Table of Contents

What is PKI (Public Key Infrastructure) in Cyber Security?

Reviewed & Written by:

|

Published:

|

Updated:

January 11, 2025
Table of Contents

PKI stands for Public Key Infrastructure. It is the foundation of modern information security. PKI is a set of practices, policies, and technologies that protect sensitive data from unauthorised access or use. If you’re not using it yet, there are many reasons why you should be. This article explains PKI in simple terms covering PKI infrastructure, the purpose of PKI, 

You can’t afford to risk your company’s reputation by letting cybercriminals steal customer information or trade secrets. With PKI in place, you’ll have peace of mind knowing that your business is doing well after positive results from security assessments,  protected against cyberattacks and other threats to sensitive data.

What is PKI?

PKI is a computer security system that provides public keys and digital certificates to organisations to encrypt public data. The most common use of PKI is to securely exchange sensitive information via the Internet and other public networks, such as federal government agencies. Compliance and regulatory requirements ask for relevant technical and organisational measures to be in place for data protection. Article 32 of the UK GDPR includes encryption as an example of technical measures that should be used, depending upon the risks of processing activities. 

pki what is pki

Public Key Infrastructure (PKI) secures data by encrypting it with large numbers of keys generated from challenging mathematical problems. Each individual’s key is different and allows only them access to their digital files.

Fundamentals of PKI

Cryptographic Security

At the heart of PKI is cryptography – the art of secure communication in the presence of adversaries. Cryptography uses mathematical algorithms to encrypt and decrypt data, making it unreadable to anyone without the correct key.  

Asymmetric Encryption

PKI relies on asymmetric encryption (also known as public-key cryptography), which uses a pair of public and private keys. These keys are mathematically linked, but it’s computationally infeasible to derive the private key from the public key.  

Think of your public key as your publicly listed phone number – anyone can look it up and use it to contact you. Your private key, on the other hand, is like your personal diary – you keep it secret and never share it with anyone.

pki public key infrastructure pki 1

Digital Signatures

Digital signatures use asymmetric encryption to authenticate and non-repudiate (proof that someone sent a message). When you digitally sign a document, you use your private key to create a unique signature. Anyone with your public key can verify that the signature is authentic and that the document hasn’t been tampered with.  

Mathematics Behind PKI

The magic of PKI lies in complex mathematical algorithms, such as RSA (Rivest–Shamir–Adleman). These algorithms ensure that it’s virtually impossible to crack the encryption without the private key.  

pki components

   

Core Components of PKI Certificate

A PKI isn’t just about keys; it’s a whole infrastructure. Here are the key components: 

Certificate Authorities (CAs)

CAs are trusted third parties that issue digital certificates. Think of them as the digital passport offices. They verify the identity of individuals or organisations and issue certificates that bind their identity to their public key. 

Registration Authorities (RAs)

RAs assist CAs in verifying the identity of certificate applicants. They act as intermediaries, handling the initial vetting process before passing the information to the CA. 

Validation Authorities (VAs)

VAs provide online certificate status checking, allowing users to verify if a certificate is still valid and hasn’t been revoked. This prevents the use of compromised certificates.  

Digital Certificates

Digital certificates are the core of PKI. They’re electronic documents that bind a public key to an identity. They contain information such as the certificate holder’s name, the public key, the CA that issued the certificate, and the certificate’s validity period.   

Key Storage

Securely storing private keys is paramount. If a private key is compromised, the entire system’s security is at risk.

Hardware Security Modules (HSM)

HSMs are dedicated hardware devices designed to securely store and manage cryptographic keys. They provide a high level of protection against theft and tampering.   

End Entities

End entities are the individuals, organisations, or devices that use certificates. They are the ultimate beneficiaries of the PKI system.   

In essence, PKI provides a framework for establishing trust in the digital world. Using digital certificates and a trusted hierarchy of CAs, PKI enables secure communication, authentication, and non-repudiation, which are essential for secure online transactions and interactions.

 

What is the purpose of PKI?

