Library
Back to reading

5.11.7 What Is Public-Key Infrastructure (PKI)?

  1. What Is Public-Key Infrastructure?
  2. Why Is PKI Necessary?
  3. What Is a Digital Certificate?
  4. What Is a Certificate Authority?
  5. Why Do We Trust Certificate Authorities?
  6. What Is a Root Certificate?
  7. What Is a Certificate Chain?
  8. What Happens When You Visit a Secure Website?
  9. What Information Does a Certificate Contain?
  10. What Is Certificate Expiration?
  11. What Happens If a Private Key Is Compromised?
  12. What Is Certificate Revocation?
  13. How Are Revoked Certificates Checked?
  14. What Is Mutual Authentication?
  15. What Is an Internal PKI?
  16. Where Is PKI Used?
  17. What Are the Limitations of PKI?
  18. Will PKI Change in the Future?
  19. Why Is Public-Key Infrastructure Important?

Description

Understand how public-key infrastructures establish trust on the Internet. Learn how certificate authorities, digital certificates, certificate revocation, and trust chains enable secure websites, VPNs, secure email, and software updates.

Introduction

Public-key cryptography solves one of the oldest problems in secure communications by allowing anyone to publish a public encryption key while keeping the corresponding private key secret.

However, this creates another important question: How do we know that a public key really belongs to the person or organization claiming to own it?

Suppose you connect to your bank's website. The website presents a public key so that you can establish an encrypted connection. How can your browser be certain that the key genuinely belongs to the bank and not to an attacker attempting to impersonate it?

Simply publishing a public key is not sufficient. There must also be a trusted method of verifying the owner's identity. This is the role of Public-Key Infrastructure (PKI).

PKI is the framework that enables strangers to trust one another over the Internet. It provides the mechanisms for issuing, distributing, validating, and revoking digital certificates, allowing secure communications between users and organizations that have never previously met.

Today, virtually every secure website, online banking session, virtual private network (VPN), secure email system, and software update depends upon a public-key infrastructure.

What Is Public-Key Infrastructure?

Public-Key Infrastructure (PKI) is a framework of hardware, software, policies, procedures, and trusted organizations that manages public-key cryptography.

Its primary purpose is to establish trust by linking a public key to the verified identity of its owner. So, PKI provides mechanisms for:

Without PKI, users would have no reliable way of determining whether a public key was genuine.

Why Is PKI Necessary?

Imagine receiving an email that claims to be from your bank.

The message contains a public key for encrypted communication. How can you determine whether:

Without some independent method of verification, there is no basis for trust.

PKI solves this problem by introducing trusted third parties that verify identities before issuing digital certificates.

What Is a Digital Certificate?

A digital certificate is an electronic document that binds a public key to the identity of its owner.

A certificate typically contains:

The certificate itself is digitally signed by a trusted Certificate Authority, allowing others to verify that it has not been altered.

What Is a Certificate Authority?

A Certificate Authority (CA) is a trusted organization responsible for issuing digital certificates.

Before issuing a certificate, the CA verifies the applicant's identity according to established procedures. Once satisfied, the CA digitally signs the certificate using its own private key. Anyone who trusts the CA can therefore trust certificates issued by that authority.

Examples include commercial certificate providers, government certification authorities, and internal enterprise CAs.

Why Do We Trust Certificate Authorities?

Trust in PKI depends upon trusted Certificate Authorities.

Operating systems and web browsers contain lists of root Certificate Authorities whose public keys are installed during software installation. When a certificate is presented, the software verifies the issuing authority's digital signature.

If the signature can be verified using one of the trusted root certificates already stored on the computer, the certificate is accepted.

This process establishes a chain of trust.

What Is a Root Certificate?

A root certificate belongs to a root Certificate Authority. Because there is no higher authority to certify it, a root certificate is self-signed.

Its public key is distributed in advance through operating systems, browsers, and other trusted software.

Root certificates form the foundation upon which the entire public-key infrastructure is built.

What Is a Certificate Chain?

Most certificates are not signed directly by a root Certificate Authority.

Instead, an intermediate CA issues certificates on behalf of the root authority. This creates a certificate chain. For example:

When a browser receives a website certificate, it verifies each certificate in the chain until it reaches a trusted root certificate.

If every signature verifies successfully, the chain is considered valid.

What Happens When You Visit a Secure Website?

When a user visits an HTTPS website, several cryptographic operations occur automatically.

The website sends its digital certificate to the browser. The browser then:

Only after these checks succeed does the familiar padlock icon appear.

The entire process normally takes only a fraction of a second.

What Information Does a Certificate Contain?

Although certificate formats vary, they generally include:

Together, this information allows software to verify both identity and authenticity.

What Is Certificate Expiration?

Certificates are valid only for a limited period.

Typical validity periods range from several months to a few years. When the expiration date is reached:

Limiting certificate lifetimes reduces the consequences of compromised keys and encourages regular updates to cryptographic algorithms.

What Happens If a Private Key Is Compromised?

If a private key is stolen, the corresponding certificate can no longer be trusted.

The Certificate Authority therefore revokes the certificate. Software checking the certificate can determine that it has been revoked and reject it.

Rapid revocation helps limit the damage caused by compromised credentials.

What Is Certificate Revocation?

Certificate revocation is the process of invalidating a certificate before its normal expiration date.

Common reasons include:

Revocation allows compromised certificates to be withdrawn quickly from service.

How Are Revoked Certificates Checked?

Two common mechanisms are used.

What Is Mutual Authentication?

Many secure systems authenticate only the server. For example, when visiting a banking website, the browser verifies the bank's identity. Some applications require mutual authentication. In this case:

Mutual authentication is widely used in:

What Is an Internal PKI?

Large organizations often operate their own internal Certificate Authorities.

Internal PKIs issue certificates for:

This allows organizations to manage trust without relying exclusively on commercial Certificate Authorities.

Where Is PKI Used?

Public-Key Infrastructure underpins many modern technologies.

Examples include:

Most Internet users rely on PKI every day without realizing it.

What Are the Limitations of PKI?

Although PKI has proven remarkably successful, it is not without challenges.

These include:

Because trust is concentrated in Certificate Authorities, their security is critically important.

Will PKI Change in the Future?

The emergence of quantum computing is expected to affect many current public-key algorithms.

As post-quantum cryptographic algorithms are standardized, Certificate Authorities and PKI systems will gradually transition to new forms of digital certificates and digital signatures.

Although the underlying cryptographic algorithms may change, the fundamental concept of a trusted infrastructure linking identities to public keys is expected to remain.

Why Is Public-Key Infrastructure Important?

Public-Key Infrastructure provides the trust framework upon which modern secure communications depend. It allows users to verify identities, authenticate public keys, and establish encrypted communication with organizations they have never previously encountered.

Without PKI, secure web browsing, electronic commerce, software distribution, virtual private networks, and countless other Internet services would not be practical.

Summary

Public-Key Infrastructure (PKI) is the framework that establishes trust in public-key cryptography by linking verified identities to public keys through digital certificates. Certificate Authorities issue and sign these certificates, while browsers and operating systems validate certificate chains before establishing secure communications.

PKI enables secure websites, Internet banking, VPNs, secure email, software updates, and many other digital services. By providing trusted authentication and certificate management, it forms one of the essential foundations of modern Internet security.

Back to reading

Return to Chapter 5 FAQ 5.11.7