Loading...

Tech Deep Dive

PKI Infrastructure explained

Scopri cos'è la PKI, a cosa serve, come funziona e perché è fondamentale per la cyber security moderna.

Public Key Infrastructure

Table of contents

  • What is PKI: meaning and structure
  • Purpose and function of PKI
  • Key components of PKI
  • Real-world examples and typical use cases
  • Advantages of Public Key Infrastructure
  • Disadvantages and limitations of PKI
  • Alternatives to PKI

One of the foundational pillars is PKI, short for Public Key Infrastructure. It is a structured system that manages cryptographic keys and digital certificates, ensuring authenticity, confidentiality, integrity, and non-repudiation in digital communications.

This article thoroughly explores the meaning, operation, and real-world applications of PKI, weighing its benefits, limitations, and viable alternatives. The goal is to provide a comprehensive and updated guide for both security professionals and readers interested in data protection.

What is PKI: meaning and structure

Public Key Infrastructure (PKI) is a cryptographic architecture made up of roles, policies, hardware, software, and procedures used to securely create, manage, distribute, use, store, and revoke digital certificates and asymmetric cryptographic keys.

Asymmetric cryptography: the heart of PKI

At the core of PKI lies asymmetric encryption, which differs from symmetric encryption by using a key pair:

  • A public key, which can be shared openly.
  • A private key, which must remain secret and protected.

These keys are mathematically linked, so that what is encrypted with one can only be decrypted with the other. This mechanism enables digital signing and secure encryption.

Here’s a simple OpenSSL example for generating a 2048-bit RSA key pair:

# Generate a private key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

# Extract the public key from the private key

openssl rsa -pubout -in private_key.pem -out public_key.pem

Digital certificates: verified identity

A public key alone does not prove who owns it. This is where digital certificates come in. A certificate is a structured file that binds a verified identity (person, server, organization) to a public key.

Each certificate includes:

  • The subject name (common name or CN)
  • The public key
  • The issuing CA
  • The CA’s digital signature
  • The validity period
  • The cryptographic algorithm (e.g., SHA256-RSA)

The Certification Authority (CA) acts as a trusted third party, verifying the identity of the entity and signing the certificate with its private key. Any system can then validate the certificate’s authenticity using the CA’s public key, which is embedded in operating systems and browsers.

Example to create a Certificate Signing Request (CSR) in OpenSSL:

openssl req -new -key private_key.pem -out request.csr

The CSR is sent to a CA, which checks the information and returns a signed certificate:

# Simulate certificate signing (internal CA)

openssl x509 -req -in request.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out certificate.pem -days 365 -sha256

Purpose and function of PKI

The main purpose of Public Key Infrastructure (PKI) is to enable secure communication over untrusted networks, such as the Internet. This is achieved through the combination of asymmetric cryptography, digital certificates, and certification authorities. PKI provides the foundation of a trust model essential for secure digital transactions.

Core PKI functions

Let’s explore the four essential functions of PKI with real-world examples.

1. Authentication

PKI verifies the identity of communication parties. When a server presents a digital certificate signed by a CA, the client checks that the server is legitimate.

Real-world example:

When accessing https://www.mybank.com, the browser ensures the SSL/TLS certificate is:

  • issued by a trusted CA (e.g., DigiCert),
  • valid for the correct domain,
  • not expired.

# Check a site’s SSL certificate

openssl s_client -connect www.mybank.com:443

2. Confidentiality

PKI enables data encryption, ensuring that only the intended recipient (with the private key) can decrypt the message.

Real-world example:

With S/MIME, emails are encrypted with the recipient’s public key. Only the recipient’s private key can decrypt them.

3. Integrity

Ensures that data is not altered during transmission. This is achieved with digital signatures that verify content integrity.

Real-world example:

Digitally signing a .pdf produces a hashed fingerprint. If the document is modified, signature verification fails.

# Generate SHA256 hash of a document

sha256sum contract.pdf

4. Non-repudiation

Using a digital signature, the sender cannot deny having sent a message, because only their private key could have generated it.

Real-world example:

An e-invoice signed with a smart card is legally binding in many countries.

Critical PKI-based use cases

PKI is essential in multiple scenarios:

  • HTTPS
    Every secure website uses SSL/TLS certificates.
  • Digital signatures
    For contracts, PDFs, and software.
  • Strong authentication
    Smart cards and hardware tokens.
  • Certified email (PEC)
    Combines signature and secure delivery.
  • Corporate VPNs and Wi-Fi
    Client authentication via certificates.

Key components of PKI

A properly functioning Public Key Infrastructure depends on several essential components, each playing a specific role in the lifecycle of digital certificates and cryptographic key pairs.

Here’s a breakdown of the core PKI elements with technical use cases and command-line examples.

1. Certification Authority (CA)

The CA is the trusted entity that:

  • issues digital certificates,
  • signs them using its private key,
  • revokes compromised certificates,
  • publishes revocation information via CRLs.

There are public CAs (like Let’s Encrypt, GlobalSign) and private CAs often used within organizations.

Self-signed CA creation:

openssl genpkey -algorithm RSA -out ca_key.pem -pkeyopt rsa_keygen_bits:4096

openssl req -x509 -new -key ca_key.pem -sha256 -days 3650 -out ca_cert.pem

2. Registration Authority (RA)

The RA acts as a gatekeeper between the end user and the CA, validating identity or domain ownership before a certificate is issued. In corporate PKIs, RA duties are often delegated to internal helpdesks or automated systems.

3. Repository

The repository stores:

  • Issued certificates,
  • CRLs (Certificate Revocation Lists),
  • CA certificates and trust chains.

It can be served via HTTP, LDAP, or DNSSEC-enabled DNS.

