What Is Public Key Infrastructure (PKI) & How Does It Work?
PKI, or public key infrastructure, encompasses everything used to establish and manage public key encryption. This includes software, hardware, policies, and procedures that are used to create, distribute, manage, store, and revoke digital certificates.
A digital certificate cryptographically links a public key with the device or user who owns it. This helps to authenticate users and devices and ensure secure digital communications.
PKI is one of the most common forms of internet encryption, and it is used to secure and authenticate traffic between web browsers and web servers. It can also be used to secure access to connected devices and internal communications within an organization.
Public key infrastructure has a long history of securing and authenticating digital communications with two main goals: to ensure the privacy of the message being sent and to verify that the sender is who they claim to be.
What is public key infrastructure (PKI)?
Public key infrastructure is an important aspect of internet security. It is the set of technology and processes that make up a framework of encryption to protect and authenticate digital communications.
PKI uses cryptographic public keys that are connected to a digital certificate, which authenticates the device or user sending the digital communication. Digital certificates are issued by a trusted source, a certificate authority (CA), and act as a type of digital passport to ensure that the sender is who they say they are.
Public key infrastructure protects and authenticates communications between servers and users, such as between your website (hosted on your web server) and your clients (the user trying to connect through their browser. It can also be used for secure communications within an organization to ensure that the messages are only visible to the sender and recipient, and they have not been tampered with in transit.
The main components of public key infrastructure include the following:
- Certificate authority (CA): The CA is a trusted entity that issues, stores, and signs the digital certificate. The CA signs the digital certificate with their own private key and then publishes the public key that can be accessed upon request.
- Registration authority (RA): The RA verifies the identity of the user or device requesting the digital certificate. This can be a third party, or the CA can also act as the RA.
- Certificate database: This database stores the digital certificate and its metadata, which includes how long the certificate is valid.
- Central directory: This is the secure location where the cryptographic keys are indexed and stored.
- Certificate management system: This is the system for managing the delivery of certificates as well as access to them.
- Certificate policy: This policy outlines the procedures of the PKI. It can be used by outsiders to determine the PKI’s trustworthiness.
Understanding how PKI works
Public key infrastructure uses asymmetric encryption methods to ensure that messages remain private and also to authenticate the device or user sending the transmission.
Asymmetric encryption involves the use of a public and private key. A cryptographic key is a long string of bits used to encrypt data.
The public key is available to anyone who requests it and is issued by a trusted certificate authority. This public key verifies and authenticates the sender of the encrypted message.
The second component of a cryptographic key pair used in public key infrastructure is the private, or secret, key. This key is kept private by the recipient of the encrypted message and used to decrypt the transmission.
Complex algorithms are used to encrypt and decrypt public/private key pairs. The public key authenticates the sender of the digital message, while the private key ensures that only the recipient can open and read it.
The core of a public key infrastructure is trust. It is important for a recipient entity to know without a doubt that the sender of the digital certificate is exactly who they claim to be.
Trusted third-party CAs can vouch for the sender and help to prove that they are indeed who they say they are. Digital certificates are used to verify digital identities.
Digital certificates are also called PKI certificates or X.509 certificates. A PKI certificate offers proof of identity to a requesting entity, which is verified by a third party and works like a digital passport or driver’s license.
The PKI certificate will contain the following:
- Distinguished name (DN) of the owner
- Owner’s public key
- Date of issuance
- Expiration date
- DN of the issuing CA
- Issuing CA’s digital signature
Why is PKI used?
One of the most common uses of PKI is the TLS/SSL (transport layer security/secure socket layer), which secures encrypted HTTP (hypertext transfer protocol) communications.
Website owners will obtain a digital certificate from a trusted CA. To be issued a CA, the owner of the website will have to prove that they are indeed the actual owner. Once verified, the website owner can purchase an SSL certificate to install on the web server. This tells the browser that it is the legitimate website the browser is trying to access.
The TLS/SSL protocol relies on a chain of trust, where the user has to trust the root-certificate granting authority. An alternative scheme is the web of trust, which uses self-signed certificates that are validated by a third party. Web of trust is often used in smaller communities of users, such as within an organization’s self-contained network.
Additional uses for PKI include the following:
- Email encryption and authentication of the sender
- Signing documents and software
- Using database servers to secure internal communications
- Securing web communications, such as e-commerce
- Authentication and encryption of documents
- Securing local networks and smart card authentication
- Encrypting and decrypting files
- Restricted access to VPNs and enterprise intranets
- Secure communication between mutually trusted devices such as IoT (internet of things) devices
Types of open-source PKI
Open-source public key infrastructure is publicly available. Examples of open-source PKI include the following:
- EJBCA Enterprise: Developed in Java as an enterprise-grade and fully featured CA implementation, it can set up CA as a service or for internal use.
- OpenSSL: A commercial-grade, full-featured toolkit, it is included in all major Linux distributions and developed in C. It can PKI-enable applications and be used to build a simple CA.
- CFSSL: This is Cloudflare’s PKI/SSL toolkit for signing, verifying, and bundling TLS certificates and building custom TLS PKI tools
- XiPKI: A high-performance and highly scalable CA and OCSP responder, this is implemented in Java with SHA-3 support.
- Dogtag Certificate System: This is an enterprise-class, full-featured CA supporting all aspects of certificate lifecycle management.
Major browsers and operating systems, such as Apple and Microsoft, publish trust stores that provide a list of trusted root certificates. A trusted root certificate is necessary to instill trust in the provided digital certificate and coinciding CA. A trusted CA is a vital aspect of a public key infrastructure.
PKI uses asymmetric cryptography to encrypt and decrypt digital messages. For more information on asymmetric encryption and the use of public and private cryptographic keys, Okta can answer your questions. Contact us today.
Why Public Key Infrastructure Is a Good Idea. (March 2001). Computer Weekly.
EJBCA Enterprise. (2022). PrimeKey AB.
OpenSSL. (2021). The OpenSSL Project Authors.
Cloudflare/CFSSL. (2022). GitHub, Inc.
Xipki/xipki. (2022). GitHub, Inc.
PKI Main Page. Dogtag PKI.
Available Trusted Root Certificates for Apple Operating Systems. (2022). Apple, Inc.
List of Participants – Microsoft Trusted Root Program. (December 2021). Microsoft Build.
Asymmetric Encryption: Definition, Architecture, Usage. (2022). Okta.
Public vs. Private: Unlocking the Full Potential of Public Key Infrastructure. (December 2021). Forbes.