PKIaaS Architecture Overview
System Architecture
PKIaaS is built as a scalable, enterprise-grade Public Key Infrastructure service using Laravel 12 with comprehensive protocol support and Microsoft enterprise integration.
Core Components
graph TD
A[Web Interface] --> B[Laravel Application]
B --> C[Certificate Authority Management]
B --> D[Certificate Lifecycle]
B --> E[Protocol Services]
B --> F[Integration Services]
C --> G[Root CA]
C --> H[Intermediate CAs]
C --> I[Certificate Profiles]
D --> J[Certificate Generation]
D --> K[Auto-Renewal]
D --> L[Revocation Management]
E --> M[OCSP Responder]
E --> N[SCEP Server]
E --> O[EST Server]
E --> P[ACME Server]
F --> Q[Entra ID Integration]
F --> R[External Database]
F --> S[Notification System]
Protocol Support Matrix
| Protocol | Purpose | RFC Standard | Status | Microsoft Compatibility |
|---|---|---|---|---|
| OCSP | Certificate Validation | RFC 6960 | ✅ Complete | Full |
| SCEP | Device Enrollment | RFC 8894 | ✅ Complete | Intune Compatible |
| EST | Enterprise Enrollment | RFC 7030 | ✅ Complete | Full |
| ACME | Automated Enrollment | RFC 8555 | ✅ Complete | N/A |
Security Architecture
graph LR
A[Client Request] --> B[Load Balancer]
B --> C[Web Application Firewall]
C --> D[Authentication Layer]
D --> E[Authorization Engine]
E --> F[PKI Services]
F --> G[HSM/Cryptographic Storage]
D --> H[Entra ID]
D --> I[Local Authentication]
E --> J[Role-Based Access Control]
E --> K[API Key Management]
Deployment Architecture
Multi-Instance Docker Setup
The system supports horizontal scaling with multiple application instances:
version: '3.8'
services:
app-1:
image: pkiaas:latest
environment:
- INSTANCE_ID=instance-1
- APP_REPLICAS=3
ports:
- "8080:80"
- "8443:443"
app-2:
image: pkiaas:latest
environment:
- INSTANCE_ID=instance-2
- APP_REPLICAS=3
ports:
- "8081:80"
- "8444:443"
proxy:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
Database Architecture
External MariaDB (Recommended for Production)
graph TB
A[Application Instances] --> B[Load Balancer]
B --> C[Galera Cluster Node 1]
B --> D[Galera Cluster Node 2]
B --> E[Galera Cluster Node 3]
C <--> D
D <--> E
E <--> C
Configuration:
DB_HOST=galera-cluster.domain.com
DB_CONNECTION=mysql
DB_DATABASE=pkiaas
Local MariaDB (Development)
For development environments, a local MariaDB container is provided:
db:
image: mariadb:11
environment:
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
MYSQL_DATABASE: ${DB_DATABASE}
ports:
- "${DB_EXTERNAL_PORT:-3307}:3306"
Resource Management
Docker Resource Limits
services:
app:
deploy:
resources:
limits:
memory: 1G
cpus: '2.0'
reservations:
memory: 512M
cpus: '1.0'
redis:
deploy:
resources:
limits:
memory: 256M
cpus: '0.5'
nginx:
deploy:
resources:
limits:
memory: 128M
cpus: '0.5'
Service Architecture
Core Services
CryptoService
Purpose: Core cryptographic operations Responsibilities: - Certificate generation and signing - CRL generation and management - Key pair generation - Cryptographic validation
OcspService
Purpose: Online Certificate Status Protocol responder Features: - Real-time certificate status checking - ASN.1 DER encoding/decoding - Nonce support for replay protection - Multiple hash algorithm support
ScepService
Purpose: Simple Certificate Enrollment Protocol Features: - Microsoft Intune compatibility - PKCS#7 message handling - Challenge password authentication - Certificate renewal support
EstService
Purpose: Enrollment over Secure Transport Features: - TLS client certificate authentication - Enterprise enrollment workflows - RESTful API design - Certificate attribute support