PKI is used for encryption and digital signatures, ensuring that the information you send stays protected from attackers. PKI can be used to ensure your identity on the web. It’s used in every instance of data encryption when using the Internet. This form of cryptography secures electronic communication with applications like email and VPNs (Virtual Private Networks), ensuring that your information is safe while browsing the web.

Who uses PKI?

PKI is used in various security systems, from identity authentication to secure shipping on the WWW (World Wide Web). It’s commonly used by governments, education systems, banks, e-commerce merchants, and others who handle sensitive data.

PKIs are used in several scenarios, most notably to encrypt information sent via email and other forms of digital communication. Online merchants also use this type of encryption to ensure the safety of credit card transactions over the web, protecting the individual’s financial data from intruders. Government agencies may also use PKI to encrypt data, such as tax returns.

pki benefits

Public Key Infrastructure (PKI) for dummies – How it works?

Public Key Infrastructure (PKI) secures data by encrypting it with large numbers of keys generated from challenging mathematical problems. Each individual’s key is different and allows only them access to their digital files. The cryptographic system used with PKI (public-key cryptography) protects data in motion by ensuring it is digitally signed before being transmitted over networks such as the Internet and other public communications systems.

PKI consists of a set of public and private cryptographic keys. The public key can be shared without security concerns, while the private key is typically secret. Certificates are created and stored on a third party, usually called a certificate authority (CA), set up to provide this service. These certificates are then used by the individuals who need them to encrypt documents, authenticate electronic messages, and digitally sign contracts. There are many ways (internal, from a CA, etc.) to create these keys and certificates, each with benefits and disadvantages.

PKI is hierarchical, with each organisation having its sub-CA certificate that other CAs have signed. This hierarchy allows for proper verification since each entity in the chain who signs must verify the information presented about an individual requesting these.

How PKI works

Pros of PKI Certificates

PKI brings a whole host of advantages to the digital table, making it a cornerstone of modern online security:

  • Authentication: PKI provides rock-solid authentication, verifying the identity of people, organisations, and devices. This gives you confidence that you’re dealing with the right entity online.
  • Integrity: Digital signatures ensure that your data hasn’t been fiddled with during its journey across the internet. If even a single character is altered, the signature becomes invalid, acting as a red flag for tampering.
  • Non-Repudiation: PKI offers non-repudiation, meaning a sender can’t deny sending a message or signing a document. This is crucial for legal agreements, contracts, and anything where proof of origin matters.
  • Confidentiality: Through encryption, PKI keeps your data private during transmission. Only the intended recipient with the corresponding private key can unlock and read the message.
  • Scalability: PKI can handle large numbers of users and devices, making it suitable for everything from small businesses to sprawling multinational corporations.
  • Trust: The hierarchical structure of Certificate Authorities (CAs) builds a chain of trust, allowing users to have faith in certificates issued by reputable CAs.

Cons of PKI Certificates

While PKI has plenty going for it, it’s worth being aware of its potential drawbacks:

  • Complexity: Setting up and managing a PKI can be a bit of a technical undertaking, requiring specialist know-how and infrastructure.
  • Cost: Implementing and running a PKI, particularly for larger organisations, can involve significant costs.
  • Certificate Revocation: Dealing with compromised certificates can be tricky. If a certificate is compromised, it needs to be revoked quickly to prevent misuse. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are used for this, but they aren’t without their own limitations.
  • Single Point of Failure: If a root CA is compromised, the trust in the entire PKI system is undermined. This highlights the importance of choosing trustworthy and well-established CAs.
  • Key Management: Keeping private keys secure is absolutely vital. If a private key is lost or falls into the wrong hands, it can have serious repercussions.

