI: Here Are 6 Things That Could Go Wrong

Public key infrastructure (PKI) offers a simple yet efficient way of provisioning, managing, and securing machine identities. With identity and trust at its heart and a powerful combination of authentication and encryption capabilities, PKI helps organizations ensure data privacy, integrity, and security as well as authorize, validate, and authenticate digital identities. However, managing PKI and machine identities continues to be a challenge for enterprise organizations, leaving them exposed to security incidents and outages.

A component of enterprise PKI is an on-premises private certificate authority that issues certificates for internal use cases requiring only private trust. Common on-premises PKI offerings include Microsoft CA and PrimeKey (Keyfactor) EJBCA, which are set up and run within an organization’s IT infrastructure and administered and governed by an internal PKI team. Now that cloud adoption has been added to the mix and infrastructures have grown significantly, these on-premises PKI deployments have become overly complex to manage and expensive to maintain and scale. Given the many challenges of on-premises PKI deployments, organizations are now looking for cloud-based alternatives.


Things That Could Go Wrong with On-Premises PKI

While managing private PKI on-premises, there are several things that could go wrong, which can result in significant business losses, disruptions, or security risks. Let’s look at some common pitfalls associated with operating your own in-house or on-prem PKI.

1. Failed Audits and Non-Compliance: Legacy on-premises PKI that was designed and deployed in the past for a specific purpose may no longer meet current security standards. Failure to follow best practices, such as not using compliant HSMs to protect keys and not implementing appropriate governance and policies, can result in failed audits, compliance issues, and significant security vulnerabilities. A PKI assessment that uncovers weaknesses may result in an expansion of the audit’s scope, failure, and increased future scrutiny. Business disruptions may also occur until the audit findings or violations are remediated.

2. PKI Team Churn: Managing an in-house PKI is a resource-intensive process that requires skilled PKI personnel to handle the deployment, ongoing operations, and maintenance. However, PKI expertise is hard to come by given that it is a niche technology, and there is an overall cybersecurity labor shortage. This makes it very difficult to find and retain the skilled PKI professionals needed to deploy and maintain on-prem PKI. When PKI team churn takes place, enterprises struggle to continue operating and maintaining a compliant and efficient on-prem PKI. Legacy on-prem PKI and processes, designed by former staff, are often left in the hands of IT members who are already resource-constrained. Or worse, the on-prem PKI falls into inexperienced hands, where minor errors result in a major outage or security incident.

3. Lack of Scalability and Operational Efficiency: As organizations expand in size, organically or through acquisitions, the number of required certificates grows proportionally. As a result, enterprises need to scale their PKI to accommodate higher capacity and throughput for issuing higher volumes of certificates. Therefore, a private PKI needs to be scalable and capable of expanding and adapting in an agile manner without extensive effort. However, with on-premises PKI, this is a significant challenge. On-premises PKI is not flexible by nature, and scaling takes months of intense planning as well as additional hardware, resources, maintenance, dedicated staff, and security procedures—all of which are time- and cost-intensive. On-premises PKI also does not include built-in Certificate Lifecycle Management (CLM) automation, which must replace manual processes to effectively and efficiently manage large volumes of certificates. Manually tracking and managing high volumes of certificates, from discovery and inventory to provisioning and renewal, is highly inefficient and error-prone, resulting in outages and security vulnerabilities.

4. High Total Cost of Ownership (TCO): There are a number of expense factors that organizations must consider when deploying and maintaining PKI in-house. In reality, the cost of software and hardware for the PKI solution is often a minor component of the overall cost of ownership for an on-prem PKI solution. Human resource costs are a significant recurring expense, given that skilled PKI personnel are required to design, implement, and manage the in-house PKI. Enterprises often encounter further unbudgeted expenses when building and maintaining a compliant and secure on-premises PKI, which include:

  • Acquisition and maintenance of hardware – servers, HSMs, load balancers, backup devices
  • Acquisition and maintenance of software – Windows Server licenses
  • Secure facilities, data center, and equipment access
  • Policy development and monitoring
  • Certificate lifecycle management
  • Highly available validation infrastructure (Certificate Revocation List (CRL)/Online Certificate Status Protocol (OCSP))
  • End-user assistance
  • IT training
  • Backup and disaster recovery
  • Resources for scalability to support user and application development

5. Lack of Support for New Technologies and Use Cases: PKI use cases have evolved considerably over the years, and new use cases are still developing at a rapid pace. For example, the rise of multi-cloud, DevOps, IoT, and remote work policies has moved the security emphasis from perimeter protection to securing everything with trusted identities. Unfortunately, traditional on-prem PKI struggles to keep pace with these changes. Every use case has different certificate prerequisites; for example, containers require short-lived certificates that must be provisioned frequently. Modern PKI use cases, such as IoT, DevOps, and cloud, require auto-enrollment protocols such as EST and ACME that are not available with traditional on-prem PKI.
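Pitfalls 3 and 5 both come down to the same operational problem: once an inventory holds thousands of certificates, some of them short-lived, nobody can track renewal windows by hand. The following Go program is an added example, not code from the post or from AppViewX, showing the core of what a CLM inventory check automates. It generates a few self-signed sample certificates inline (constructed data standing in for what a discovery scan would find) and flags any that are already expired or inside their renewal window. The renewal policy (`RenewalWindow`, which renews short-lived certificates after a third of their lifetime and long-lived ones 30 days before expiry) is a hypothetical policy chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// RenewalFinding records one certificate that the inventory check flagged.
type RenewalFinding struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
}

// makeTestCert builds a self-signed certificate with the given validity window.
// It only produces constructed sample data standing in for certificates that a
// discovery scan would find; a real inventory would parse PEM/DER from hosts.
func makeTestCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalWindow returns how far ahead of expiry a certificate should be renewed.
// Hypothetical policy: short-lived certificates (30 days or less, e.g. container
// certificates) are renewed after a third of their lifetime; longer-lived ones
// get a fixed 30-day lead time.
func RenewalWindow(c *x509.Certificate) time.Duration {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	if lifetime <= 30*24*time.Hour {
		return lifetime / 3
	}
	return 30 * 24 * time.Hour
}

// CertsNeedingRenewal scans an inventory at time now and returns every certificate
// that is expired or inside its renewal window, soonest expiry first.
func CertsNeedingRenewal(inventory []*x509.Certificate, now time.Time) []RenewalFinding {
	var out []RenewalFinding
	for _, c := range inventory {
		if now.Add(RenewalWindow(c)).After(c.NotAfter) {
			out = append(out, RenewalFinding{
				Subject:  c.Subject.CommonName,
				NotAfter: c.NotAfter,
				Expired:  now.After(c.NotAfter),
			})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out
}

func main() {
	now := time.Now()
	// Constructed inventory: a one-year server cert issued a month ago, a 24-hour
	// container cert issued 20 hours ago, and a cert that expired yesterday.
	specs := []struct {
		cn     string
		nb, na time.Time
	}{
		{"intranet.example.internal", now.AddDate(0, -1, 0), now.AddDate(0, 11, 0)},
		{"payments-svc.pod.internal", now.Add(-20 * time.Hour), now.Add(4 * time.Hour)},
		{"legacy-app.example.internal", now.AddDate(-1, 0, -1), now.AddDate(0, 0, -1)},
	}
	var inv []*x509.Certificate
	for _, s := range specs {
		c, err := makeTestCert(s.cn, s.nb, s.na)
		if err != nil {
			panic(err)
		}
		inv = append(inv, c)
	}
	for _, f := range CertsNeedingRenewal(inv, now) {
		state := "renew"
		if f.Expired {
			state = "EXPIRED"
		}
		fmt.Printf("%-8s %s (not after %s)\n", state, f.Subject, f.NotAfter.Format(time.RFC3339))
	}
}
```

Running it reports the expired legacy certificate and the container certificate (four hours left of a 24-hour lifetime, inside its eight-hour window) while leaving the one-year certificate alone. The point of the lifetime-proportional window is that a fixed 30-day lead time, which is what a manually kept spreadsheet usually encodes, is meaningless for a certificate that lives 24 hours; a CLM system needs to apply the policy per certificate, and it needs an automated enrollment protocol such as ACME or EST behind it, since a four-hour renewal deadline cannot wait for a ticket queue.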

6. Expiring Hardware and Software: To manage on-premises PKI, you need expensive hardware and software, including HSMs for encryption and storing private keys, dedicated servers, and load balancers. The hardware also needs to be refreshed or replaced periodically as it reaches end of life and/or end of support in order to remain secure and compliant. Having to refresh servers and upgrade the server software that runs your internal CAs, for example, is not only costly but may also result in re-designing the PKI and having to learn new processes.

How Can AppViewX PKI+ Solve Your Problem?

AppViewX PKI+ is a turnkey, scalable, and compliant PKI-as-a-Service. Using AppViewX PKI+, enterprises can set up a robust and secure private CA hierarchy in minutes and start issuing private trust certificates right away. There is no PKI expertise required and no hardware or software to buy or manage. Instead, the management and security of your enterprise-grade PKI are handled as a cloud service by AppViewX, allowing your team to concentrate on more critical aspects of your business.

Additionally, using the AppViewX Lift and Shift migration feature, you can streamline your migration from an on-premises PKI, like Microsoft CA, to a cloud-native AppViewX PKI+ within hours.

Together, AppViewX PKI+ and CERT+ provide modern private PKI and end-to-end certificate lifecycle automation for provisioning and managing private certificates as well as public certificates from external CAs, all from a single platform.

Talk to an expert today to learn how you can modernize and simplify your private PKI and maximize security and compliance with AppViewX PKI+ and CERT+.


About the Author

Debarati Biswas

Senior Specialist - Product Marketing

A content creator and a lifelong learner with an ongoing curiosity. She pens insightful resources to address the pain points of the readers and prospective buyers and help them make well-informed decisions.
