Mature Enterprise PKIaaS — Reference Architecture
Cloud-Native PKIaaS · HSM-Backed · Zero Trust · DevSecOps Supply-Chain Security
🔑 Certificate Authority Trust Hierarchy — Hosted & Managed by PKIaaS Provider

🏛️ Offline Root CA: RSA-4096 / ECDSA P-384 · HSM-backed · Air-gapped · Provider-managed under the PKIaaS SLA
🔐 Policy CA: Enforces the CP/CPS · Cross-org constraints (X.509 name and policy constraints on everything beneath it) · No direct end-entity issuance

Issuing CAs (each scoped to one certificate class):
  💻 Device: SCEP/NDES · MDM-enrolled
  👤 User: VPN · SSH · Email/S/MIME
  ✍️ Code Sign: CI/CD pipeline · Commit · Build
  ⚙️ Workload: SPIFFE/SPIRE · Short-lived
  🌐 TLS/Web: Internal HTTPS · plus a separate publicly trusted CA for internet-facing TLS
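What the three tiers above mean in X.509 terms, as an added example (not the page's or any provider's code): an offline root with pathLen 2, a Policy CA that carries a name constraint and is never allowed to sign a leaf, and a pathLen-0 issuing CA that does. It uses the Python `cryptography` package; the names, the `corp.example.com` subtree and the "leaves only from an issuing CA" rule are assumptions. The validator is deliberately simplified (signature, CA flag, pathLen, DNS name constraints, validity window) and is not a substitute for a full path validator, but it is enough to show the four outcomes that matter: an in-scope leaf chains, an issuing CA used outside its subtree is caught by the Policy CA's name constraint, a leaf signed directly by the Policy CA is refused, and a leaf forged under the issuing CA's name fails signature verification.

```python
"""Root -> Policy CA -> issuing CA -> leaf with the hierarchy's constraints (added example, see lead-in).
Simplified validator: signature, CA flag, pathLen, DNS name constraints, validity. Not a full X.509 path validator."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(cn, issuer_cert, pub, days):
    return (x509.CertificateBuilder().subject_name(_name(cn))
            .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=days)))


def make_ca(cn, issuer=None, path_len=None, permitted_dns=None):
    """Return (key, cert); issuer=None yields a self-signed root."""
    key = ec.generate_private_key(ec.SECP384R1())
    ikey, icert = issuer or (key, None)
    b = (_builder(cn, icert, key.public_key(), 3650)
         .add_extension(x509.BasicConstraints(ca=True, path_length=path_len), critical=True)
         .add_extension(x509.KeyUsage(False, False, False, False, False, True, True, False, False), critical=True))
    if permitted_dns:  # only names inside these subtrees may appear anywhere below this CA
        b = b.add_extension(x509.NameConstraints([x509.DNSName(d) for d in permitted_dns], None), critical=True)
    return key, b.sign(ikey, hashes.SHA384())


def make_leaf(dns_name, issuer):  # issuer is a (key, cert) pair; the leaf is short-lived
    ikey, icert = issuer
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(dns_name, icert, key.public_key(), 1)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .sign(ikey, hashes.SHA256()))
    return key, cert


def _permitted(dns, subtrees):  # RFC 5280 DNS constraint: the name itself or any subdomain
    return any(dns == s or dns.endswith("." + s) for s in subtrees)


def _window(c):  # *_utc properties exist on cryptography >= 42; older versions give naive UTC
    return [getattr(c, a + "_utc", None) or getattr(c, a).replace(tzinfo=timezone.utc)
            for a in ("not_valid_before", "not_valid_after")]


def validate_chain(leaf, intermediates, root, at=NOW):
    """Return the path root..leaf, or raise ValueError / InvalidSignature."""
    path = [root, *intermediates, leaf]
    permitted = None  # DNS subtrees accumulated from name-constrained CAs (None = unconstrained)
    for i, cert in enumerate(path):
        issuer = path[i - 1] if i else cert  # the root is self-signed
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        nb, na = _window(cert)
        if not nb <= at <= na:
            raise ValueError(f"{cert.subject.rfc4514_string()} is outside its validity period")
        if cert is leaf:
            break
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            raise ValueError("non-CA certificate used as an issuer")
        if bc.path_length is not None and len(path) - i - 2 > bc.path_length:
            raise ValueError("pathLenConstraint exceeded")
        try:
            nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
            dns = [n.value for n in (nc.permitted_subtrees or []) if isinstance(n, x509.DNSName)]
            permitted = dns if permitted is None else [d for d in dns if _permitted(d, permitted)]
        except x509.ExtensionNotFound:
            pass
    if permitted is not None:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for dns in san.get_values_for_type(x509.DNSName):
            if not _permitted(dns, permitted):
                raise ValueError(f"{dns} violates name constraints {permitted}")
    # organisational rule from the hierarchy: the Policy CA and the root never issue end-entity certs
    if path[-2].extensions.get_extension_for_class(x509.BasicConstraints).value.path_length != 0:
        raise ValueError("leaf must come from an issuing CA (pathLen 0), not the policy or root CA")
    return path


def _rejects(*args):  # error text, or None if the chain validated
    try:
        validate_chain(*args)
    except (ValueError, InvalidSignature) as exc:
        return f"{type(exc).__name__}: {exc}"


def demo():  # "Acme" names and the corp.example.com subtree are constructed for the example
    root = make_ca("Acme Offline Root CA", path_len=2)
    policy = make_ca("Acme Policy CA", root, path_len=1, permitted_dns=["corp.example.com"])
    issuing = make_ca("Acme TLS Issuing CA", policy, path_len=0)
    chain = [policy[1], issuing[1]]
    _, good = make_leaf("app.corp.example.com", issuing)
    _, wrong_name = make_leaf("evil.example.net", issuing)  # issuing CA used outside its subtree
    _, direct = make_leaf("app.corp.example.com", policy)   # Policy CA issuing a leaf itself
    rogue = (ec.generate_private_key(ec.SECP256R1()), issuing[1])  # attacker key, genuine issuer name
    _, forged = make_leaf("app.corp.example.com", rogue)
    return {"good": len(validate_chain(good, chain, root[1])),
            "wrong_name": _rejects(wrong_name, chain, root[1]),
            "direct": _rejects(direct, [policy[1]], root[1]),
            "forged": _rejects(forged, chain, root[1])}
```

Note that "no direct issuance" by the Policy CA is not something pathLenConstraint alone expresses (a pathLen-1 CA may still sign a leaf); it is a CP/CPS rule the CA engine enforces, which is why the validator carries it as a separate organisational check.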
🔷 Enterprise PKIaaS Platform
Cloud-Hosted · HSM-Backed · FIPS 140-2 Level 3 · 99.99% Availability SLA

CA Engine: CA core · Policy enforcement · Multi-tenant cert issuance
Certificate Lifecycle Manager: Certificate lifecycle management · Inventory · Discovery · Alerting
Code & Doc Signing Service: Code · Container · Document · Timestamping Authority (TSA)
OCSP / CRL / AIA: CDN-hosted global revocation · Auto-publish · Always-available (relying parties should still staple OCSP responses or cache CRLs so that a revocation-endpoint outage cannot turn into a service outage)
Protocols & integrations: ACME · SCEP · EST · CMP · REST API · SPIFFE/SPIRE · Terraform · Vault PKI · cert-manager
📡 Network & Endpoint Auth

💻 Corporate Endpoints: Windows · macOS · Linux · MDM-enrolled via Intune / Jamf · Auto-enroll via GPO · Auto-Enroll
📱 Mobile Devices (BYOD): SCEP via Intune NDES proxy · Per-device unique cert · Revoked on unenroll · SCEP
📶 802.1X WiFi / Wired: EAP-TLS, device cert auth only · No cert = no network. No passwords. · Supplicants must also validate the RADIUS server certificate and its expected name, otherwise clients will complete the handshake with a rogue access point · EAP-TLS ✓
🔀 RADIUS / NPS: Cert-based policy enforcement · Cisco ISE · Aruba ClearPass integration
🔒 VPN (Cert-Based): Palo Alto / Cisco AnyConnect · User + Device cert required · No PSK/passwords · mTLS ✓
🖨️ Network Infrastructure: Switches · APs · Printers · IoT / OT · EST / SCEP zero-touch auto-renewal · EST
⚙️ DevSecOps CI/CD Pipeline (each stage gates the next)

👨‍💻 Developer Identity: SSH cert auth
🐙 SCM: Signed commits (GPG / SSH) ✓
CI Platform: Build job authenticates to the signing service with a short-lived OIDC token
✍️ Code Signing Gate: HSM-backed signing ✓
🐳 Container Image Signing: Cosign / Sigstore
Helm Chart Signing: Provenance ✓
📦 Artifact Repository: Signed artifacts
☸️ K8s Admission Webhook: Unsigned = BLOCKED
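The decision the admission stage makes, as an added example that is not the page's code and not Cosign, Sigstore or any admission controller: admit an image only when its digest carries a signature from a key the cluster trusts, and block everything else, including an unsigned image, one signed with a developer's personal key, and a genuine signature replayed onto a tampered digest. It uses the Python `cryptography` package; the signed payload is only loosely modelled on the simple-signing JSON that Cosign uses, and the keys, digests and signer names are constructed. A production gate verifies Sigstore bundles, signer identity and transparency-log inclusion rather than a bare key, but the accept/reject logic is the same shape.

```python
"""Admission-time check: admit an image only if its digest carries a valid signature from
a trusted signer (added example, see lead-in; keys, digests and names are constructed)."""
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _payload(image_ref, digest):
    """Canonical bytes that get signed: binds the signature to both reference and digest."""
    doc = {"critical": {"identity": {"docker-reference": image_ref},
                        "image": {"docker-manifest-digest": digest}}}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_image(image_ref, digest, signing_key):
    """What the CI signing gate produces (with an HSM-held key in the real pipeline)."""
    payload = _payload(image_ref, digest)
    return {"payload": payload, "sig": signing_key.sign(payload, ec.ECDSA(hashes.SHA256()))}


def admit(image_ref, digest, signature, trusted_keys):
    """Return (allowed, reason). Anything not provably signed by a trusted key is blocked."""
    if signature is None:
        return False, "BLOCKED: image is unsigned"
    if signature["payload"] != _payload(image_ref, digest):
        return False, "BLOCKED: signature is bound to a different image or digest"
    for signer, pub in trusted_keys.items():
        try:
            pub.verify(signature["sig"], signature["payload"], ec.ECDSA(hashes.SHA256()))
            return True, f"ALLOWED: signed by {signer}"
        except InvalidSignature:
            continue
    return False, "BLOCKED: signature not from a trusted signer"


def demo():
    ci_key = ec.generate_private_key(ec.SECP256R1())    # the pipeline gate's key
    dev_key = ec.generate_private_key(ec.SECP256R1())   # a developer's personal key
    trusted = {"ci-signing-gate": ci_key.public_key()}  # cluster policy trusts only the gate
    ref = "registry.example.com/payments/api"
    built = "sha256:" + "ab" * 32                       # constructed digests
    tampered = "sha256:" + "cd" * 32
    official = sign_image(ref, built, ci_key)
    return {"signed_by_gate": admit(ref, built, official, trusted),
            "unsigned": admit(ref, built, None, trusted),
            "dev_signed": admit(ref, built, sign_image(ref, built, dev_key), trusted),
            "replayed_on_tampered": admit(ref, tampered, official, trusted)}
```

The payload comparison before the signature check is what stops the replay case: a valid signature is only meaningful over the exact reference and digest being admitted.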
☁️ Cloud Workloads — mTLS Fabric

🔷 Azure — AKS / App Services / Functions: Workload Identity + cert-based auth · Azure Key Vault integration · ACR with signed image enforcement via admission policy · AKS
🌐 GCP — GKE / Cloud Run / Artifact Registry: Workload Identity Federation · GCP Secret Manager integration · Artifact Registry with signed container enforcement · GKE
🕸️ Service Mesh (Istio / Linkerd): SPIFFE/SPIRE · Every svc-to-svc call is mTLS · Auto-rotated identities · SPIRE issues the SVIDs; its signing CA is chained to the PKIaaS as upstream authority, so mesh identities roll up to the same trust hierarchy · mTLS ✓
⏱️ Short-Lived Workload Certs: TTL 4–24 h · Auto-issued via ACME/EST · No long-lived secrets in env vars · Rotation failure = cert expires → workload fails closed by design, which means renewal has to be monitored rather than assumed · ACME ✓
🔑 Secrets Backend Integration: Azure Key Vault · GCP Secret Manager · HashiCorp Vault PKI · PKIaaS as upstream CA for the Vault PKI secrets engine
📊 Observability & Governance

🗂️ Certificate Inventory (CLM Platform): Full estate visibility across cloud + on-prem · Auto-discovery scanning · Every cert: who issued it, where it lives, when it expires · Live
🔔 Expiry Alerting & Zero-Touch Renewal: 90/60/30/7-day thresholds · Slack · PagerDuty · ServiceNow tickets · ACME/EST auto-renewal workflows remove expiry outages for everything they cover; what is left to alert on is renewal failures and the certs still renewed by hand · 0-Touch ✓
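Expiry triage that takes both of the preceding points seriously, as an added example (not the page's code or any CLM product): day-based 90/60/30/7 thresholds for hand-renewed certificates, and, for the short-lived ACME/EST-managed workload certs described in the cloud section above, an "auto-renewal overdue" rule instead, because a 24-hour certificate is never "30 days from expiry" and the signal that matters is whether the renewal that should already have happened did. The inventory rows, the 2/3-of-lifetime renewal point and the severity cut-offs are assumptions; a real platform would pull the inventory from discovery and route the alerts to chat, paging and ticketing.

```python
"""Expiry triage for a certificate inventory: day-based thresholds for manually renewed certs,
'renewal overdue' detection for short-lived ACME/EST-managed certs (added example, see lead-in;
inventory rows and rules are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

THRESHOLDS_DAYS = (90, 60, 30, 7)   # tiers from the page, for certs renewed by hand
RENEW_AT_FRACTION = 2 / 3           # assumption: ACME-style renewal after 2/3 of the lifetime


@dataclass(frozen=True)
class CertRecord:
    name: str           # where it lives
    issuer: str         # who issued it
    not_before: datetime
    not_after: datetime
    auto_renew: bool    # managed by an ACME/EST workflow?
    owner: str          # who gets the ticket


def triage(rec, now):
    """Return (severity, reason) for one record, or None if it needs no attention."""
    lifetime = rec.not_after - rec.not_before
    remaining = rec.not_after - now
    if remaining <= timedelta(0):
        return "critical", "expired"
    if rec.auto_renew:
        # The renewal point, not the expiry date, is the thing to watch; escalate as the
        # remaining margin before the workload fails closed shrinks.
        renew_at = rec.not_before + lifetime * RENEW_AT_FRACTION
        if now <= renew_at:
            return None
        overdue = now - renew_at
        severity = "critical" if overdue > (rec.not_after - renew_at) / 2 else "warning"
        return severity, f"auto-renewal overdue by {overdue}"
    days_left = remaining / timedelta(days=1)
    for days in sorted(THRESHOLDS_DAYS):        # tightest threshold that applies
        if days_left <= days:
            severity = "critical" if days <= 7 else "warning" if days <= 30 else "info"
            return severity, f"{days_left:.0f} days left (inside {days}-day threshold)"
    return None


def scan(inventory, now):
    """Alerts for the whole inventory, most urgent first, ready to route to chat/paging/ticketing."""
    rank = {"critical": 0, "warning": 1, "info": 2}
    alerts = []
    for rec in inventory:
        result = triage(rec, now)
        if result:
            alerts.append({"cert": rec.name, "issuer": rec.issuer, "owner": rec.owner,
                           "severity": result[0], "reason": result[1]})
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["cert"]))


def demo():
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    d = timedelta
    inventory = [  # constructed sample inventory
        CertRecord("vpn.corp.example.com", "Acme TLS Issuing CA", now - d(days=360), now + d(days=5), False, "netops"),
        CertRecord("intranet.corp.example.com", "Acme TLS Issuing CA", now - d(days=300), now + d(days=45), False, "webops"),
        CertRecord("legacy-printer-07", "Old On-Prem CA", now - d(days=730), now - d(days=2), False, "facilities"),
        CertRecord("spiffe://acme/payments", "Acme Workload Issuing CA", now - d(hours=21), now + d(hours=3), True, "platform"),
        CertRecord("spiffe://acme/search", "Acme Workload Issuing CA", now - d(hours=6), now + d(hours=18), True, "platform"),
        CertRecord("healthy.corp.example.com", "Acme TLS Issuing CA", now - d(days=10), now + d(days=200), False, "webops"),
    ]
    return scan(inventory, now)
```

In the sample, the payments workload cert still has three hours left, which no day-based tier would flag, yet its renewal is five hours overdue and it is the one most likely to cause an outage before the next scan.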
🛡️ SIEM / SOC Integration: Cert events → Splunk / Microsoft Sentinel · Revocation anomalies · Unauthorized issuance · Mass-expiry detection
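The three detections named above, run over a constructed CA event log, as an added example that is not the page's code or any SIEM vendor's rule set. The policy tables (which template each CA may issue, that only the pipeline gate may obtain code-signing certs), the thresholds and the log lines are assumptions chosen to exercise each rule once: a person obtaining a code-signing cert from the wrong CA and then from the right CA, a CA nobody registered, a burst of device revocations that deserves a look even if it turns out to be a bulk unenrollment, a key-compromise revocation that always pages, and an enrollment batch of 25 devices that will all expire on the same day.

```python
"""Detection rules over certificate-authority event logs: unauthorized issuance,
revocation anomalies and expiry cliffs (added example, see lead-in; log lines,
policy tables and thresholds are constructed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# What each CA may issue, and who may request sensitive templates (assumed policy).
ALLOWED_TEMPLATES = {"Acme TLS Issuing CA": {"tls-server"},
                     "Acme Code Signing CA": {"code-signing"},
                     "Acme Device Issuing CA": {"device"}}
TEMPLATE_REQUESTERS = {"code-signing": {"ci-signing-gate"}}  # only the pipeline gate, never a person
MASS_EXPIRY_MIN = 20                              # certs from one CA expiring on the same day
REVOKE_BURST_MIN, REVOKE_BURST_WINDOW = 3, timedelta(minutes=5)


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    """One JSON object per line, as a SIEM would receive them from the CA engine."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    findings = []
    expiry_by_day = defaultdict(list)   # (ca, expiry date) -> subjects
    revocations = defaultdict(list)     # ca -> revocation timestamps
    for e in events:
        if e["event"] == "issued":
            reasons = []
            if e["ca"] not in ALLOWED_TEMPLATES:
                reasons.append("unknown issuing CA")
            elif e["template"] not in ALLOWED_TEMPLATES[e["ca"]]:
                reasons.append(f"template {e['template']} not permitted for this CA")
            allowed = TEMPLATE_REQUESTERS.get(e["template"])
            if allowed is not None and e["requester"] not in allowed:
                reasons.append(f"requester {e['requester']} not permitted for {e['template']}")
            if reasons:
                findings.append({"rule": "unauthorized-issuance", "ca": e["ca"],
                                 "subject": e["subject"], "reasons": reasons})
            expiry_by_day[(e["ca"], _ts(e["not_after"]).date())].append(e["subject"])
        elif e["event"] == "revoked":
            if e["reason"] == "keyCompromise":   # always page: a key is known to be in the wrong hands
                findings.append({"rule": "key-compromise-revocation", "ca": e["ca"], "serial": e["serial"]})
            stamps = revocations[e["ca"]]
            stamps.append(_ts(e["ts"]))
            recent = [t for t in stamps if stamps[-1] - t <= REVOKE_BURST_WINDOW]
            if len(recent) == REVOKE_BURST_MIN:   # fire once, when the threshold is first crossed
                findings.append({"rule": "revocation-burst", "ca": e["ca"], "count": len(recent),
                                 "actor": e["actor"]})
    for (ca, day), subjects in expiry_by_day.items():
        if len(subjects) >= MASS_EXPIRY_MIN:      # an enrollment batch about to expire together
            findings.append({"rule": "mass-expiry", "ca": ca, "day": day.isoformat(), "count": len(subjects)})
    return findings


# Constructed sample log: a device enrollment batch, normal TLS issuance, three policy
# violations (the unregistered CA would reach the SIEM via discovery, not the CA engine),
# a burst of device revocations and one key-compromise revocation.
SAMPLE_LOG = "".join(
    json.dumps({"ts": "2023-09-30T08:00:00Z", "event": "issued", "ca": "Acme Device Issuing CA",
                "template": "device", "requester": "intune-ndes", "subject": f"laptop-{i:03d}",
                "not_after": "2024-09-30T08:00:00Z"}) + "\n" for i in range(25)
) + """\
{"ts":"2024-06-01T10:00:00Z","event":"issued","ca":"Acme TLS Issuing CA","template":"tls-server","requester":"svc-cert-manager","subject":"app1.corp.example.com","not_after":"2024-06-02T10:00:00Z"}
{"ts":"2024-06-01T10:01:00Z","event":"issued","ca":"Acme TLS Issuing CA","template":"code-signing","requester":"jdoe","subject":"jdoe-release","not_after":"2025-06-01T10:01:00Z"}
{"ts":"2024-06-01T10:02:00Z","event":"issued","ca":"Acme Code Signing CA","template":"code-signing","requester":"jdoe","subject":"jdoe-release","not_after":"2025-06-01T10:02:00Z"}
{"ts":"2024-06-01T10:03:00Z","event":"issued","ca":"Shadow Dev CA","template":"tls-server","requester":"jdoe","subject":"test.corp.example.com","not_after":"2034-06-01T10:03:00Z"}
{"ts":"2024-06-01T11:00:00Z","event":"revoked","ca":"Acme Device Issuing CA","serial":"1a","reason":"cessationOfOperation","actor":"intune-unenroll"}
{"ts":"2024-06-01T11:00:30Z","event":"revoked","ca":"Acme Device Issuing CA","serial":"1b","reason":"cessationOfOperation","actor":"intune-unenroll"}
{"ts":"2024-06-01T11:01:00Z","event":"revoked","ca":"Acme Device Issuing CA","serial":"1c","reason":"cessationOfOperation","actor":"intune-unenroll"}
{"ts":"2024-06-01T11:01:30Z","event":"revoked","ca":"Acme Device Issuing CA","serial":"1d","reason":"cessationOfOperation","actor":"intune-unenroll"}
{"ts":"2024-06-01T12:00:00Z","event":"revoked","ca":"Acme Code Signing CA","serial":"2a","reason":"keyCompromise","actor":"secops"}
"""


def demo():
    return detect(parse_events(SAMPLE_LOG))
```

The mass-expiry rule is the one most often missing from SIEM content: it fires months ahead of the cliff, which is when it is still cheap to spread the renewals out.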
📋 Compliance & Audit Reporting: SOC 2 · FedRAMP · PCI-DSS · HIPAA · Automated evidence export · Who requested · Who approved · What was issued · Timestamped audit trail · Audit Ready
🔭 Shadow IT / Rogue Cert Discovery: Network scans · Passive TLS observation (handshake metadata from taps and flow logs, not interception) · Cloud asset tagging · Unknown / self-signed certs surface automatically · Scanning
🤖 IaC / GitOps Integration: Terraform PKI provider · Helm cert-manager issuer plugin · Certs declared in code, so infrastructure review = certificate review · GitOps ✓
⚠️ Legacy → Replaced: On-premises CA platform (decommissioned). Issuing CAs expired · Aging hosting infrastructure decommissioned · No OCSP SLA · Manual renewal · Zero certificate inventory or lifecycle visibility