Skip to main content

Public Key Infrastructure (PKI)

PKI is the framework of certificate authorities and digital certificates that binds public keys to verified identities to establish trust.

Public key infrastructure (PKI) is the framework of roles, policies, hardware, and software that manages digital certificates and public-key encryption. Its core job is to bind a public key to a verified identity so parties can trust each other without prior contact.

How It Works

A certificate authority (CA) issues digital certificates that vouch for the link between a public key and an identity, such as a domain name or person. A root CA anchors trust and signs intermediate CAs, which in turn sign end-entity certificates, forming a chain of trust. Clients trust a certificate if they can validate the chain up to a root they already trust.

PKI also covers the full certificate lifecycle: registration, issuance, renewal, and revocation. Revocation is handled through certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP). Certificates carry an expiry date and are increasingly short-lived and automated, as with ACME and Let's Encrypt.

Enterprises often run private PKI to issue internal certificates for services, devices, and mutual TLS.

Why It Matters

Without PKI, you could exchange public keys but not be sure who owned them, leaving you open to impersonation. PKI provides the trust layer that makes TLS, HTTPS, code signing, secure email, and mutual TLS practical at internet scale.

PKI is operationally demanding. Expired or misissued certificates cause major outages, and a compromised CA can undermine trust broadly. Automated certificate management and careful key protection are essential.

Related Terms

PKI builds on asymmetric encryption and enables encryption in transit and mutual TLS. It supports identity systems and integrates with secrets management for key protection.