You may also have a number of other servers that are not external facing and will not need publicly rooted certificates. These servers, however, may still need authentication and signing capabilities to establish a secure TLS session with other internal servers or applications. The root of trust for these servers would be a private Certificate Authority CA; a CA of your own.

With a Private CA (or “Private PKI”) solution, you can brand the certificates for your servers, devices, and users. Since the purpose of this CA is to serve your organization only, it will provide a tighter control when its Public Key Infrastructure (PKI) is used for internal user authentication. For this reason, Private PKI is immensely popular for deployment in enterprise IT, as well as cloud-native DevOps and Internet of Things (IoT) environments.

While a Root CA acts as the root of trust, an Issuing CA is responsible for dispensing certificates to end entities, such as, a device or user.

Here are three deployment architectures to consider when looking to maximize security for your internal communications.

Three Deployment Scenarios

1. Security vendor hosts the Private Root CA as well as Issuing CA(s) for you on the cloud,
2. Your organization hosts the Private Root CA of your choosing and the security vendor hosts the Issuing CA(s) for you,
3. The security vendor hosts the Private Root CA and your organization hosts issuing CA(s) of your own