Modernizing PKI for Zero Trust and Microservices: Insights from Rakesh Keshava

In the ever-evolving digital landscape, the foundation of secure communication and trusted identity; Public Key Infrastructure (PKI) is being pushed to its limits. As systems become increasingly decentralized, workloads more ephemeral, and attack surfaces more dynamic, legacy PKI models are proving inadequate for the realities of zero trust architectures and service-based computing.

Mr. Rakesh Keshava is a Software Architect in the field Cybersecurity with over 17 years of industry experience, is a Fellow of the Institution of Electronics and Telecommunication Engineers (IETE), Full member of Sigma Xi, a Senior Member of IEEE, an IEEE Day 2025 Ambassador, and currently serves as Chair of the ACM Fremont Chapter, which fosters collaboration and knowledge sharing among professionals, researchers, and students in the Bay Area. He is the named inventor on multiple U.S. patents in the areas of cryptography, identity-centric security, and automated key lifecycle management, with his work cited extensively by leading global technology firms. His professional journey reflects a strong balance of research excellence and practical industry impact across enterprise security, cloud systems, and AI-driven security solutions.

He believes the future of digital trust lies in modernizing Public Key Infrastructure (PKI) to align with the velocity, granularity, and dynamic risk profiles of today’s systems. He advocates that PKI must evolve to become agile, automated, and context-aware, capable of supporting hybrid cloud, zero-trust architectures, and distributed digital ecosystems. Rakesh emphasizes that PKI should not only protect static assets but also dynamically secure ephemeral identities, workloads, and agent-to-agent communication across modern environments. His vision places PKI at the center of digital trust, ensuring it matches the complexity and pace of the systems it is meant to secure.

The Breaking Point of Traditional PKI

“Traditional PKI was never designed to operate in a world where workloads are created, scaled, and destroyed in minutes,” says Mr. Rakesh. “The old approach of issuing long-lived certificates manually and storing them in static locations simply cannot support today's infrastructure.”

A clear sign of this shift is the reduced certificate validity enforced by major browser vendors. Public TLS certificates, once valid for up to five years, are now capped at 398 days, with growing pressure to go shorter. This trend reflects a broader industry realization: short-lived credentials reduce the risk of compromise and make automated rotation a necessity.

For internal PKI, the shift is even more dramatic. Organizations are experimenting with certificates that expire in 24 hours or even less. This approach strengthens security posture but creates an operational challenge: legacy PKI systems can't handle the volume or velocity of issuance and renewal at this scale.

Zero Trust Starts with Identity and PKI Delivers It

Zero trust, as a model, demands continuous verification of identity; regardless of location, network, or assumed privilege. That means every user, device, application, and service must prove its authenticity at every point of interaction.

“PKI is the engine behind that proof,” Mr. Rakesh explains. “It enables secure, cryptographically verifiable identity for both human and machine actors. But only if it's designed to work dynamically.”

In a zero-trust context, trust isn't established by being “inside the firewall” or on a certain subnet. It's established by cryptographically asserting identity and that’s precisely what a certificate does, when issued based on real-time policy and usage context.

What Defines a Modern PKI

Mr. Rakesh outlines several characteristics that differentiate modern PKI from its legacy counterparts:

• Ephemeral by design: Certificates must have short validity ranging from a few hours to a day requiring regular rotation. This reduces exposure and enforces re-verification.
• Policy-driven automation: Issuance, renewal, and revocation processes should be fully automated and controlled by business and security policies, not manual intervention or static configuration.
• Identity-bound credentials: Certificates should not rely on network metadata like IPs or DNS names. Instead, they should be bound to trusted identity claims such as workload roles, verified service accounts, or authenticated users.
• Observability and auditability: Certificate activity must be logged, monitored, and auditable in real time especially for high-sensitivity systems.
• Cross-domain scalability: PKI should seamlessly support distributed workloads, across multiple data centers, cloud environments, and regions without single points of failure.
• Cryptographic agility: The infrastructure must support future-proof cryptography including a transition path to post-quantum algorithms without needing full redesigns.

Where Modern PKI Adds Value

Beyond public web services, modern PKI is now a strategic asset in securing internal systems. Its use cases include:

• Secure communication between services over encrypted channels with mutual certificate validation.
• Validating internal API calls using signed certificates rather than static tokens.
• Ensuring authenticity of software releases and internal configuration files.
• Establishing encrypted tunnels between regions or isolated environments.
• Issuing certificates to developers or administrators for privileged access automated and role-aware.

