PKI Recommended Reading / Study List

Our Recommendations

We are contacted regularly regarding recommended reading and study material about PKI. Over the years we have come across many books, study guides, and whitepapers that have helped define the PKI space. These books are by no means our only go-to sources, but they represent the top of our must-read list.

The books listed here range from a primer on cryptographic algorithms, hashing, and signing all the way through PKI concepts and policies. We encourage anyone who wants to get started in the PKI space, or those looking to expand their knowledge to consider these materials as essential guides for the space.

We have no vested interest in these books or your purchase of them. We are advocates in the ecosystem and want to share with you our personal list of references you should have in your own reference library,

Introduction to Cryptography

Hans Delfs, Helmut Knebl

One of the best references we have found for understanding the cryptographic under-pinning of your PKI. Introduction to Cryptography is suitable for anyone interested in the mathematics and algorithms that define and protect the certificates we create in PKIs.

Designed for both the novice as well as advanced subject matter experts, the book is a great place to get an overview of hashing and encryption processes. If you desire to dig deeper into any algorithms, the proofs and process are laid out for further reading.

The history of standards and algorithms are explored as well as uncovering the now know weakness and challenges with older algorithms.

While the book pre-dates the current efforts around quantum resistant algorithms, you will have a better idea why older algorithms such as RSA and ECC are susceptible to these new attack vectors.

Aside from the equipment, software, and tools required to operate a PKI, the principles of policies, procedures and controls define how trustworthy a PKI really is. Understanding how organizations should and should not control and operate their PKI is paramount to properly deriving value from your PKI.

In this book, J.J. Stapleton and W. Clay Epstein lay out the basic framework of the Certificate Policy and Certificate Practice Statement. These documents define the overall posture, operation, and security procedures of a well-defined PKI.

Whether you are a private organization with no audit requirements or external partnerships, or you are subject to external annual audits, this book walks you through not only what it takes to define these policies, but how you should architecture, write and operate your PKI.

In a world of PKI, it's not about what your obscure, but how you protect what you have in a model of exposure to participating parties.

Security without Obscurity

J.J. Stapleton, W. Clay Epstein

Windows Server 2008 - PKI and Certificate Security

Brian Komar

While it is now dated and out of print, the most applicable text for anyone learning, supporting or designing a Microsoft Active Directory Certificate Services based PKI is the MS Press book. This book written by Brian Komar is the latest book from Microsoft on the subject and provides product specific PKI knowledge and implementation guidance.

The book is broken down into standards and concepts, and then covers use-case specific approaches to the most common PKI-related certificate needs. Whether it's learning about certificate RFCs, bridging CAs, or deploying a three-tier PKI, the book provides an outline and many samples.

We do provide a free errata service for the book, so if you are looking to use the book as a guide for your environment, be sure to check out our list.

The book is also difficult to find as it is out of print. Copies do pop up in the used marketplace and there are also PDF versions of the book around as well.

Our top pick for whitepapers is the little-known paper from Microsoft IT entitled Securing Public Key Infrastructure (PKI).

Released with little fanfare in 2016, Microsoft IT create this whitepaper to document the best practices, controls, monitoring, auditing, and processes for securely operating a Microsoft ADCS based PKI. Based on years of experience operating their own internal PKI, the Microsoft IT team created this set of recommendations for any organization to implement in their practices.

Focused primarily on the technical security, configuration, and operation of the software component of the PKI, the whitepaper is an excellent guide to augment your existing PKI knowledge. Unfortunately, there is little to no coverage of ancillary components such as Hardware Security Modules, or third-party operating systems.

This whitepaper is available for review on the Microsoft website or for download and offline reference as a PDF.

Securing Public Key Infrastructure (PKI)

Microsoft IT

Now in its Second Edition printing: Here's what changed since the first edition: 1) The TLS 1.3 chapter is brand new and the Configuration chapter has been completely rewritten; 2) With exception of possibly two chapters, most other chapters have seen heavy updates and rewrites; 3) The last four chapters from the first edition are no longer in the book.

An excellent overview of the most commonly used certificate type in the world - Server Authentication. SSL and TLS have a long history that intertwines with the design and implementation of secure (and insecure) PKIs around the world.

In this book, Ivan Ristic covers not only the basics of SSL and its successor - TLS, but also covers the security, controls, and issuance of certificates. In addition, he does a great job covering the SSL/TLS handshake process.

His coverage of many of the seminal moments in public PKI issues over the years - such as Diginotar and its subsequent demise is a captivating read.

Whether you are directly working with TLS specific applications such as Web Servers, or not, this book does an excellent job expanding on your PKI knowledge to explain how the PKI plays an important role in the security of the world's information.

Lastly, the book does an excellent job discussing certificate cryptographic algorithms versus ephemeral TLS keys and algorithms. Most organizations have a need to eliminate weak crypto protocols and this is done at the TLS level - not in the TLS certificate.