Modernize Your Legacy PKI with Bring Your Own Root


Linda Ikechukwu

Follow Smallstep

Bring Your Own Root to Smallstep

We’re excited to announce that Bring Your Own Root is now available on the Smallstep Platform.

What does Bring Your Own Root mean for you?

If you used the Smallstep platform for certificate, authentication, or encryption management before the BYOR feature, your entire chain of trust (root CA certificates and intermediate CA certificates) would be created and controlled by Smallstep. This meant that Smallstep was responsible for creating, storing, and protecting the root signing key.

However, we realized that this approach may not always be optimal for some organizations. For example, organizations with existing legacy PKI may not find it easy or even feasible to overhaul or deploy/distribute a new root or chain of trust across their device fleet or infrastructure. Additionally, organizations in regulated industries with specific requirements around root key storage need to have absolute control over how their root keys are stored and protected. We have decided to meet such organizations where they are.

With the new BYOR feature, organizations have full control of their root while using the Smallstep platform to automate certificate management and authentication.

Now, when creating a new hosted authority on the Smallstep Platform, you can upload your own root certificate. After uploading the root, you will be prompted to set the details for your intermediate CA, after which we create an intermediate private key and a CSR. You can download the CSR and sign using your root private key, resulting in the final intermediate CA certificate. The intermediate CA certificate then has to be uploaded and it will be verified using the previously uploaded root certificate.

The Smallstep platform will store and control the intermediate CA certificate and its corresponding private key. These will then handle online certificate signing requests for your existing systems or new deployments.

Benefits of Bring Your Own Root

Full control over how your root signing keys are created and stored

With BYOR, your organization can maintain complete control over your root signing key(s), while still using the Smallstep Platform.

As previously mentioned, we were responsible for creating, storing, and protecting the root signing key. However, because this key serves as the foundation of trust for an organization's trust domain, it can pose an unacceptable risk. With BYOR, the root key is only required during the signing of the intermediate CSR, all of which can happen within your own infrastructure. The key never has to be accessible by our platform.

Full control also means that you can use your preferred tooling and supported key ceremonies to create the root key and certificate according to your environment or industry requirements.

Opportunity to get rid of long-lasting intermediate signing keys

The traditional PKI process (workflow) takes a long time, which leads organizations to create intermediate certificates and signing keys that do not expire for a year or more. (But, long-lasting certificates can be a potential security nightmare). By connecting your existing root to the Smallstep Platform, you can easily rotate your intermediate signing keys without much fuss. This improves the security of your PKI.

Try It Out

Note: BYOR is only available on Advanced Authorities.

Follow the instructions here on our knowledge base to get started (you must be logged into your Smallstep account to reach the knowledge base). And if you encounter any issues, please do not hesitate to contact support. May the force be with you!

About the author: Linda is an educator at heart, and her superpower is demystifying complexity. Since joining SmallStep as a developer advocate, her new mission is now to demystify and educate about PKI and digital certificates :)