Skip to main content
purple hex pattern

What is PKI?

Public key infrastructure includes the policies, roles, hardware, software, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. A digital certificate works like a passport or driver’s license by proving your identity and providing certain allowances.

The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email. It's a system that allows users and machines to securely exchange data over the internet and verify the other party’s identity.

For example, when you log in to your online banking account, PKI encrypts the connection and ensures your sensitive information remains private and secure. That way, you can safely input your credentials and access your account with the assurance you’re not interacting with an illegitimate website.

Components of PKI

Public key infrastructure is not a single technology, but a combination of several essential parts. Together, they provide the technologies and processes to manage encryption, protect data, and secure communication at scale.

At a high level, PKI includes:

  • PKI keys: A key pair that enables encryption — a process of concealing data to prevent anyone but the intended recipient from reading it. In cryptography, each public key is paired with a private key. The public key is distributed freely and openly, while the private key is secret to the owner.
  • Digital certificates: Electronic credentials that bind the certificate holder’s identity to a key pair that can be used to encrypt and sign information. 
  • Certificate authority (CA): A trusted entity that issues digital certificates. 
  • Registration authority (RA): Responsible for accepting certificate requests and authenticating the individual or organization behind them.
  • Certificate repositories: Secure locations where certificates are stored and can be retrieved for validation.
  • Centralized management software: A dashboard where organizations can manage their cryptographic keys and digital certificates.
  • Hardware security module (HSM): Physical devices that provide a secure environment for performing cryptographic operations and storing/managing digital keys.

Many of these components are available through comprehensive PKI providers. For example, Entrust PKI is an industry-leading solution organizations use to keep people, systems, and resources securely connected. As a flexible offering, it’s available on-premises, in the cloud, and as a managed PKI service.

How does PKI work?

Knowing how PKI works can help you understand why it’s essential and how your organization can maximize its capabilities. Here’s a closer look at each piece in more detail:

Cryptography and encryption

Although related, these terms are not interchangeable. Cryptography is the science of securing communications through code, whereas encryption is a subset of cryptography that does this using mathematical algorithms. Both obfuscate sensitive information, rendering them unreadable to unauthorized entities.

Encryption algorithms fall into two categories:

  • Symmetric encryption: This method uses the same cryptographic key to encrypt (secure) and decrypt (unlock) data. Despite the simplicity, it’s akin to putting all your eggs in one basket — anyone who compromises the key can access whatever it’s protecting.
  • Asymmetric encryption: By contrast, asymmetric encryption is used throughout PKI, hence why it’s also called “public key cryptography.” This method uses a mathematically linked key pair to handle encryption and decryption separately. Since the private key permits access, it’s known only to the entity receiving the protected message.

Let’s say you want to send a confidential message to John. You encrypt the message using John's public key, which is available to anyone. This ensures only John's private key, which he keeps secure, can decrypt the message. This setup prevents anyone else, including potential attackers, from reading the contents.

But how do you know the public key you received belongs to who you think it does? Without authentication, you risk falling victim to a man-in-the-middle (MITM) attack. That’s when an imposter uses a public key to intercept and alter communications for nefarious purposes, such as harvesting data.

Fortunately, that’s where digital certificates come into play.

Digital certificates

A digital certificate, sometimes called a “public key certificate,” is an electronic document used to identify the owner of a public key. This allows the recipient to confirm the key came from a legitimate source, mitigating the risk of an MITM attack. 

Certificates typically include:

  • Identifiable information, such as the certificate holder’s name, the certificate’s serial number, and its expiration date
  • A copy of the public key
  • The digital signature of the issuing CA for proof of authenticity

Certificate authorities

A certificate authority, or certification authority, is a trusted third-party organization that creates and issues digital certificates. In the case of a public CA, they’re also responsible for vetting and validating the identities of certificate holders, making them an integral part of public key infrastructure.

All CAs must maintain a “certificate revocation list.” In short, it documents all certificates revoked by a trusted CA before their scheduled expiration date, identifying any that should no longer be trusted.

Broadly speaking, there are two types of CAs:

  • Root CA: The most trusted type of CA in the PKI hierarchy. A Root CA's certificate is self-signed, which means it’s authenticated by its own digital signature. These CAs form the foundation of trust since their certificates are used to create, sign, and issue certificates to subordinate CAs or directly to end entities.
  • Subordinate CA: An organization certified by a Root CA or a subordinate higher up in the chain. Certificates issued by a Subordinate CA carry the signature of the Root CA, thus inheriting trust. Each certificate in the chain is responsible for certifying the authenticity of the next, creating a continuous and reliable trust path from top to bottom.

How do CAs create digital certificates? The basic process works like this:

  1. Key generation: A user generates a key pair.
  2. Certificate request: The user sends a certificate signing request (CSR) to a CA, including their public key and identifying information.
  3. Verification: The CA validates the user’s identity, often with the help of an RA. 
  4. Certificate issuance: Once verified, the CA issues a digital certificate containing the user’s public key and other identification details. This certificate is also signed by the CA’s private key, creating a digital signature.
  5. Certificate use: When engaging in secure communications, the sender can encrypt the message using the recipient’s public key. Upon receiving it, the recipient can decrypt the message using their private key.

Certificate management systems

Certificate management systems are software solutions that facilitate all aspects of the certificate lifecycle. From certificate enrollment and issuance to distribution, revocation, and renewal, they use automation to streamline processes and ensure cryptographic assets are managed appropriately.

For instance, some solutions keep detailed logs of all related activities, aiding in compliance with regulatory requirements and internal audits. By centralizing management through one source of truth, organizations reduce the risk of mismanaged certificates and improve data protection.

