Exploring Cloud-Adaptable Architectures for Public TLS Certificate Issuance Under Established Trust Constraints
Keywords: Public Key Infrastructure, TLS Certificate Issuance, Cloud Architecture, Hardware Security Modules, Certificate Authority Compliance, Trusted Execution Environments, Audit Integrity
Abstract
Public Transport Layer Security (TLS) certificate issuance systems form a critical component of the global internet trust ecosystem, enabling encrypted and authenticated communication for web services, cloud platforms, and distributed applications at internet scale. These systems operate within a well-defined compliance framework anchored by RFC 5280 and the CA/Browser Forum Baseline Requirements, which establish outcome-oriented expectations around private key protection, auditability, system integrity, and separation of duties. Traditionally, operators have satisfied these expectations through tightly controlled infrastructure environments that minimize ambiguity over administrative access and operational behavior. The increasing adoption of cloud-based infrastructure raises substantive questions about whether and how equivalent assurances can be established within deployment models that differ structurally from those in which existing compliance expectations were formed. This article presents an independent, standards-informed exploration of how public TLS certificate issuance systems might evolve toward cloud-adaptable architectures while remaining aligned with established trust constraints. The analysis identifies key compliance foundations, characterizes commonly observed deployment patterns, and examines the tensions that cloud adoption introduces. Five architectural directions — cryptographic isolation via externalized hardware security modules, verifiable execution environments, append-only audit log integrity, policy-driven control planes, and layered composable trust models — are evaluated against established expectations. The findings indicate that trust in certificate issuance systems is fundamentally a function of demonstrable assurance rather than deployment environment and that cloud-adaptable architectures can potentially satisfy established expectations provided controls are explicit, verifiable, and independently validated.
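As an added illustration of the third architectural direction, append-only audit log integrity, the following Python is example code written for this page; it is not taken from the article and does not describe any particular CA's issuance system. It assumes a SHA-256 hash chain in which every entry commits to its sequence number, its predecessor's hash and a canonical JSON encoding of the event, together with an externally retained checkpoint (log length, head hash) that stands in for an independent witness; the issuance events are constructed sample data with hypothetical values. It shows which tampering is caught by the chain alone (an edit, a re-hashed edit, a deletion) and which is caught only with the checkpoint (a truncation, a fully rewritten suffix).

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed predecessor hash of the first entry


def canonical(obj) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so every writer hashes the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, prev_hash: str, event: Dict) -> str:
    # Each entry commits to its position, its predecessor and its payload.
    return hashlib.sha256(canonical({"seq": seq, "prev": prev_hash, "event": event})).hexdigest()


class AppendOnlyLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(seq, prev, event)}
        self.entries.append(entry)
        return entry

    def checkpoint(self) -> Tuple[int, str]:
        # (length, head hash): what an external witness retains to detect truncation or rewrite.
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return (len(self.entries), head)


def verify_chain(entries: List[Dict]) -> Optional[int]:
    """Return None if the chain is internally consistent, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if entry_hash(e["seq"], e["prev"], e["event"]) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def verify_against_checkpoint(entries: List[Dict], checkpoint: Tuple[int, str]) -> bool:
    """A consistent log may only grow: the witnessed head must still sit at the witnessed position."""
    length, head = checkpoint
    if verify_chain(entries) is not None or len(entries) < length:
        return False
    if length == 0:
        return True
    return entries[length - 1]["hash"] == head


def rewrite_suffix(entries: List[Dict]) -> List[Dict]:
    """What an insider must do to hide an edit: recompute every later prev/hash from scratch."""
    out, prev = [], GENESIS
    for i, e in enumerate(entries):
        entry = {"seq": i, "prev": prev, "event": e["event"], "hash": entry_hash(i, prev, e["event"])}
        out.append(entry)
        prev = entry["hash"]
    return out


def tamper_scenarios() -> Dict[str, object]:
    log = AppendOnlyLog()
    # Constructed sample issuance events; request ids, names and serials are hypothetical.
    log.append({"type": "csr_received", "request_id": "req-1", "cn": "example.com"})
    log.append({"type": "domain_validated", "request_id": "req-1", "method": "dns-01"})
    log.append({"type": "certificate_signed", "request_id": "req-1", "serial": "01"})
    log.append({"type": "ct_submitted", "request_id": "req-1", "logs": 2})
    cp = log.checkpoint()
    good = list(log.entries)

    edited = copy.deepcopy(good)
    edited[1]["event"]["method"] = "none"           # change the validation record after the fact
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = entry_hash(1, rehashed[1]["prev"], rehashed[1]["event"])
    rewritten = rewrite_suffix(edited)              # edit plus a consistent rewrite of everything after it
    deleted = good[:1] + good[2:]                   # drop the validation entry entirely
    truncated = good[:-1]                           # silently lose the newest entry

    return {
        "intact": verify_chain(good),
        "edited": verify_chain(edited),
        "rehashed": verify_chain(rehashed),
        "deleted": verify_chain(deleted),
        "truncated_chain": verify_chain(truncated),
        "rewritten_chain": verify_chain(rewritten),
        "intact_vs_checkpoint": verify_against_checkpoint(good, cp),
        "truncated_vs_checkpoint": verify_against_checkpoint(truncated, cp),
        "rewritten_vs_checkpoint": verify_against_checkpoint(rewritten, cp),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name}: {result}")
```

Editing entry k breaks the chain at k; re-hashing the edited entry only moves the break to k+1; deleting an entry is caught by the sequence number. The two cases the chain cannot see, truncation and a consistently rewritten suffix, are exactly the ones the independently retained checkpoint exposes, which is why the assurance argument rests on a witness outside the operator's control rather than on the hash chain by itself.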
References
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile," Internet Engineering Task Force, RFC 5280, May 2008. [Online]. Available: https://www.rfc-editor.org/rfc/rfc5280.html
CA/Browser Forum, "Baseline Requirements for TLS Server Certificates." [Online]. Available: https://cabforum.org/working-groups/server/baseline-requirements/documents/
B. Laurie, A. Langley, and E. Kasper, "Certificate transparency," Internet Engineering Task Force, RFC 6962, Jun. 2013. [Online]. Available: https://www.rfc-editor.org/rfc/rfc6962.html
B. Laurie, E. Messeri, and R. Stradling, "Certificate transparency version 2.0," Internet Engineering Task Force, RFC 9162, Dec. 2021. [Online]. Available: https://www.rfc-editor.org/rfc/rfc9162.html
M. Luo, B. Feng, L. Lu, E. Kirda, and K. Ren, "On the complexity of the web's PKI: Evaluating certificate validation of mobile browsers," IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 6, pp. 4747–4762, 2023. [Online]. Available: https://ieeexplore.ieee.org/document/10066507
H. Hadan, N. Serrano, and L. J. Camp, "A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents," Journal of Cybersecurity, vol. 7, no. 1, p. tyab025, 2021. [Online]. Available: https://academic.oup.com/cybersecurity/article/7/1/tyab025/6470936
A. Muñoz, R. Ríos, R. Román, and J. Lopez, "A survey on the (in)security of trusted execution environments," Computers & Security, vol. 129, p. 103180, 2023. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0167404823000901
J. Ménétrey, M. Pasin, P. Felber, and V. Schiavoni, "Attestation mechanisms for trusted execution environments demystified," in Distributed Applications and Interoperable Systems, Springer, Cham, 2022, pp. 95–113. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-031-16092-9_7
P. Phiayura and S. Teerakanok, "A comprehensive framework for migrating to zero trust architecture," IEEE Access, vol. 11, pp. 19487–19511, 2023. [Online]. Available: https://ieeexplore.ieee.org/document/10052642
N. F. Syed, S. W. Shah, A. Shaghaghi, A. Anwar, Z. Baig, and R. Doss, "Zero trust architecture (ZTA): A comprehensive survey," IEEE Access, vol. 10, pp. 57143–57179, 2022. [Online]. Available: https://ieeexplore.ieee.org/document/9773102
S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero trust architecture," National Institute of Standards and Technology, NIST Special Publication 800-207, Aug. 2020. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf
H. Joshi, "Emerging technologies driving zero trust maturity across industries," IEEE Open Journal of the Computer Society, vol. 6, pp. 25–40, 2024. [Online]. Available: https://ieeexplore.ieee.org/document/10764723
Y. Felk, "Confidential computing," in Trends in Data Protection and Encryption Technologies, Springer, Cham, 2023, pp. 103–108. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-031-33386-6_19
M. Sommerhalder, "Trusted execution environment," in Trends in Data Protection and Encryption Technologies, Springer, Cham, 2023, pp. 97–102. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-031-33386-6_18
R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, "Automatic certificate management environment (ACME)," Internet Engineering Task Force, RFC 8555, Mar. 2019. [Online]. Available: https://www.rfc-editor.org/rfc/rfc8555.html
License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
IJISAE open access articles are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Under this license readers may share, remix, transform, and build upon the material, provided they give appropriate credit, link to the license, indicate if changes were made, and distribute any contributions under the same license as the original.