PKI (public key infrastructure)

Contributor(s): Michael Cobb, Jim Brayton, Andrea Finneman, Nathan Turajski and Scott Wiltsey

A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.

Without PKI, sensitive information can still be encrypted (ensuring confidentiality) and exchanged, but there would be no assurance of the identity (authentication) of the other party. Any form of sensitive data exchanged over the Internet is reliant on PKI for security.

Elements of PKI

A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate.

A typical PKI includes the following key elements:

  • A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities
  • A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root
  • A certificate database, which stores certificate requests and issues and revokes certificates
  • A certificate store, which resides on a local computer as a place to store issued certificates and private keys

A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a self-signed CA certificate. CAs use this trusted root certificate to create a "chain of trust" -- many root certificates are embedded in Web browsers so they have built-in trust of those CAs. Web servers, email clients, smartphones and many other types of hardware and software also support PKI and contain trusted root certificates from the major CAs.

Along with an entity’s or individual’s public key, digital certificates contain information about the algorithm used to create the signature, the person or entity identified, the digital signature of the CA that verified the subject data and issued the certificate, the purpose of the public key encryption, signature and certificate signing, as well as a date range during which the certificate can be considered valid.

Problems with PKI

PKI provides a chain of trust, so that identities on a network can be verified. However, like any chain, a PKI is only as strong as its weakest link. There are various standards that cover aspects of PKI -- such as the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC2527) -- but there is no predominant governing body enforcing these standards. Although a CA is often referred to as a “trusted third party,” shortcomings in the security procedures of various CAs in recent years has jeopardized trust in the entire PKI on which the Internet depends. If one CA is compromised, the security of the entire PKI is at risk. For example, in 2011, Web browser vendors were forced to blacklist all certificates issued by the Dutch CA DigiNotar after more than 500 fake certificates were discovered.

A Web of trust

An alternative approach to using a CA to authenticate public key information is a decentralized trust model called a "Web of trust," a concept used in PGP and other OpenPGP-compatible systems. Instead of relying solely on a hierarchy of certificate authorities, certificates are signed by other users to endorse the association of that public key with the person or entity listed in the certificate. One problem with this method is a user has to trust all those in the key chain to be honest, so it’s often best suited to small user communities. For example, an enterprise could use a Web of trust for authenticating the identity of its internal, intranet and extranet users and devices. It could also act as its own CA, using software such as Microsoft Certificate Services to issue and revoke digital certificates.

This was last updated in November 2014

Next Steps

Learn how using the latest email encryption software can help organizations avoid the costs of setting up and maintaining a PKI.

Read about the business benefits deploying email encryption technology that does not rely on PKI and find advice on selecting the best encryption software for your organization.

Continue Reading About PKI (public key infrastructure)

Dig Deeper on PKI and digital certificates

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Nice Article! Well explained :)
Provide the infrastructure that enables entities to establish trust relationships between each other based on their mutual trust of the Certificate Authority you can create and manage your own internal PKI structure in the organization. This would enable you to create, manage, and audit digital certificates in your environment. Tools are available for creating and managing digital certificates in Active Directory
Have recent failings in some certificate authorities’ security measures irreparably damaged trust in the PKI model? Is a PKI alternative needed?
PKI is the best we have at the moment. WOT won't work on a large scale. I'm not saying we shouldn't explore alternatives -- that is always desirable -- however, I don't believe that PKI has been unduly tarnished by the few incidents. You don't throw away the whole bushel of apples just because a few of them have worms; in similar fashion you can't withdraw all trust in PKI simply because a few CAs were compromised. So, no, PKI hasn't been irreparably damaged, and, no, an alternative isn't needed at this time, but should be explored.

Read Security Corner for practical security advice and news.
Costly difficult to use why not get a certificate from the LDAP or make a single call to a server that asks for a symmetric Key
It's critical to ensure security of LDAP.
Good content. I trust this website so much.


File Extensions and File Formats