Common Use Cases of PKI

PKI is used in a wide range of applications, securing many aspects of our digital lives:

  • HTTPS (Secure Hypertext Transfer Protocol): This is probably the most common place you encounter PKI. HTTPS uses SSL/TLS certificates to encrypt communication between your web browser and websites, ensuring secure online shopping and banking and protecting sensitive information like passwords and card details. The padlock icon in your browser tells you PKI is at work.
  • Secure Email Communication: PKI can encrypt and digitally sign emails, ensuring confidentiality and confirming the sender’s identity. This stops prying eyes from reading your messages and verifies they came from who they say they did. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely used standard.
  • Digital Document Signing: PKI enables digital signatures, providing a secure and legally sound way to sign electronic documents. This replaces traditional ink signatures with a more robust and verifiable method, often used for contracts, legal paperwork, and other important documents.
  • Mobile Signatures: Similar to digital document signing, PKI allows for secure mobile signatures on smartphones and tablets, enabling secure authentication and document signing on the go.
  • Code Signing: Software developers use PKI to digitally sign their code, verifying its origin and ensuring it hasn’t been tampered with. This protects users from downloading dodgy software.
  • VPNs (Virtual Private Networks): PKI is used to authenticate users and devices connecting to VPNs, creating secure connections across public networks like the Internet. This is essential for securing remote access to company networks and protecting data using public Wi-Fi hotspots.
  • IoT (Internet of Things) Device Authentication: With the explosion of connected devices, PKI is crucial for authenticating and securing communication between them. This is vital for the security and integrity of IoT systems.
  • User Authentication to Applications: PKI can be used for strong user authentication to web apps and other online services, providing a more secure alternative to simple username/password logins.

X.509 Public Key Infrastructure

X.509 standard is a digital certificate standard that describes the structure of certificates, certificate revocation lists, and certificate format for the certificate documents. It was developed by the International Telecommunication Union (ITU-T) and is based on earlier standards such as X.509 v3 and ISO 9594-8.

Purpose of X.509

The primary purpose of this standard is to define a system for representing and communicating information about the digital identities of people or other entities in electronic form over public networks like the Internet.

These certificates use cryptography methods to ensure that only users having legal possession can decrypt the data encrypted with their public key; this helps ensure privacy (data integrity). Encrypted data can be decrypted only by using its associated private key.

People use X.509 certificates for different things. The following are some reasons: encrypting documents, authenticating electronic messages and digitally signing contracts.

There are many ways (internal, from a CA, etc.) to create these keys and certificates, each with benefits and disadvantages.

Each organisation has its sub-CA certificate that other CAs have signed. This hierarchy allows for proper verification since each entity in the chain who signs must verify the information presented about an individual requesting these.

Security threats associated with X.509

Security vulnerabilities associated with digital certificates include Cookies that store keys on users’ hard drives; Key escrow – where a copy of your private key exists outside your organisation, creating risk if it gets lost or stolen; Private key exposure – where someone gains access to your private key without authorisation; and Spoofing – where a threat actor creates a fake certificate that a legitimate CA signs.

When are digital certificates used for?

There are several ways in which a digital certificate can be employed: For encryption of regular data files to ensure security when transmitting information over networks or storing it on hard drives; Digital signatures of electronic documents based on public key infrastructure (PKI) to ensure they have not been altered or forged; They can also provide authentication that the sender of an e-mail is who he claims to be ( i.e., that you are sending e-mails from your bank’s website and not from someone else attempting to spoof the domain).

To be a trusted party, it is good practice for businesses to use certificate authorities to validate digital certificates for signing their e-mails. Without this verification process, anyone could easily create an e-mail that appears to have been sent by your business and spoof the sender’s identity. Finally, they can enable electronic signatures such as those required on contracts when transactions adhere to legal standards.

What are Certificate Revocation List?

Certificate revocation list (CRL) is usually delivered digitally, though they can also be published in printed catalogues. CRLs list all certificates revoked for various reasons, including when an individual no longer works for a company or the private key was compromised. It can also indicate that the public key within a certificate is inadequate to protect information over an Internet connection and must be exchanged with another set of keys.

Certificate revocation lists (CRLs) list all certificates revoked for various reasons, such as when an individual no longer works at a company or when someone’s private key was compromised. It can also indicate that the public key within a TLS or SSL certificate is inadequate to protect information over an Internet connection and must be exchanged with another set of keys.

A certificate database maintains such requests and information. All the certificate requests, issue requests, revoked certificates and related information is stored in a certificate database.

