PGB-PKI: A Module-Internal Decentralized PKI for Modular Automation

Field-level certificate management in industrial automation remains dominated by centralized and largely protocol-specific trust architectures. This conflicts with modular and flexible production systems, where heterogeneous devices inside a Production Gray Box (PGB) may require certificate-based lifecycle operations without direct access to an operator-side public key infrastructure (PKI). This paper presents a Chord-based overlay for protocol-agnostic certificate management that embeds a decentralized PKI into the PGB through threshold operations and a separate admission trust anchor for post-lock device admission. It defines a modular-automation-specific lifecycle covering bootstrapping, distributed key generation, local device identifier issuance, locking, and additional device admission. A prototype provides qualitative evidence that these steps can be executed inside a PGB without depending on operator-side PKI.