Hardware security modules

Finally, HSMs play a pivotal role in PKI’s security architecture. In basic terms, they’re physical devices designed to protect cryptographic processes by generating, storing, and handling keys in a hardened, tamper-resistant environment.

Take key generation, for example. A hardware security module can create a key pair using high-quality random number generators, crucial for maintaining the strength and integrity of cryptographic systems. Since the keys never leave the device in plaintext form, their exposure to potential vulnerabilities is minimized.

Likewise, one of an HSM’s primary functions is private key storage. Keeping them in a hardware environment protects them from being extracted or compromised by unauthorized entities.

Learn more about Entrust PKI solutions and download our PKI buyer's guide today.

Why is PKI important?

Perhaps the best way to understand why PKI matters is to put its use cases into perspective. Here are some of the most significant ways organizations leverage PKI to their advantage:

1. Secure communication

PKI is a cornerstone for protecting various forms of digital communication, including email, messaging services, and more. Not only does it safeguard these channels, but it also makes them more trustworthy to all parties involved — consumers, partners, employees, citizens, etc.

2. Authentication and access control

PKI provides strong authentication mechanisms for users accessing systems, networks, or online services. Certificates can serve as a form of secure digital identification, ensuring access is granted only to verified users.

These capabilities make PKI especially useful to organizations implementing a Zero Trust security model. Zero Trust operates on the principle of "never trust, always verify," which necessitates continuous authentication to confirm every user and device accessing resources, regardless of location.

Plus, this approach pays off. According to Forrester research, Zero Trust security can amplify business outcomes while improving user experience.

3. Safe internet browsing

Many aspects of PKI are highly relevant to internet browsing and online transactions. With Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, browsers leverage digital certificates to authenticate websites and establish encrypted connections. More simply, they inform end users they’re accessing a trustworthy domain.

TLS/SSL certificates ensure all information transferred between the web server and browser remains private. Websites and servers that lack certificates are susceptible to attacks and risk allowing sensitive data to fall into the wrong hands.

4. Document signing and timestamping

Digital signatures powered by PKI verify the authenticity and integrity of electronic documents. This is essential for legal paperwork, contracts, and other records where proof of originality and consent is required.

Most importantly, document signing certificates serve three key purposes: 

  • Authenticity: The certificate confirms the document has been signed by the individual or entity that holds the corresponding private key to the public key in the certificate.
  • Integrity: Any alteration to the document after it has been signed invalidates the digital signature. This ensures the document received is exactly what the signer had intended to send, without any modifications.
  • Non-repudiation: The signer cannot deny the authenticity of their signature on a document, as the digital signature and the associated certificate provide strong evidence of the signer’s identity and their agreement with the document contents at the time of signing.

5. Code signing

Software developers use code signing certificates to authenticate their scripts. That way, end users can verify the software they download has not been altered. This helps protect against malware, maintain software integrity, and build consumer confidence.

6. Internet of Things (IoT)

With the proliferation of connected devices, machines tend to outnumber human users. These devices — such as sensors that collect, store, and transmit data to other machines — are potentially vulnerable to cyber threats. But, with so many to manage, IoT security has grown increasingly difficult.

By providing each device with a unique digital certificate, PKI ensures robust authentication, verifying the devices communicating are indeed legitimate. This is crucial for preventing unauthorized access and data breaches.

Moreover, PKI facilitates encrypted communications between devices, safeguarding the transmission of sensitive data from eavesdropping and tampering. This comprehensive security approach is essential for maintaining the integrity and confidentiality of data across increasingly complex IoT ecosystems.

PKI best practices

Here are some best practices to make the most of your PKI implementation:

  • Use private key storage: Implement strong mechanisms for protecting private keys, such as using HSMs which provide physical and logical protection against tampering and unauthorized access.
  • Practice regular key rotation and renewal: Keys and certificates should not be used indefinitely. Establish a routine for regular key rotation and certificate renewal to mitigate the risks associated with key exposure and to enhance security. Also, revoke cryptographic assets when necessary, such as if an employee leaves the company or a private key is compromised.
  • Implement strong authentication schemes: Integrate multi-factor authentication (MFA) to enhance security, especially for accessing PKI systems and performing sensitive operations such as certificate issuance or revocation.
  • Centralize certificate and key management: Implement tools and processes for managing the entire lifecycle of certificates, from issuance to revocation or expiry. Ensure these tools facilitate compliance with PKI policies and security standards.
  • Create key backup and recovery policies: Establish and regularly test backup and recovery procedures to confirm that critical PKI components can be recuperated quickly and securely after a disruption or disaster.
  • Keep policies and procedures updated: Certificate policies (CP) and certification practice statements (CPS) are essential to PKI. The CP is a comprehensive document that outlines the different classes of certificates issued by a Certificate Authority and their applicable policies. The CPS details how the CA implements these policies in a technical capacity. Keeping these documents up to date is fundamental to maintaining security, trust, and legal compliance. They should be regularly reviewed and revised to align with the dynamic landscape of cybersecurity, technology, and regulatory changes.

Balance security and user experience with Entrust PKI

Only a comprehensive PKI solutions can achieve the goal of establishing and maintaining a trustworthy networking environment while at the same time providing an automatic, transparent, and user-friendly system. Fortunately, with Entrust, you get everything you need to succeed.

Our Managed PKI services establish certificate-driven identities to secure users, apps, and devices in your evolving enterprise. Plus, our experts will handle the initial setup, configuration, ongoing maintenance, and audits on your behalf. Why? To ensure your PKI implementation is the best it can be.

Learn more about Entrust PKI solutions and download our PKI buyer's guide today.