There is one aspect of the IT technology we work with that consistently sparks curiosity when I discuss it with friends and acquaintances in the IT sector. It is often perceived as something esoteric and mysterious. To some extent, this perception applies to the field itself. Even its acronym — PKI — tends to evoke images of secret societies and initiation rituals. Interestingly, this analogy is not entirely inappropriate, because at the very foundation of every Public Key Infrastructure lies a process that is both highly ritualized and critically important: the Key Ceremony.
What is a PKI
If you look up the definition of Public Key Infrastructure, you will typically find something along these lines: “Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software, and procedures needed to create, store, distribute, use, and manage cryptographic key pairs and related digital certificates for the purposes of encrypting and signing data.”
While accurate, this definition does not fully capture what makes a PKI distinctive. A PKI is not merely an IT infrastructure; it is a combination of technology, governance, and business processes that enables trusted third parties to reliably verify and vouch for digital identities.
Why processes matter more than components
In practice, the organizational and procedural aspects of a PKI are often underestimated. This typically happens during the early stages of a project, when customers compare different solutions and focus primarily on component specifications, performance metrics, and product datasheets.
However, the first item on the shopping list for a successful PKI project should be neither hardware nor software, but a process, one that is rarely discussed outside specialist circles: the Key Ceremony.
What is a Key Ceremony
The Key Ceremony is the formal procedure during which a unique pair of cryptographic public and private keys is generated and associated with the Root Certification Authority (Root CA). These keys are subsequently used to sign certificates for subordinate Certification Authorities or, in some architectures, directly for end entities.
The keys are generated and protected within a specialized device known as a Hardware Security Module (HSM), which represents the innermost layer of security. HSMs are specifically designed to resist physical tampering: any attempt to open, damage, or interfere with the device results in the immediate destruction of the cryptographic material it contains.
Depending on the required security level, access to the HSM may involve multiple layers of physical protection, such as underground facilities, biometric controls, and segregated secure cages. In addition, to guarantee business continuity, cryptographic keys and their backups are typically stored in geographically separated secure facilities, often hundreds or thousands of kilometers apart.
Encrypted backups of the key pairs are retained by the organization in secure safes at each site. These backups can be used to initialize a new HSM and restore the root keys in the event of hardware failure or a catastrophic incident.
Seeding the Root of Trust
Key ceremonies are not standardized events; they must be tailored to the organization and to the value of the assets protected by the encryption and signing keys. In scenarios requiring the highest level of assurance, ceremonies are conducted in secure rooms under continuous video surveillance, with witnesses present and, in some cases, notaries.
Importantly, the term Key Ceremony does not refer solely to the generation of the root key pair. It also includes the initialization of the HSM and the creation of recovery credentials. These recovery keys are usually split and distributed among designated security officers and can only be used when a predefined quorum is met.
This makes it clear that the true Root of Trust in a PKI is established even before the first cryptographic key is generated. Trust is rooted in the rigor, transparency, and accountability of the Key Ceremony itself.
A carefully scripted operation
A Key Ceremony is a complex and meticulously planned operation. Nothing is left to chance; every step is governed by a formally documented script. The goal is not only to generate cryptographically strong keys, but also to ensure that no unauthorized copies can be created and that every action is traceable and auditable.
A typical Key Ceremony includes the following elements:
- clear identification and documentation of all individuals responsible for key management and backups, including their roles and responsibilities
- verification of the authenticity and integrity of all hardware and software before use
- application of tamper-evident seals to secure devices and the use of tamper-evident containers for sensitive backup materials
- full visibility of the ceremony, with secure system displays mirrored on large screens and recorded to capture every interaction
- secure archiving of video recordings for audit purposes or potential investigations
From mystery to real-world practice
Once the concept of the Key Ceremony is understood, it becomes clear that it is far from a theoretical or symbolic exercise. It is a real, operational process that underpins some of the most critical trust infrastructures on the Internet.
About keys, you may have come across articles on the web with titles such as “The Seven People Who Hold the Keys to the Internet”, or even “The Seven Templars of the Web”, “The Seven Guardians of the Net”.
For those who stopped at the titles without reading the content, these phrases evoke more or less secret rituals and procedures. In reality, what these articles are talking about has nothing to do with secrecy, but rather concerns each and every one of us, much more than we might think.
The seven keys to the web do indeed exist. But if you are imagining golden keys that open treasure chests or secret passages, I would say you are way off track. When we talk about the keys to the web, we are referring to cryptographic keys, which are used to secure the functioning of the Internet.
For anyone wishing to explore the subject in more depth, further reading is available from the following authoritative sources:
From Key Ceremony to PKI as a Service
This same approach is also at the core of our PKI as a Service (PKIaaS) offering. Every PKIaaS engagement begins not with the deployment of software or infrastructure, but with the design and execution of a properly governed Key Ceremony.
By starting from a formal and auditable Key Ceremony, in Namirial we ensure that the Root of Trust of each customer’s PKI is established according to best practices and aligned with the specific security, compliance, and business requirements of the organization. This includes defining roles and responsibilities, selecting the appropriate security controls, and implementing key management procedures that remain enforceable throughout the entire lifecycle of the service.
In this model, PKIaaS is not simply an outsourced technical platform, but a managed trust service. The robustness of the cryptography, the security of the HSMs, and the availability of the infrastructure all depend on a foundational process that is carefully designed, documented, and executed from day one: the Key Ceremony.