Example: Downloading a CRL

wget http://ca.mydomain.com/crl/ca_revocation_list.crl

4. X.509 Digital Certificates

X.509 is the standard format for digital certificates, containing:

  • Subject info (CN, organization…),
  • Public key,
  • Issuer CA,
  • Validity period,
  • Digital signature.

Inspecting a certificate:

openssl x509 -in certificato.pem -noout -text

Example of output:

Subject: CN=www.miodominio.it

Issuer: CN=My Root CA

Validity:

    Not Before: Apr 20 12:00:00 2025 GMT

    Not After : Apr 20 12:00:00 2026 GMT

5. Cryptographic key pairs

Every certificate includes a public/private key pair:

  • The public key is shared and used for encryption or verifying signatures.
  • The private key must remain secret and is used to decrypt or sign.

Compromise of the private key invalidates the certificate immediately.

Encrypting and decrypting:

openssl rsautl -encrypt -inkey public_key.pem -pubin -in message.txt -out encrypted.bin

openssl rsautl -decrypt -inkey private_key.pem -in encrypted.bin -out decrypted.txt
Typical use cases

Real-world examples and typical use cases

PKI powers a vast number of daily and professional applications. These use cases ensure secure digital communications by enabling authentication, encryption, integrity, and non-repudiation.

Here are four key scenarios:

1. HTTPS and SSL/TLS certificates

What it is:

When you visit a website via HTTPS, the server presents a digital certificate (SSL/TLS). This certificate includes the server’s public key, signed by a trusted CA.

The browser checks that:

  • the certificate is valid and signed by a recognized CA,
  • the domain name matches,
  • the certificate is not expired or revoked.

A TLS session is then established securely.

OpenSSL Example:

# Check SSL/TLS certificate

openssl s_client -connect www.example.com:443

This displays issuer, subject, validity dates, and other metadata.

2. Digital document signing

What it is:

In legal and administrative environments, digital signatures ensure:

  • the document has not been altered,
  • the signer’s identity is authentic,
  • the document is legally valid.

Digital signatures use the signer’s private key and can be verified with their public key in the digital certificate.

Example with OpenSSL:

# Create a digital signature

openssl dgst -sha256 -sign private_key.pem -out signature.bin contract.pdf

# Verify the signature

openssl dgst -sha256 -verify public_key.pem -signature signature.bin contract.pdf

3. Secure VPN or corporate network access

What it is:

Enterprise VPNs often use PKI-based client certificates to authenticate users more securely than with passwords.

Each user receives:

  • a client certificate,
  • a private key,
  • the CA certificate.

The VPN server authenticates the client based on the certificate chain.

Sample OpenVPN config:

client

cert client-cert.pem

key client-key.pem

ca ca-cert.pem

This setup enhances security by eliminating password-based login risks.

4. Secure email (S/MIME)

What it is:

S/MIME allows users to:

  • digitally sign emails,
  • encrypt email content for confidentiality.

It relies on personal certificates and is supported by most modern email clients.

How it works:

  • The sender signs the email with their private key.
  • The message is encrypted with the recipient’s public key.
  • The recipient decrypts with their private key and verifies the sender’s signature with their public key.

S/MIME is widely used in finance, legal, and healthcare sectors for compliance.

Advantages of Public Key Infrastructure

1. Strong security

The combination of asymmetric encryption and identity verification by CAs makes PKI a highly secure system.

2. Scalability

A single CA can manage millions of certificates, making PKI suitable for large-scale deployments.

3. Automation and integration

Tools like ACME (used by Let’s Encrypt) allow full automation of certificate issuance and renewal.

4. Centralized trust

Trust is built on a system of root CAs embedded in operating systems and browsers, enabling broad and fast adoption.

Disadvantages and limitations of PKI

1. Centralized trust dependency

CAs are single points of failure. If compromised, the trust in all certificates they issued is broken. A notable case was DigiNotar in 2011, where a hacked Dutch CA issued fake certificates.

2. Management complexity

Operating an internal PKI requires expert knowledge, infrastructure, and continuous monitoring.

3. Revocation inefficiency

Revocation mechanisms like CRL and OCSP are not always real-time, potentially leaving windows of vulnerability.

Alternatives to PKI

Despite its widespread adoption, PKI alternatives are emerging for specific use cases:

1. Web of Trust (WoT)

Used historically in PGP, WoT relies on decentralized trust where users manually verify and sign each other’s keys. It’s ideal for small communities but not scalable.

2. Blockchain-based PKI

Systems like CertCoin or Blockchain ID use public blockchains to store certificate data, making unauthorized changes virtually impossible.

3. DANE (DNS-based Authentication of Named Entities)

This protocol uses DNSSEC to bind certificates to domain names. Technically promising, DANE remains underused in practice.


Questions and answers

  1. What is PKI in simple terms?
    It’s a system that manages cryptographic keys and certificates to secure online communications.
  2. What is a digital certificate used for?
    It links a public key to a verified identity and enables secure communications.
  3. What’s the difference between symmetric and asymmetric encryption?
    Symmetric uses one key; asymmetric uses a pair of public and private keys.
  4. Who issues digital certificates?
    Certification Authorities (CAs), trusted entities preinstalled in browsers.
  5. What happens if a CA is compromised?
    All certificates issued by it may become untrustworthy and must be revoked.
  6. How can I check a certificate?
    Using tools like OpenSSL or through browser-integrated checks.
  7. How long does a digital certificate last?
    Usually between 1 to 3 years, depending on the CA policy.
  8. Can I set up my own PKI?
    Yes, many organizations run private PKIs for internal use.
  9. What is a CRL?
    A list of certificates revoked by a CA, published regularly.
  10. What’s the future of PKI?
    It’s expected to evolve toward quantum-safe and decentralized models.
To top