What is public key infrastructure (PKI)?

This technology can help secure data using a number of components

Graphic representing security in either data protection or cyber security contexts

Public key infrastructure (PKI) is one of the building blocks of digital encryption and is a fundamental part of most security technologies. It's a system of various technologies and procedures designed to verify the identities and legitimacy of digital entities and domains, which in turn informs other security and verification systems.

First, some background: "Public key cryptography" is a cryptographic theory involving a paired set of two unique but mathematically-linked alphanumeric identifiers, known as a public key and a private key. Any data which has been encrypted with a public key can only be decrypted using the corresponding private key.

PKI is not the same as the secure data transfer method known as public key encryption, which uses the above theory. Public key encryption relies on PKI, but the term 'PKI' actually refers to the broader system which is responsible for verifying identities and handing out public and private keys in the first place.

How does PKI work?

In order to obtain a public and private key pair with which to conduct encrypted transactions, entities must verify that they are, in fact, who they claim to be. PKI is the system responsible for conducting that verification and issuing the keys.

Advertisement - Article continues below
Advertisement - Article continues below

This involves a number of different companies acting in various roles. At the start of this chain is the subject, who wants to obtain a key pair. In order to be issued with one, they must prove their identity by obtaining a digital certificate. To get a digital certificate, they must apply to a registration authority (RA). This entity then verifies the subject's identity based on the specific verification requirements of the PKI in question, as detailed in its certificate policy. This policy is made publicly available, and also includes details about how the PKI is constructed and the uses of specific certificates.

Once the RA is satisfied that the subject's identity is correct, it passes the request on to the certificate authority (CA), which is in charge of approving, issuing and storing digital certificates. CAs can include trusted third-party companies like Comodo, GoDaddy or DigiCert, as well as non-profit institutions like the Let's Encrypt consortium. Certificates issued by the CA are stored in a central directory and managed via a certificate management system, which controls things like access permissions and certificate distribution.

Once the CA approves the request from the RA, it signs and issues a digital certificate to prove that the subject is who they say they are, and issues a unique private and public key pair to go with it. This process can involve multiple layers of hardware and software to perform tasks like automatically cross-checking identity verification data, issuing key pairs and approving requests, which also forms part of the PKI itself.

Where is PKI used?

PKI use features in a large range of applications, but it is most frequently used to protect digital platforms and services. A common deployment is the protection of data transfers so that information being sent over a network can only be viewed by the intended recipient.

It's also used to send emails using OpenPGP (Open Pretty Good Privacy) and S / MIME (Secure / Multipurpose Internet Mail Extensions), user authentication using smart cards and the authentication of client systems using SSL (Secure Socket Layer) signatures or encryption.

You may also encounter a variant of PKI when accessing e-documents and online forms that require user signatures. While there are other ways to verify an e-document, PKI is by far the easiest to use as it's not necessary for the two parties to know each other.

The chain of trust

To enhance the security of PKI, a trusted relationship is needed called a chain of trust. This hierarchy describes the trust relationship between identities when using Subordinate (intermediate) CAs. The main advantage of this is that it enables the delegation of certificates by Subordinate CAs.

A chain of trust is created by validating each hardware and software component from one end right up to the root certificate. This is to ensure that only trusted software and hardware are used in the PKI.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020