
X9 Financial PKI Announcement & Q&A

Overview

On April 2, 2025, DigiCert and X9 publicly announced an agreement to release the X9 Financial PKI. This is the first PKI built just for the financial industry. It is designed to meet the unique need for control, security, and interoperability for banks, ATMs, and financial service providers. You can view the webinar at the link below. At the end of the webinar, a question and answer session was held. The questions and answers are provided below.

DigiCert and X9 PKI Announcement Webinar:
https://digicert.ondemand.goldcast.io/on-demand/a98be869-d3fc-41b7-99e6-dd2d1dc9ea58

Questions and Answers from the Webinar:

  • What is the X9 PKI, and why is it important for financial institutions?

The X9 public key infrastructure (PKI) is a dedicated security framework designed specifically for financial institutions. Unlike the traditional web PKI, which was built to serve browser needs, the X9 PKI provides independent, stable, and secure digital certificate management. This ensures seamless interoperability between banks, ATMs, and other financial entities while reducing the risk of unexpected security disruptions.

  • How does the X9 PKI differ from browser-based PKI?

Traditional web PKI certificates are primarily designed for web security, meaning financial institutions have had to adapt their systems to changes dictated by browser vendors. This approach led to major issues, such as the SHA-1 to SHA-2 migration, where financial systems struggled to maintain interoperability. The X9 PKI is built specifically for financial services, providing a dedicated, industry-driven root certificate controlled by financial institutions—not third parties.

  • What are the key benefits of using the X9 PKI for financial services?

The X9 PKI offers several advantages for banks, ATMs, and financial service providers:

    1. Independence from the web PKI: No reliance on browser-based certificate policies that could disrupt operations.
    2. Secure interoperability: A common root certificate enables secure communication across financial institutions.
    3. Scalability and flexibility: Financial organizations can integrate existing PKI systems with the X9 root through cross-certification.
    4. Future-proofing security: Ensures financial institutions can manage security transitions on their own terms, avoiding last-minute disruptions.

  • What problem does the X9 PKI solve for banks and ATMs?

Many financial institutions still rely on older PKI models tied to browsers, making them vulnerable to unexpected policy changes. A key example is the SHA-1 to SHA-2 transition, which caused massive interoperability issues for ATMs and banking infrastructure. The X9 PKI eliminates this risk by providing a stable, dedicated root certificate designed for financial security—ensuring that banks and ATMs can communicate securely without external dependencies.

  • Is the X9 PKI only for U.S. financial institutions?

While ASC X9 is a U.S.-based standards organization, the X9 PKI is designed for global adoption. Financial institutions worldwide can cross-certify with the X9 root, ensuring secure and interoperable communication across borders.

  • How can financial institutions adopt the X9 PKI?

Banks, ATMs, and financial service providers can integrate the X9 PKI by working with DigiCert and its partners. The infrastructure allows for cross-certification, so organizations with existing PKI systems can seamlessly transition without disrupting current operations.

  • What impact will the X9 PKI have on financial cybersecurity?

By providing a dedicated, scalable, and secure PKI infrastructure, the X9 PKI helps financial institutions:
i) Reduce cybersecurity risks by eliminating reliance on external browser-based certificate policies.
ii) Ensure long-term stability with a trusted industry-backed root certificate.
iii) Enhance compliance with evolving financial security regulations.

  • What type of validation would be required?

The validation depends on the use case. These will be documented in the CP.

  • Can anyone get a certificate?

“Anyone” is pretty broad. There are restrictions for certain countries but in general, the X9 PKI will be available globally.

  • Does this CA have a “Relying Party” clause?

All are described in the CP.

  • Is this service different than any commercial product by DigiCert?

This is a private PKI specifically built for the X9 requirements.

  • Is Treasury offering a level of liability and support for this CA?

Treasury could be a potential user of this PKI.

  • Are user certificates one of the use cases of the X9 PKI?

Yes, they are. A complete use case document will be available after this webinar.

  • Will the X9 Issuing CAs be regularly audited by a 3rd party auditor?

Yes, a WebTrust audit is required.

  • Is the CP of the X9 PKI publicly available?

Yes, it will be after this webinar.

  • Is X9 replacing PKI 8?

PKI 8 is a DigiCert product. X9 is an industry standard. Totally different.

  • Is X9 part of DigiCert One?

That product will be used to implement this PKI.

  • What types of audits are required?

WebTrust.

  • The large banks tend to be very good at security and small banks, VERY bad. How do we get protection from these bad banks?

A uniform registration authority will be used to determine qualifications for obtaining certificates.

  • Can I still manage my own missing CAs you the X9 root?

Privately managed PKIs can be cross-certified with the X9 PKI.

  • How does X9 address Google’s proposal of shortening cert validity dates to 90 days?

That’s a different use case, not addressed by X9.

  • How will X9 protect from CAB requirements?

The use cases are different. The CA/B Forum requirements apply to website TLS certificates. Most of the X9 use cases are for other purposes.

  • Is Fed Bridge PKI still operating? Can we learn any lessons from it?

Yes, and that was examined as part of the study group over the past 4 years.

  • Will test certificates also be available in PQC flavor?

Yes, that is the plan.