For organisations looking for flexible and cost-effective PKI solutions, open-source implementations offer a compelling alternative to commercial offerings. These tools provide a foundation for building a PKI without the upfront licensing fees, although you’ll still need to factor in the costs of implementation, maintenance, and skilled personnel. Let’s have a look at a few key players:

  • OpenSSL is arguably the most widely used open-source cryptography library and toolkit. While not a complete PKI solution, OpenSSL provides the building blocks for creating CAs, generating certificates, and managing keys. It’s incredibly versatile but requires a good understanding of cryptography and PKI concepts to use effectively. Think of it as the engine – powerful but needing a skilled driver.
  • EJBCA (Enterprise Java Beans Certificate Authority): EJBCA is a fully featured, open-source CA software built on Java EE. It offers comprehensive features, including certificate issuance, revocation, and management. It’s designed for enterprise-level deployments and supports many protocols and standards. It’s a robust option, but its complexity makes it better suited to larger organisations with dedicated PKI teams.
  • XCA (X Certificate and Key Management): XCA is a user-friendly tool for managing certificates and keys. It provides a graphical interface for creating CAs, generating certificates, and managing private keys. While not a full CA solution in the same vein as EJBCA, it’s a handy tool for smaller deployments or managing certificates generated by other CAs, like OpenSSL. It’s a bit like a well-organised toolbox, useful for everyday PKI tasks.

It’s important to remember that while these are open-source, they still require careful planning, implementation, and ongoing maintenance. You’ll need skilled staff to manage the PKI, ensure its security, and handle any issues. Don’t fall into the trap of thinking “free” means “easy.” Proper setup and operation are vital for a secure and reliable PKI.

principles of information security

 

Conclusion

PKI is a fundamental technology underpinning trust and security in the digital world. PKI is crucial in protecting our online interactions from securing websites to enabling digital signatures and authenticating devices. While implementing and managing a PKI can present challenges, its authentication, integrity, confidentiality, and non-repudiation benefits make it an indispensable tool for organisations and individuals. Understanding the core components, pros, cons, and common use cases of PKI is essential for anyone navigating the complexities of modern cybersecurity. Choosing the right PKI solution and implementing effectively helps you to build a strong foundation for secure and trusted digital communication.

 Get in touch to discuss your security concerns around encryption, applications, APIs or infrastructure. Our security experts will help you combat the security challenges in the digital world.

FAQs

Here are some frequently asked questions about PKI:

Are digital certificates secure?

Yes, digital certificates are secure when issued by trusted Certificate Authorities (CAs) and used correctly, relying on robust cryptographic algorithms.

Is PKI the same as SSL?

No, PKI is the underlying infrastructure that supports SSL/TLS (now the standard), providing the framework for issuing and managing the digital certificates that SSL/TLS uses for secure communication.

Is PKI part of cyber security?

Absolutely, PKI is a crucial component of cybersecurity, providing authentication, integrity, and confidentiality, which are fundamental security principles.

What is the role of PKI in Windows?

Windows uses PKI for various functions, including user authentication, secure email (using S/MIME), code signing, and securing network communication.

Is PKI outdated?

No, PKI is not outdated. While there are evolving technologies, PKI remains a cornerstone of digital trust and is continually being adapted to new use cases like IoT and blockchain.

Is PKI public or private?

PKI can be both. Public PKIs are managed by publicly trusted CAs, while private PKIs are operated within organisations for internal use.

Does PKI use a digital signature?

Yes, digital signatures are a core part of PKI, providing authentication and non-repudiation by using asymmetric cryptography.

Good Security Practices Start With the Right Foundations

Explore actionable insights that help businesses map their attack surface and address exploitable risks ranked by real business impact.

Trusted by 150+ UK orgs

Related Reads

Join 1000+ subscribers getting the best tips on cybersecurity, security management, and more!

You may opt-out at any time. Read our privacy policy.

Get in touch

No salesy newsletters. View our privacy policy.

How "Defensible" is your firm compared to UK peers?

Most SMBs and mid-market firms have “silent” gaps in their people, process and tech controls implementation. Take the 90-second maturity audit to see your percentile rank.