<p style="text-align: justify;">The subject of this thesis is the efficient deployment of Public Key Infrastructures (PKI), more specically, a way to securely and automatically provide and deploy X.509 certicates, using web services as a mean of communication between the Certicate Authority and end-entities. This is highly relevant since more and more organizations are using PKI services in order to, for example, securely communicate through insecure channels like the Internet, digital signing operations or to provide non-repudiation properties to protocols and information systems.</p><p style="text-align: justify;">Although PKI technologies have become pervasive among most institutions, there are still very few well known protocols that support automatic certicate provisioning; the Simple Certicate Enrollment Protocol (SCEP) and the Automatic Certicate Management Environment (ACME). However SCEP suffers from some security flaws and ACME is highly focused on a single PKI application domain.</p><p style="text-align: justify;">We have examined the problem to try to understand if it is possible to more generally deploy such an automatic service and to what extent these generalizations can be considered secure. The thesis begins with a constructive research to analyze existing solutions, and from the research made, we devise and implement a fully working solution that we think satises our initial goals.</p><p style="text-align: justify;">In this thesis we present and describe a fully implementation of an architecture to deploy such a service. Our system relies on the delivery of security elements, like cryptographic tokens or smartcards containing an administrative certicate, to the PKI end-entities, as a security anchor.</p><p style="text-align: justify;">We have also developed a framework architecture for PKI backoce services, a data model for end-entity interactions with the backoce PKI services and a secure Remote Procedure Call based API for end-entity client software to use for the automatic provisioning of X.509 certicates, and other usual PKI operations.</p><p style="text-align: justify;">&nbsp;</p>