Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a framework of policies, procedures, hardware, software, and roles that manage the creation, distribution, storage, and revocation of digital certificates and public keys.
PKI provides the foundation of trust for secure communications on the internet. At its core, PKI enables entities to prove their identity to one another through digital certificates, which bind a public key to the identity of its owner. These certificates are issued and vouched for by trusted third parties known as Certificate Authorities (CAs).
A typical PKI hierarchy includes a root CA at the top, one or more intermediate CAs, and end-entity certificates issued to servers, users, or devices. The root CA's certificate is self-signed and is implicitly trusted by operating systems and browsers. Intermediate CAs allow the root CA to remain offline for security while still issuing certificates through a chain of trust.
PKI also encompasses mechanisms for revoking certificates that have been compromised or are no longer valid, using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). Proper PKI management is essential for preventing man-in-the-middle attacks, ensuring data integrity, and maintaining authentication across web applications, email systems, VPNs, and code signing. Organizations must maintain strict controls over their private keys and regularly rotate and audit their certificates to prevent unauthorized access.