PKI at Scale Using Short-Lived Certificates - USENIX Enigma 2016

Explore the challenges and solutions of deploying Public Key Infrastructure (PKI) at scale for cloud applications in this 21-minute conference talk from USENIX Enigma 2016. Dive into the world of PKI deployments, focusing on protecting internally facing microservices using TLS with mutual authentication. Learn about the pros and cons of using short-lived certificates, operational challenges in scaling certificate authority services, handling certificate reloading at runtime, and determining instance trustworthiness for credential renewal. Gain insights into high-profile attacks, revocation methods, OCSP challenges, and the "Penny Analogy" for understanding short-lived certificates. Discover how chaos engineering and AWS keys play a role in PKI management at scale.

Intro
High profile attacks
PKI at scale
What do people do today
Revocation
OCSP
OCSP Challenges
OCSP Staple
The Problem
Penny Analogy
Shortlived Certificates
Chaos
AWS Keys