PKI at Scale Using Short­-lived Certificates

Monday, January 25, 2016 - 3:30pm4:00pm

Bryan Payne, Netflix


While TLS is considered a “best practice” for security, deploying the underlying PKI at scale for cloud applications presents many challenges. This starts with the need to securely bootstrap secrets into each instance. The challenges continue at runtime with the need for insight into the continued trustworthiness of each instance. Unfortunately, in practice, it can be difficult to deploy and maintain such a PKI. In an effort to solve both scale and management challenges, some advocate for the use of short-­lived certificates in lieu of revocation lists. The idea is that a compromised private key is less valuable because it will only work for a limited timespan. But what is really required to deploy such a system?

This talk will take a deep dive into the world of PKI deployments at scale. We will start with a brief overview of PKIs in general before drilling into the specific use case of protecting internally facing microservices using TLS with mutual authentication. From here we will explore the pros and cons of using short-­lived certificates. Then we will look at the operational challenges around such deployments, including scaling certificate authority services, handling reloading of certificates into services at run­time, and determining if an instance is trustworthy enough to receive renewed credentials. We will close with some parting thoughts about the remaining challenges in this space.

Bryan Payne, Netflix

Dr. Bryan D. Payne has dedicated his career to the complex field of computer security. He currently leads the Platform Security team at Netflix, which focuses on building a secure foundation to support strategic security needs for the Netflix streaming service. Prior to Netflix, he worked on both offensive and defensive security projects for government, academia, and industry. As a result, Dr. Payne brings a unique perspective to modern security issues. He created the LibVMI open source project and was a co­founder of the OpenStack Security Group. His current interests include security at scale and cryptographic engineering.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {206256,
author = {Bryan Payne},
title = {{PKI} at Scale Using {Short--lived} Certificates},
year = {2016},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan,

Presentation Video