AutoRenewalService
Purpose: Automated certificate lifecycle management Features: - Eligibility assessment - Batch processing - Notification system - Failure handling and retry logic
EntraIdService
Purpose: Microsoft Entra ID integration Features: - User synchronization - Group-based role mapping - Certificate provisioning - JWT token validation
API Architecture
RESTful API Design
/api/v1/
├── certificates/ # Certificate management
├── certificate-authorities/ # CA management
├── ocsp/ # OCSP responder
├── scep/ # SCEP enrollment
├── est/ # EST enrollment
├── acme/ # ACME protocol
├── auto-renewal/ # Auto-renewal management
└── entra-id/ # Entra ID integration
Authentication Methods
- API Keys (Sanctum)
- Stateless authentication
- Rate limiting support
-
Scope-based permissions
-
Entra ID Bearer Tokens
- JWT validation
- Microsoft Graph integration
-
Group-based authorization
-
Certificate-based Authentication
- mTLS for EST protocol
- Certificate binding
- Hardware token support
Data Architecture
Database Schema
erDiagram
certificate_authorities ||--o{ certificates : issues
certificates ||--o{ certificate_revocations : revoked
certificates }o--|| users : owner
users }o--o{ user_client_contexts : contexts
certificate_authorities {
id bigint
type enum
common_name varchar
private_key text
certificate text
is_active boolean
parent_ca_id bigint
valid_from timestamp
valid_to timestamp
}
certificates {
id bigint
ca_id bigint
type enum
serial_number varchar
common_name varchar
private_key text
certificate text
status enum
valid_from timestamp
valid_to timestamp
auto_renewal_enabled boolean
entra_user_id bigint
}
users {
id bigint
name varchar
email varchar
entra_id varchar
entra_upn varchar
is_active boolean
entra_last_sync timestamp
}
Performance Optimization
Database Indexes: - Certificate status and expiration queries - OCSP serial number lookups - Entra ID user mapping - Auto-renewal eligibility checks
Caching Strategy: - Redis for session management - Certificate chain caching - OCSP response caching - Entra ID token caching
Security Architecture
Cryptographic Standards
Supported Algorithms
Asymmetric Encryption: - RSA: 2048, 3072, 4096 bits - ECDSA: P-256, P-384, P-521 curves (future)
Hash Algorithms: - SHA-256 (default) - SHA-384 - SHA-512
Symmetric Encryption: - AES-256-CBC (private key encryption) - AES-256-GCM (data encryption)
Key Management
graph TD
A[Key Generation] --> B[Secure Storage]
B --> C[Usage Control]
C --> D[Rotation]
D --> E[Archive]
E --> F[Destruction]
B --> G[Database Encryption]
B --> H[HSM Integration]
B --> I[Backup Encryption]
Access Control
Role-Based Access Control (RBAC)
roles:
pki-admin:
permissions:
- create-ca
- manage-certificates
- view-all-certificates
- revoke-certificates
certificate-manager:
permissions:
- create-certificates
- view-own-certificates
- renew-certificates
operator:
permissions:
- view-certificates
- download-certificates
user:
permissions:
- request-certificates
- view-own-certificates
API Security
Rate Limiting: - 100 requests/minute for OCSP - 60 requests/minute for SCEP - 10 certificates/hour per IP - 50 certificates/day per user
Input Validation: - CSR format validation - Subject DN validation - Extension validation - Size limits on all inputs
Monitoring and Observability
Health Monitoring
Service Health Checks
// Health check endpoints
/api/v1/ocsp/health // OCSP service status
/api/v1/scep/health // SCEP service status
/api/v1/est/health // EST service status
/api/v1/auto-renewal/health // Auto-renewal status