“In all these cases,” Mr. Rakesh notes, “certificates serve as digital passports that can prove, securely and independently, who or what a system is. But for that to work reliably, the issuance and trust process must be fast, contextual, and revocable.”

Why Short-Lived Certificates Should Be the Default

One of Mr. Rakesh’s strongest recommendations is to adopt short-lived certificates across internal systems. Instead of rotating secrets manually or relying on long-term trust, short-term credentials force re-validation, enforce hygiene, and support dynamic scaling.

“If a certificate only lasts 12 hours, you don’t need to worry about revocation lists or expired keys hanging around for months,” he says. “Short-lived certs reset the trust boundary continually and that aligns with the realities of modern operations.”

He advises starting with 7 day lifespans and gradually moving toward daily or even hourly expirations, combined with policy-based auto-renewal and enforcement.

A visual roadmap showing PKI’s evolution from long-lived certificates to short-lived automation and fully modernized, agile trust.

The diagram above captures the strategic progression of PKI from its traditional roots to a modern, dynamic trust framework suited for today’s security landscape. On the left, we see the Classic PKI model, where certificates are long-lived, manually issued, and bound to static systems like servers or hostnames. This model assumes a stable environment and low issuance frequency which no longer hold true in distributed systems.

In the center, the Modern PKI stage introduces short-lived certificates and automated renewal, shifting trust from static assets to real-time identity verification.

This leads to the final phase, PKI Modernization, where trust decisions are fully integrated with system lifecycles, security policies, and cryptographic agility. At this stage PKI becomes context-aware, as credentials are tied to workload roles, service accounts, and authenticated identities rather than static IPs or DNS names. It is auditable and observable, with certificate activity continuously monitored in real time. It is scalable across clouds and regions, avoiding single points of failure while supporting hybrid and multi-cloud environments. It is also cryptographically agile, designed to transition seamlessly to stronger and post-quantum algorithms without disruption.

In this state, certificate management is no longer a background task but an integral part of the security fabric. It lays the foundation for Zero Trust by ensuring that every connection, request, or process can be cryptographically verified on demand.

Common Pitfalls in PKI Modernization

Despite the urgency, many organizations fall into predictable traps when attempting to modernize their PKI systems. Mr. Rakesh outlines four of the most common and how to avoid them:

• Treating PKI as a one-time deployment: Many teams install a CA and assume the job is done. But PKI is not static. It must evolve continuously policies updated, keys rotated, issuance volumes monitored, and vulnerabilities mitigated.
• Neglecting integration with system lifecycles: Certificates should be issued and revoked in tandem with the systems they secure. If a certificate outlives the system it was issued to, it becomes a risk. Integration with provisioning and decommissioning processes is critical.
• Lack of proactive revocation strategy: Revocation is often misunderstood or delayed. Without automation and proper observability, expired or misused certificates may go undetected especially in internal environments.
• Hard-coding cryptographic algorithms: Building systems around fixed primitives like RSA-2048 or SHA-1 leads to rigidity and risk. Modern PKI must support crypto-agility, allowing smooth transitions to stronger or quantum-resistant algorithms as standards evolve.

“Crypto standards don’t change often,” Mr. Rakesh says, “but when they do, the cost of inflexibility is enormous. Designing with agility from the start is the only safe path forward.”

A Practical Path to Modern PKI

Mr. Rakesh emphasizes that modernization doesn’t need to be overwhelming especially if done in phases:

1. Inventory existing certificate usage across internal systems, workflows, and APIs.
2. Shorten certificate lifespans gradually, and implement auto-renewal processes that don’t rely on manual intervention.
3. Tie issuance to identity and role-based policies, ensuring credentials are only issued to authorized actors.
4. Monitor and audit all certificate activity, including failed requests, unusual usage patterns, and renewals.
5. Plan for crypto-agility and post-quantum migration, even if just in test environments, to future-proof your infrastructure.

PKI is not just a backend utility or compliance checkbox it’s a core enabler of trust in today’s digital ecosystem. As businesses adopt zero trust, accelerate digital transformation, and secure increasingly complex systems, modernizing PKI is no longer optional, it’s foundational.

“Trust in 2025 and beyond will depend on systems that can prove who they are, what they’re allowed to do, and whether they’re doing it securely,” Mr. Rakesh concludes. “Modern PKI is how we enable that trust at scale, in real time, and with confidence in the future.”

"The views and opinions expressed in this article are solely my own and do not necessarily reflect those of any affiliated organizations or entities."