#KEYMASTER: Scaling PKI: Lessons from the Field

In this #KEYMASTER episode, Product Architect Mike Agrenius Kushner joins Sven Rajala to unpack a critical topic: how to effectively design and scale a Public Key Infrastructure (PKI) system.

Drawing from over 15 years of hands-on PKI experience, Mike shares practical insights into architecture decisions, performance bottlenecks, and how modern technologies are reshaping the space.

Watch video on YouTube

Designing for Scale: Where to Start

When building a PKI system from scratch, the first question isn’t technical—it’s strategic. What matters more: throughput, volume, or both?

This decision directly influences your scaling approach:

• Vertical scaling: Increasing resources (CPU, memory) on a single machine.
• Horizontal scaling: Distributing workloads across multiple nodes or instances.

Each approach has trade-offs. Vertical scaling is simpler but limited by hardware ceilings, while horizontal scaling offers flexibility and resilience—but adds complexity.

Common Bottlenecks in PKI Systems

As systems grow, performance constraints inevitably surface. Mike highlights three key bottlenecks:

1. HSM (Hardware Security Module) limitations
   If your HSM cannot sign certificates fast enough, it becomes a hard cap on throughput.
2. Database performance
   PKI systems generate heavy and sensitive workloads. Databases must handle high write/read volumes without compromising integrity.
3. Network infrastructure (often overlooked)
   In one real-world case, a customer’s bottleneck wasn’t software—it was a network switch. Upgrading it unlocked their full system capacity.

How PKI Scaling Has Evolved

Over the past 15 years, PKI architecture has undergone a major transformation:

• From isolated hardware → cloud environments
  Early PKI deployments relied on dedicated physical servers. Today, cloud infrastructure enables elastic scaling and better resource utilization.
• Rise of containerization and orchestration
  Tools like Kubernetes allow systems to scale horizontally with ease, distributing workloads dynamically across clusters.
• Shift in HSM usage
  Traditional PCI-based HSM cards are increasingly replaced by network-attached HSMs, enabling more flexible and scalable deployments.

The Role of Modern Software Improvements

Not all gains come from infrastructure. Software evolution plays a role too:

• Updates in Java, particularly in newer versions like JDK 21, have significantly improved garbage collection performance.
• These optimizations reduce latency and improve overall system efficiency—especially important in high-throughput PKI environments.

Scaling with Kubernetes: Infrastructure Over Code

Interestingly, most scalability improvements don’t require rewriting PKI logic itself.

Instead, tools like Kubernetes enable scaling at the infrastructure level:

• Deploying via Helm charts
• Managing distributed workloads
• Automating failover and load balancing

This means teams can scale systems without deeply modifying core PKI codebases.

Key Takeaways

• Start with priorities: Define whether throughput, volume, or both matter most.
• Choose the right scaling model: Vertical for simplicity, horizontal for flexibility and growth.
• Watch for bottlenecks:
  • HSM performance
  • Database load
  • Network infrastructure
• Leverage modern tools: Cloud platforms and Kubernetes dramatically simplify scaling.
• Don’t ignore software improvements: Runtime optimizations (like in Java) can yield significant gains.
• Infrastructure matters as much as code: Many scaling wins come from deployment strategy, not application changes.

Designing a scalable PKI isn’t just about cryptography—it’s about systems thinking. With the right architecture and tools, even the most demanding PKI workloads can scale efficiently and reliably.

Learn more

• Solution area: Use EJBCA as a Large-scale Enterprise PKI