/api/v1/entra-id/health // Entra ID integration
System Metrics
- Certificate issuance rates
- Protocol usage statistics
- Error rates and response times
- Database performance metrics
- Cache hit ratios
Logging Architecture
Structured Logging
{
"timestamp": "2024-01-15T10:30:00Z",
"level": "info",
"service": "ocsp",
"event": "certificate_status_request",
"serial_number": "1234567890",
"status": "good",
"response_time_ms": 45,
"client_ip": "192.168.1.100"
}
Log Categories
- Security Events
- Authentication attempts
- Authorization failures
- Certificate operations
-
System configuration changes
-
Operational Events
- Service health status
- Performance metrics
- Error conditions
-
Maintenance activities
-
Audit Events
- Certificate lifecycle events
- Administrative actions
- Compliance-related activities
- Data access logs
Scalability and Performance
Horizontal Scaling
Load Balancing Strategy
upstream pkiaas_backend {
server app-1:80 weight=1;
server app-2:80 weight=1;
server app-3:80 weight=1;
}
server {
listen 80;
location / {
proxy_pass http://pkiaas_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Session Management
- Redis-based session storage
- Stateless API design
- Session affinity for web interface
- Distributed caching
Performance Optimization
Database Optimization
-- Certificate lookup optimization
CREATE INDEX idx_certificates_serial ON certificates(serial_number);
CREATE INDEX idx_certificates_status ON certificates(status);
CREATE INDEX idx_certificates_expiry ON certificates(valid_to);
-- OCSP performance
CREATE INDEX idx_revocations_serial ON certificate_revocations(serial_number);
-- Auto-renewal performance
CREATE INDEX idx_auto_renewal_eligible ON certificates(auto_renewal_enabled, valid_to);
Caching Strategy
- Certificate chains: 1 hour TTL
- CRL responses: 30 minutes TTL
- OCSP responses: 5 minutes TTL
- User sessions: 2 hours TTL
Disaster Recovery
Backup Strategy
Database Backups
# Daily full backup
mysqldump pkiaas > backup_$(date +%Y%m%d).sql
# Hourly incremental backups
mysqlbinlog --start-datetime="$(date -d '1 hour ago')" \
/var/log/mysql/mysql-bin.log > incremental_$(date +%Y%m%d_%H).sql
Key Material Backup
- Encrypted CA private keys
- Certificate database
- Configuration files
- Log archives
Recovery Procedures
- Service Recovery
- Container restart procedures
- Database restoration
- Configuration restoration
-
Certificate validation
-
CA Recovery
- Root CA restoration
- Intermediate CA recovery
- Certificate reissuance
- CRL regeneration
Integration Patterns
Microsoft Enterprise Integration
Entra ID Authentication Flow
sequenceDiagram
participant Client
participant PKIaaS
participant EntraID
participant MicrosoftGraph
Client->>PKIaaS: Request with Bearer Token
PKIaaS->>EntraID: Validate JWT Token
EntraID-->>PKIaaS: Token Valid
PKIaaS->>MicrosoftGraph: Get User Info
MicrosoftGraph-->>PKIaaS: User Details
PKIaaS->>PKIaaS: Sync User & Roles
PKIaaS-->>Client: Authenticated Response
Device Enrollment (SCEP)
sequenceDiagram
participant Device
participant Intune
participant PKIaaS
Device->>Intune: Request Certificate Profile
Intune->>PKIaaS: SCEP GetCACert
PKIaaS-->>Intune: CA Certificate
Device->>PKIaaS: SCEP PKIOperation (CSR)
PKIaaS->>PKIaaS: Validate & Issue Certificate
PKIaaS-->>Device: PKCS#7 Response with Certificate
This architecture provides a robust, scalable, and secure foundation for enterprise PKI services with comprehensive protocol support and Microsoft integration capabilities.
Vous n'avez pas envie de la manager ?
Découvrir notre offre PKI As A Service