Best Practices for PKI Use Within Large Enterprises and Organizations

Implementing PKI within an organization requires careful thought and planning. Before deciding how its capabilities will be used, it is important to understand why the organization needs PKI in the first place and what impact it will have. The best practices for using PKI within a large organization follow from answering the following questions:

  • What are the business drivers for using PKI within the organization? Are you implementing it for eBusiness? Are you requiring it for integrity, confidentiality, authentication, or nonrepudiation? What is the problem that the enterprise or organization is trying to solve?
  • What applications will be using PKI? Is it being used for secure email, communications, or transactions?
  • What does the PKI architecture look like and how will it be used? Do all users require the same certificate profiles and policies, or will different groups need to be managed separately? What algorithms and key lengths will be used in the certificates? Will one certificate be used for both digital signing and encryption, or will separate key pairs be issued for each purpose?
  • What impact will this implementation have on the users, customers, and business partners? How will the users be educated on the technology, and how and when should it be used? Who will develop the necessary policies that affect the users, and how will they be trained?
  • Where will the infrastructure reside? Will various components be outsourced, or will they all be located in-house? Who will support the infrastructure, and what are expectations around support and disaster recovery?
  • Can the current organizational infrastructure support the technology? Is the network bandwidth acceptable?
  • Which databases will be used for PKI? Will existing databases be used to streamline enrollment? Will revoked and expired certificates be left in the database? Will a certificate repository be integrated with user account management?
  • What are the legal and policy considerations for the CA? How will certificates be renewed? What are the procedures associated with requesting and revoking certificates? Are the policies documented?
  • What are the trust relationships and how are they established? What trust model will the PKI use? Do the products support this model? How will you distribute the trusted root certificate to the PKI users so that they can validate certificate chains?
  • How will PKI be deployed? Who are the vendors and how will they support you? How will you install the systems? Who will be trained on the systems? How will you test the system? How will you put the system into production?
  • Who will have access to the systems and how will this access be monitored? How will the organization grow with the systems and the resources that are provided?

Understanding every component of the implementation, infrastructure, and deployment is what makes a PKI succeed within a large enterprise or organization.
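The answers to the algorithm, key-length, key-usage and trust-model questions above are only worth as much as the checks that enforce them on issued certificates. The following Go program is an added example, not code from the original text: it builds a small constructed certificate population in memory (one approved root that is "distributed" to relying parties, one unapproved root, and three end-entity certificates) and audits each certificate against an assumed policy. The policy values (2048-bit RSA minimum, SHA-256/384 signatures, separate signing and encryption keys), the CA and subject names, and the labels are illustrative assumptions, and the audit is deliberately limited to what the questions above ask about.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy: the organization's answers to the algorithm, key-length and
// key-usage questions above. The values are illustrative, not prescriptive.
const minRSABits = 2048
const separateSignEncrypt = true // one key pair per purpose, no dual-use certificates
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true,
}

// must panics on error: the population below is constructed, so a failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues a certificate for pub; ca == nil means self-sign a root CA with caKey.
func sign(ca *x509.Certificate, caKey crypto.Signer, pub crypto.PublicKey, cn string,
	usage x509.KeyUsage, validity time.Duration) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validity),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  ca == nil,
	}
	if ca == nil {
		ca = tpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, pub, caKey))))
}

// audit returns the policy findings for one certificate; an empty slice means compliant.
func audit(c *x509.Certificate, roots *x509.CertPool) (f []string) {
	// Trust model: the certificate must chain to a root the organization distributed.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil {
		f = append(f, "no chain to a distributed trust anchor: "+err.Error())
	}
	// Key length (RSA only in this example; EC keys are accepted as issued).
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		f = append(f, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), minRSABits))
	}
	// Algorithm the issuer signed with.
	if !allowedSigAlgs[c.SignatureAlgorithm] {
		f = append(f, "signature algorithm not permitted: "+c.SignatureAlgorithm.String())
	}
	// Signing vs. encryption: encryption keys may have to be escrowed for data
	// recovery, signing keys never should be, so dual-use certificates are flagged.
	enc := x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement
	if separateSignEncrypt && c.KeyUsage&x509.KeyUsageDigitalSignature != 0 && c.KeyUsage&enc != 0 {
		f = append(f, "dual-use certificate (signing and encryption); policy requires separate keys")
	}
	return f
}

// runAudit audits a constructed population (approved root, unapproved root, three leaves).
func runAudit() map[string][]string {
	year := 365 * 24 * time.Hour
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := sign(nil, rootKey, &rootKey.PublicKey, "Example Corp Root CA", caUsage, 10*year)
	rogue := sign(nil, rogueKey, &rogueKey.PublicKey, "Unapproved Test CA", caUsage, 10*year)
	roots := x509.NewCertPool()
	roots.AddCert(root) // only the approved root is distributed to relying parties
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	weakKey := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately below policy
	signOnly := x509.KeyUsageDigitalSignature
	dualUse := signOnly | x509.KeyUsageKeyEncipherment
	return map[string][]string{
		"signing-only":     audit(sign(root, rootKey, &userKey.PublicKey, "alice", signOnly, year), roots),
		"weak-dual-use":    audit(sign(root, rootKey, &weakKey.PublicKey, "legacy-app", dualUse, 3*year), roots),
		"untrusted-issuer": audit(sign(rogue, rogueKey, &userKey.PublicKey, "bob", signOnly, year), roots),
	}
}

func main() {
	for name, f := range runAudit() {
		fmt.Printf("%-17s %d finding(s) %v\n", name, len(f), f)
	}
}
```

Run with `go run .`: the signing-only certificate produces no findings, the 1024-bit dual-use certificate produces two (key length and dual use), and the certificate issued by the unapproved CA produces one, because its chain does not terminate in the distributed root. In a real deployment the same audit would run over the CA database rather than generated certificates, and the policy values would come from the documented certificate policy rather than constants.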
