
Public TLS vs. Private PKI: What eIDAS Means for the Future of Digital Trust


As organizations embrace a digital-first approach, one key decision looms large: which public key infrastructure (PKI) solution to choose. PKI forms the backbone of many security mechanisms – enabling authentication, digital signatures, and encrypted communications.

However, when it comes to selecting between public and private PKI, there’s no one-size-fits-all solution, especially with evolving regulations like eIDAS 2.

In my upcoming presentation at Keyfactor Tech Days, I’ll delve deeper into how digital trust and TLS, S/MIME, Code Signing public certificates and Qualified Trust Services are evolving, exploring emerging trends that will reshape the cybersecurity landscape.

The Role of Public TLS and Private PKI

Public TLS certificates, also known as the “WebPKI”, are the most common form of trust people recognize when visiting a website. Trusted by the root stores of the major browsers, these certificates authenticate public-facing services and anchor the TLS session that encrypts the traffic, ensuring users connect to legitimate sites. Public TLS is straightforward – easy to obtain, universally accepted, and sufficient for everyday use.

However, because no other public trust frameworks exist and there are no “dedicated use case” public PKI hierarchies, the WebPKI has historically been used by far more than browsers. Operating system vendors and other application and service providers ship software that uses WebPKI root CAs as trust anchors for TLS server (and client) authentication. SMTP, IMAP, LDAP, FTP and many other protocols could “enable SSL/TLS” simply by deploying a public TLS certificate, because the client already trusted the same roots a browser does. What does the future look like for these “non-browser” use cases?

Private PKI, in contrast, is often chosen by organizations with more customized security needs. A private Certificate Authority (CA) provides full control over certificate policies, validity periods, revocation, cryptographic keys and how regulatory compliance is demonstrated. For businesses managing sensitive data, a private PKI offers autonomy and flexibility that public solutions can’t match; the trade-off is that a private root is trusted only on the devices and applications where you distribute it.

eIDAS (electronic Identification, Authentication and trust Services) is the European Union framework that sets standards for electronic identification, digital signatures and electronic transactions. The real breakthrough of eIDAS is the legal weight it provides – qualified electronic signatures are not just cryptographically secure; they are legally equivalent to handwritten signatures across the EU. With eIDAS 2, the framework is evolving to bring stricter compliance demands, but also new trust services and the European Digital Identity Wallet, which will change how citizens and legal entities interact digitally with each other and with government services.

Public vs. Private PKI: The Trade-Offs

Public TLS is widely trusted and simple to implement, but it lacks flexibility. You depend on a third-party CA and on the rules mandated by the CA/Browser Forum Baseline Requirements and the browser root store policies, which may not align with your internal security policies. While convenient, this lack of control can be limiting and, in some cases, disruptive if you are not prepared for it: in a mass-revocation/replacement event, for example, the Baseline Requirements oblige your third-party CA to revoke affected certificates within 24 hours (or within 5 days, depending on the reason), whether or not you have a replacement ready.

Private PKI, on the other hand, offers greater flexibility and control. However, it comes with added complexity.

Managing a private CA requires infrastructure, expertise, carefully designed policies and ongoing maintenance – it’s not a “set it and forget it” solution. The question is: do you prioritize convenience and broad trust (Public TLS), or control and customization (Private PKI)? We see more and more public CAs offering managed services and private PKI solutions that seem to provide a good balance between flexibility/control and security, since public CAs already have the competency, expertise, infrastructure and baseline security policies in place.

In the years to come, especially as the WebPKI introduces stricter policies (e.g. the phased reduction of maximum certificate validity to 100 and eventually 47 days) that force website operators to automate certificate lifecycle management, what is the best path forward for the “non-browser” public PKI use cases and for websites that are not reachable from the public Internet? For those that cannot automate certificate lifecycle management in time, moving to a private PKI may be the best solution: a private CA is not bound by the WebPKI validity limits, although it still has to handle renewal and revocation on its own terms.
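As an added example (this is not code from the post or from Keyfactor), the Go program below shows what the two preceding points look like in practice: a private CA that enforces its own maximum validity at issuance, and a non-browser client that pins its trust to that private root instead of the WebPKI roots, verifying the host name and the serverAuth extended key usage the same way an SMTP or LDAP client does. The organization name, the host names ending in .example.internal and the 47-day policy constant are assumptions chosen for illustration; the 47-day figure is the value the WebPKI is heading toward, but a private CA can pick any ceiling it likes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxLeafValidity is this private CA's own issuance policy (assumed value).
const maxLeafValidity = 47 * 24 * time.Hour

// newPrivateRoot creates a self-signed root for the hypothetical "Example Corp".
// In a real deployment the key would be generated and kept inside an HSM.
func newPrivateRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a server certificate for dnsName and refuses any
// request whose validity exceeds the CA's policy.
func issueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey,
	dnsName string, validity time.Duration) (*x509.Certificate, error) {
	if validity > maxLeafValidity {
		return nil, fmt.Errorf("policy: requested validity %v exceeds maximum %v", validity, maxLeafValidity)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial, as the Baseline Requirements expect for public certs.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-5 * time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert is what a non-browser client does when it "enables TLS":
// chain-build to the supplied anchors only (system/WebPKI roots are never
// consulted because roots is non-nil), match the host name against the SANs
// and require the serverAuth EKU.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// clientTLSConfig pins a Go client (an SMTP or LDAP library, say) to the
// private root instead of the operating system's WebPKI store.
func clientTLSConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// daysUntilExpiry is the number renewal automation watches; with 47-day
// certificates a renewal window of a few days leaves very little slack.
func daysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	root, key, err := newPrivateRoot()
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(root, key, "mail.example.internal", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cfg := clientTLSConfig(root)
	fmt.Println("private root:", verifyServerCert(leaf, cfg.RootCAs, "mail.example.internal"))
	fmt.Println("empty store: ", verifyServerCert(leaf, x509.NewCertPool(), "mail.example.internal"))
	fmt.Println("days left:   ", daysUntilExpiry(leaf, time.Now()))
	_, err = issueServerCert(root, key, "www.example.internal", 398*24*time.Hour)
	fmt.Println("398-day ask: ", err)
}
```

The same leaf verifies cleanly against the private root and fails with “certificate signed by unknown authority” against an empty (or WebPKI) store, which is exactly the deployment cost of a private PKI: every client has to be told about the root. The policy check in issueServerCert is where a private CA expresses the control the post describes; a public CA applies the CA/Browser Forum's limit instead, and you cannot negotiate it.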

Looking Ahead: The Impact of eIDAS, Public and Private PKI on Digital Trust

The future of digital trust requires informed, forward-thinking decisions. Keyfactor Tech Days will be a great chance to come together and learn how to stay ahead of the curve. In my session, I’ll explore how eIDAS, public and private PKI are changing the digital trust landscape.

Moreover, with eIDAS already an established and tested trust framework for cross-border transactions, non-EU countries are adopting the same or very similar frameworks in their national legislation, accelerating convergence and the legal acceptance of digital signatures on a global scale.

As such, I hope you’ll join me at Keyfactor Tech Days in Miami Beach as we dive deeper into how these trends impact our digital future.
