White Paper

PKI goes Cloud

How to trust in a cloud-based Public Key Infrastructure (PKI).

PKI as a crucial part of IT security

In 2021 more and more enterprises are shifting relevant IT infrastructures to the cloud. To streamline operations, security-related platform services (PaaS) are becoming increasingly popular as a way to support the (multi-)cloud setups that many organizations already run. A traditional and crucial part of IT security is the Public Key Infrastructure (PKI). Most of the activities performed by the PKI are aimed at ensuring trust in the infrastructure: putting up authentication hurdles, placing keys in tamper-protected hardware security modules (HSMs) and establishing multi-eye (multi-person) principles. To many security managers it therefore seems unimaginable to move the PKI into the cloud.

Cloud-based but trustworthy

Meanwhile, the list of advantages of a cloud-based PKI service keeps growing, also from a security point of view. Given the high operational overhead, high costs and inflexibility of an on-premises PKI, deploying a PKI as a cloud service is worth considering, regardless of the size of the organization. The big cloud providers are working hard to gain the necessary trust, tailoring their services so that the essential tasks remain under the control of their customers.

A deep dive into on-premises compared to cloud-based PKI

Topics such as automation and API-based monitoring offer enormous advantages over years of on-premises practice. This is why Spike Reply developed a PaaS-internal PKI service that is superior to an on-premises PKI in terms of operational efficiency, cost savings and flexibility. The solution uses AWS Certificate Manager Private Certificate Authority (ACM PCA) and is operated in a growing number of enterprises as a best-practice deployment. This shows that the time to move PKI tasks to the cloud is now.

Diving deep into the advantages and disadvantages of the essential PKI components, namely the Certification Authority (CA), the Validation Authority (VA) and the Registration Authority (RA), the security experts compare traditional on-premises PKI setups with the opportunities the AWS service offers.


Spike Reply is the specialist for IT security within the Reply Group. Spike Reply specializes in secure IT and the protection of personal data. Spike Reply has created a comprehensive, integrated and consistent offering to identify, minimize and maximize all aspects of the risk associated with an information system. These range from the identification of threats and weak points to the planning, design and implementation of the corresponding technological, legal, organizational, underwriting and risk-limiting countermeasures.