Deployment models for Zero Touch PKI
Zero Touch PKI supports two deployment types: fully hosted and hybrid. While fully hosted deployments are fast and cost-effective, hybrid deployments help you comply with regulations or internal policies by retaining custody of part of your private PKI, such as the private keys or root certificate authorities (CAs).
This topic outlines your deployment options, including custom designs.
Fully hosted
CyberArk hosts your complete private PKI including CAs, certificate revocation lists (CRLs), services, and connectors. We also handle all operations.
To speed migration from your legacy infrastructure, CyberArk offers:
- CA cross-signing: A Zero Touch PKI root CA is issued a certificate signed by your legacy root CA. Use this option when older devices cannot easily update their trust store. Once the legacy root CA certificate expires, this trust chain becomes invalid.
- CA migration: Relocate an existing root CA into Zero Touch PKI. You need to be able to transfer your CA private key securely, so this option is uncommon.
Choose a fully hosted deployment when you want to offload your private PKI and deploy more quickly.
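To see the cross-signing trust path in practice, the following added example (not CyberArk's code) builds a throwaway PKI with the openssl CLI: a constructed "ZTPKI Root" is cross-certified by a constructed, short-lived "Legacy Root", and a leaf issued under the ZTPKI root is verified through both anchors before and after the legacy root expires. All names, lifetimes and the leaf "device01" are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway cross-signed PKI built with the openssl CLI.
# Shows that a leaf issued by the ZTPKI root validates via the legacy root
# (through the cross-certificate) only until the legacy root expires, while
# the self-signed ZTPKI anchor keeps validating it. All names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# make_key_csr NAME CN : P-256 key plus a CSR carrying the subject name
make_key_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# build_pki : legacy root (1-day lifetime so expiry is easy to simulate),
# long-lived self-signed ZTPKI root, cross-certificate for the ZTPKI key
# signed by the legacy root, and one leaf issued by the ZTPKI root.
build_pki() {
  make_key_csr legacy "Legacy Root"; make_key_csr ztpki "ZTPKI Root"; make_key_csr leaf device01
  openssl x509 -req -in "$WORK/legacy.csr" -signkey "$WORK/legacy.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/legacy.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/ztpki.csr" -signkey "$WORK/ztpki.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ztpki.pem" 2>/dev/null
  # cross-sign: same ZTPKI subject and public key, but issuer = Legacy Root
  openssl x509 -req -in "$WORK/ztpki.csr" -CA "$WORK/legacy.pem" -CAkey "$WORK/legacy.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/cross.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ztpki.pem" -CAkey "$WORK/ztpki.key" \
    -CAcreateserial -days 365 -out "$WORK/leaf.pem" 2>/dev/null
}

# leaf_valid ANCHOR UNTRUSTED EPOCH : succeeds if leaf.pem chains to ANCHOR at EPOCH
leaf_valid() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" -attime "$3" "$WORK/leaf.pem" >/dev/null 2>&1
}

# report LABEL ANCHOR UNTRUSTED EPOCH : human-readable verdict for one trust path
report() {
  if leaf_valid "$2" "$3" "$4"; then echo "$1: valid"; else echo "$1: INVALID"; fi
}

NOW=$(date +%s); LATER=$((NOW + 2 * 86400))   # two days out: legacy root has expired
build_pki
report "legacy anchor, today" legacy.pem cross.pem "$NOW"
report "legacy anchor, legacy root expired" legacy.pem cross.pem "$LATER"
report "ZTPKI anchor, same moment" ztpki.pem ztpki.pem "$LATER"
```

The same leaf and the same cross-certificate are used in every check; only the trust anchor and the evaluation time change, which is exactly the dependency a cross-signed migration path carries.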
Hybrid: bring your own root
You host the root CA and its private key. The root CA remains offline except to sign subordinate CA certificates, which you can revoke without CyberArk intervention.
Zero Touch PKI hosts the intermediate and issuing CAs and their private keys, creating a trust chain that needs no direct connection between your root CA and the hosted CAs. It can also host your CRL for global availability.
Choose bring your own root when you want the benefits of hosted PKI while retaining root CA control.
Hybrid: bring your own HSM
You store all or some of Zero Touch PKI's private keys on your own hardware security modules (HSMs), connected over a dedicated VPN. Certificate signing that relies on keys in your HSMs takes place in your environment.
Choose bring your own HSM when you want the benefits of hosted PKI while retaining custody of sensitive keys.
Hybrid: custom designs
CyberArk supports custom designs. For example, keep the private keys for sensitive CAs in your own HSMs while hosting other CAs in Zero Touch PKI for high-volume issuance with no dependency on your environment.
Choose a custom design when your use case requires it. For more information, contact your CyberArk representative.