2025-10-07, Belvedere I / Security, Compliance & the Law
This talk presents a scalable framework for deploying an enterprise Private Certificate Authority (CA) using OpenSSL and cloud-based HSMs. We explore a solution that centralizes certificate lifecycle management—including issuance, monitoring, and automated expiry alerts—while enforcing security through offline key generation with OpenSSL (RSA-2048) and hardware-grade protection via AWS CloudHSM. The design eliminates direct key exposure by leveraging FIPS 140-2 Level 3-validated HSMs and enables self-service workflows with minimal manual intervention. Attendees will learn practical strategies for balancing security, automation, and usability in PKI deployments.
This session delves into the architecture and implementation of a private PKI service designed for cloud environments. We address four critical requirements:

- Secure Root Key Management
  - Offline generation of RSA-2048 keys using OpenSSL, ensuring air-gapped security.
  - Integration with AWS CloudHSM for FIPS 140-2 Level 3-compliant key storage, enabling cryptographic operations without direct key access.
  - Design trade-offs that allow key portability across HSM services.
- Automated Certificate Lifecycle
  - A self-service interface that reduces certificate requests to minimal inputs.
  - Workflow automation for issuance, renewal, and revocation, reducing manual overhead.
  - Built-in observability for certificate health and proactive expiry notifications.
- Security and Governance
  - Enforced manager approval for CA creation, maintaining organizational control.
  - Zero Trust principles applied to certificate trust chains, aligning with NIST frameworks.
  - VPC-level isolation for CA components using cloud-native controls.
- Operational Insights
  - Lessons from the transition from traditional HSMs to cloud-native solutions.
  - Metrics-driven communication strategies for executive stakeholders.

Attendees will gain actionable insights into building auditable, enterprise-ready PKI systems using OpenSSL and modern cloud security tools.
My name is Ranjan Kathuria, and I am currently a Staff Cloud Security Engineer / Cloud Security Architect at Rubrik, a recognized leader in Data Backup and Data Security. Based in San Francisco, I lead Rubrik’s cloud security program, drawing on nearly a decade of experience in the information security field. I have served as a founding security engineer twice, building security programs from the ground up, and I am passionate about advancing the industry through both hands-on engineering and research. My achievements include being ranked as the #1 security researcher for HubSpot’s and Quora’s Bug Bounty programs, and I am the inventor on a pending patent for efficient vulnerability analysis over backups – https://patents.google.com/patent/US20230376605A1/en
I also have past experience presenting my work with AWS some years back – https://www.youtube.com/watch?v=Bd4pTqAuvBQ