PKI Recommended Reading / Study List

Our Recommendations

We are contacted regularly regarding recommended reading and study material about PKI. Over the years we have come across many books, study guides and whitepapers that have helped define the PKI space. These books are by no means our only go-to sources, but they represent the top of our must-read list.

The books listed here range from a primer on cryptographic algorithms, hashing and signing all the way through PKI concepts and policies. We encourage anyone who wants to get started in the PKI space, and anyone looking to expand their knowledge, to treat this material as an essential set of guides.

We have no vested interest in these books or your purchase of them. We are advocates in the ecosystem and want to share with you our personal list of references you should have in your own reference library.

Introduction to Cryptography

Hans Delfs, Helmut Knebl

One of the best references we have found for understanding the cryptographic underpinning of your PKI. Introduction to Cryptography is suitable for anyone interested in the mathematics and algorithms that define and protect the certificates we create in PKIs.

Designed for both the novice and the advanced subject matter expert, the book is a great place to get an overview of hashing and encryption processes. If you want to dig deeper into any algorithm, the proofs and processes are laid out for further reading.

The history of standards and algorithms is explored, along with the now known weaknesses of, and challenges with, older algorithms.

While the book pre-dates the current efforts around quantum-resistant algorithms, it will give you a better idea of why the public-key algorithms in use today, such as RSA and elliptic-curve cryptography, are susceptible to attack by a sufficiently large quantum computer.

Security without Obscurity

J.J. Stapleton, W. Clay Epstein

Aside from the equipment, software and tools required to operate a PKI, it is the principles of policies, procedures and controls that define how trustworthy a PKI really is. Understanding how an organization should and should not control and operate its PKI is paramount to properly deriving value from it.

In this book, J.J. Stapleton and W. Clay Epstein lay out the basic framework of the Certificate Policy (CP) and Certification Practice Statement (CPS). These documents define the overall posture, operation and security procedures of a well-defined PKI.

Whether you are a private organization with no audit requirements or external partnerships, or you are subject to external annual audits, this book walks you through not only what it takes to define these policies, but how you should architect, write and operate your PKI.

In the world of PKI, it is not about what you obscure, but about how you protect what you have when it is exposed to the participating parties.

Windows Server 2008 - PKI and Certificate Security

Brian Komar

While it is now dated and out of print, this Microsoft Press book written by Brian Komar remains the most applicable text for anyone learning, supporting or designing a Microsoft Active Directory Certificate Services (AD CS) based PKI. It is the latest book Microsoft has published on the subject and provides product-specific PKI knowledge and implementation guidance.

The book is broken down into standards and concepts, and then covers use-case specific approaches to the most common PKI-related certificate needs. Whether it is learning about certificate RFCs, bridging CAs or deploying a three-tier PKI, the book provides an outline and many samples.

We do provide a free errata service for the book, so if you are looking to use the book as a guide for your environment, be sure to check out our list.

The book is also difficult to find because it is out of print. Copies do pop up in the used marketplace, and PDF versions of the book circulate as well.

Securing Public Key Infrastructure (PKI)

Microsoft IT

Our top pick for whitepapers is the little-known paper from Microsoft IT entitled Securing Public Key Infrastructure (PKI).

Released with little fanfare in 2016, Microsoft IT created this whitepaper to document the best practices, controls, monitoring, auditing and processes for securely operating a Microsoft AD CS based PKI. Based on years of experience operating their own internal PKI, the Microsoft IT team created this set of recommendations for any organization to adopt in its own practices.

Focused primarily on the technical security, configuration and operation of the software components of the PKI, the whitepaper is an excellent guide to augment your existing PKI knowledge. Unfortunately, there is little to no coverage of ancillary components such as Hardware Security Modules or third-party operating systems.

This whitepaper is available for review on the Microsoft website or for download and offline reference as a PDF.

Bulletproof SSL and TLS

Ivan Ristić

An excellent overview of the most commonly used certificate type in the world: Server Authentication. SSL and TLS have a long history that intertwines with the design and implementation of secure (and insecure) PKIs around the world.

In this book, Ivan Ristić covers not only the basics of SSL and its successor, TLS, but also the security, controls and issuance of certificates. In addition, he does a great job covering the SSL/TLS handshake process.

His coverage of many of the seminal moments in public PKI incidents over the years, such as DigiNotar and its subsequent demise, is a captivating read.

Whether or not you work directly with TLS-specific applications such as web servers, this book does an excellent job of expanding your PKI knowledge to explain the important role PKI plays in the security of the world's information.

Lastly, the book does an excellent job of distinguishing the algorithms bound into a certificate (its key type and signature algorithm) from the ephemeral keys, protocol versions and cipher suites negotiated for each TLS session. Most organizations need to eliminate weak crypto protocols, and this is done at the TLS configuration level, not in the TLS certificate.
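As an added example, not taken from the book or from this site, the following Python script uses only the standard library ssl module to make the point above concrete: the protocol floor, compression setting and cipher-suite list are set on the TLS context, while the certificate that load_cert_chain would attach is untouched by any of it. The "permissive" and "hardened" contexts and the weak-suite policy are constructed for illustration; the suite names come from whichever OpenSSL the interpreter is linked against.

```python
"""Harden the TLS layer without touching the certificate.

Added example (not from any book or whitepaper on this page). The protocol
versions and cipher suites a server will negotiate live in the TLS
configuration; the certificate only fixes the long-term authentication key
and its signature algorithm, and is loaded separately via load_cert_chain.
Uses only the Python standard library 'ssl' module.
"""
import ssl

# Constructed policy: substrings that mark a suite as unacceptable in its
# OpenSSL cipher name (RC4, single/triple DES, MD5 MAC, NULL cipher, export
# grades, anonymous DH/ECDH and pre-shared-key suites).
WEAK_NAME_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK")


def permissive_server_context() -> ssl.SSLContext:
    """Constructed 'before' state: everything the linked OpenSSL calls ALL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """'After' state: TLS 1.2 or newer, forward-secret ECDHE key exchange,
    AEAD ciphers only, no TLS compression. Note that nothing here depends
    on whether the certificate later attached carries an RSA or ECDSA key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-style attacks
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20,
    # explicitly excluding anonymous and pre-shared-key suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK")
    return ctx


def audit_suites(ctx: ssl.SSLContext) -> dict:
    """Classify every suite the context may negotiate.

    A suite is acceptable only if it is AEAD, forward secret (an (EC)DHE
    suite or any TLS 1.3 suite, which are always ephemeral) and carries
    none of the WEAK_NAME_MARKERS. Returns {'ok': [...], 'weak': [...]}.
    """
    ok, weak = [], []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        forward_secret = suite["protocol"] == "TLSv1.3" or "DHE" in name
        bad_primitive = any(marker in name for marker in WEAK_NAME_MARKERS)
        if suite["aead"] and forward_secret and not bad_primitive:
            ok.append(name)
        else:
            weak.append(name)
    return {"ok": ok, "weak": weak}


if __name__ == "__main__":
    for label, ctx in (("ALL", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        report = audit_suites(ctx)
        print(f"{label}: {len(report['ok'])} acceptable, "
              f"{len(report['weak'])} weak, minimum {ctx.minimum_version.name}")
        for name in report["weak"]:
            print("  weak:", name)
```

Running the script prints the suites that the permissive context would still accept and shows the hardened context with an empty weak list; swapping the server certificate from RSA to ECDSA would change which ECDHE-RSA or ECDHE-ECDSA suites are actually selected at handshake time, but not which protocol versions or cipher primitives are permitted.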