EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityPKIKMSHSM

PKI, Certificate Lifecycle & Key Management in the Cloud

How the certificate trust hierarchy works, the complete PKI lifecycle from issuance to revocation, cloud-native PKI services, and the key management practices that determine whether your encryption controls actually hold.

Ashish Revar3 July 202613 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS Certificate Manager Developer Guide

Complete AWS ACM guide covering certificate issuance, auto-renewal, and integration with services.

blog
AWS Certificate Manager Developer Guide

Complete AWS ACM guide covering certificate issuance, auto-renewal, and integration with services.

blog
NIST SP 800-57: Recommendation for Key Management

The definitive NIST guidance on cryptographic key management including lifecycle, algorithms, and length.

paper
NIST SP 800-57: Recommendation for Key Management

The definitive NIST guidance on cryptographic key management including lifecycle, algorithms, and length.

paper
AWS CloudHSM Documentation

AWS CloudHSM setup, usage, and FIPS 140-2 Level 3 compliance documentation.

blog
AWS CloudHSM Documentation

AWS CloudHSM setup, usage, and FIPS 140-2 Level 3 compliance documentation.

blog
Let Encrypt — Certificate Authority Overview

How Let Encrypt issues and renews free TLS certificates using the ACME protocol.

blog
Let Encrypt — Certificate Authority Overview

How Let Encrypt issues and renews free TLS certificates using the ACME protocol.

blog
More articlesTest your knowledge

Why Key Management Is Not an Afterthought

Encryption without rigorous key management is security theatre. A perfectly encrypted volume is worthless if the encryption key is:

  • Stored in plaintext next to the data it encrypts
  • Never rotated after a team member departs
  • Backed up without encryption
  • Held by a single person with no succession plan

Cloud key management services solve these problems at scale — but only if configured correctly.

Public Key Infrastructure: The Certificate Trust Hierarchy

PKI is the system that binds cryptographic public keys to verified identities through digital certificates (X.509 standard).

The Three-Level Hierarchy

Root CA (Certificate Authority): The trust anchor. The root CA certificate is self-signed and pre-installed in operating systems and browsers. Kept offline in a hardware security module (HSM). Never directly issues end-entity certificates.

Intermediate CA: Signed by the Root CA. Issues certificates to end entities. If compromised, can be revoked without replacing the Root CA.

End-Entity Certificate: The certificate presented by your web server, your API endpoint, your email client. Signed by an Intermediate CA.

When a browser connects to https://yourcloud.app:

  1. Server presents its certificate
  2. Browser checks the certificate was signed by a known Intermediate CA
  3. Browser checks the Intermediate CA was signed by a trusted Root CA
  4. Browser verifies the certificate is not revoked (OCSP or CRL check)
  5. Browser verifies the certificate covers the hostname being visited

Core PKI Operations

OperationPurposeCloud Tool
IssueGenerate and sign a new certificateAWS ACM, Azure Key Vault, GCP Certificate Manager
RenewReplace expiring certificate with fresh oneACM auto-renewal; cert-manager for Kubernetes
RevokeInvalidate a compromised certificate before expiryCRL / OCSP; ACM revocation
ValidateVerify a certificate chain and revocation statusOCSP stapling; browser and SDK validation

Certificate expiry is one of the most common causes of outages. AWS ACM auto-renews certificates for resources it manages (ALB, CloudFront). For self-managed certificates, set calendar reminders at 90, 30, and 7 days before expiry.

Cloud-Native PKI Services

ServiceProviderUse Case
AWS Certificate Manager (ACM)AWSFree TLS for ALB, CloudFront, API Gateway; auto-renewal
AWS Private CAAWSInternal PKI for microservices, IoT, VPN clients
Azure Key Vault CertificatesAzureCertificate management integrated with Key Vault
Google Certificate Authority ServiceGCPManaged private CA for internal services

Key Management: The Key Lifecycle

Generation

Keys must be generated using a cryptographically secure random number generator (CSPRNG). Keys generated on HSM hardware never exist in plaintext outside the HSM.

Distribution

Keys are shared using secure channels:

  • Asymmetric key exchange (TLS, ECDH) for session keys
  • Envelope encryption for data keys (see previous topic)
  • Secrets Manager or Parameter Store for application keys

Rotation

Key TypeRotation Frequency
Data encryption keysAnnually or per data set
Master keys (KMS CMKs)Annually (AWS auto-rotation available)
API access keys90 days maximum
TLS certificatesBefore expiry (90-day Let Encrypt standard)
SSH key pairsWhen team composition changes

Revocation and Destruction

Keys must be securely destroyed when no longer needed. NIST SP 800-88 provides guidelines for cryptographic key destruction. On HSMs, destruction is guaranteed — the key material never left hardware.

KMS vs. HSM

FeatureAWS KMSAWS CloudHSM
Key storageManaged HSM fleetDedicated HSM hardware
Key typesSymmetric, asymmetric, HMACFull HSM capabilities
ManagementFully managedCustomer manages HSM software
ComplianceFIPS 140-2 Level 2FIPS 140-2 Level 3
CostPer-call pricing ($0.03/10,000 calls)$1.60/hour per HSM
Use caseGeneral cloud encryptionPCI-DSS, eIDAS, custom CA root key

Key Management Rules That Matter

  1. Never store keys adjacent to the data they protect
  2. Never generate keys in insecure environments (developer laptops, shared build servers)
  3. Always rotate keys after any team member with access departs
  4. Always enable KMS key rotation (auto-rotation in AWS KMS is off by default — turn it on)
  5. Always restrict KMS key policies to specific services and principals
  6. Always log all KMS operations — every key use generates a CloudTrail event

Key Takeaway

PKI and key management are the operational side of encryption. Perfect algorithms fail when keys are mismanaged. Use cloud-native KMS services, enforce rotation, restrict key policies to least privilege, and audit every key operation through CloudTrail.