Table of contents
- What is PKI: meaning and structure
- Purpose and function of PKI
- Key components of PKI
- Real-world examples and typical use cases
- Advantages of Public Key Infrastructure
- Disadvantages and limitations of PKI
- Alternatives to PKI
One of the foundational pillars is PKI, short for Public Key Infrastructure. It is a structured system that manages cryptographic keys and digital certificates, ensuring authenticity, confidentiality, integrity, and non-repudiation in digital communications.
This article thoroughly explores the meaning, operation, and real-world applications of PKI, weighing its benefits, limitations, and viable alternatives. The goal is to provide a comprehensive and updated guide for both security professionals and readers interested in data protection.
What is PKI: meaning and structure
Public Key Infrastructure (PKI) is a cryptographic architecture made up of roles, policies, hardware, software, and procedures used to securely create, manage, distribute, use, store, and revoke digital certificates and asymmetric cryptographic keys.
Asymmetric cryptography: the heart of PKI
At the core of PKI lies asymmetric encryption, which differs from symmetric encryption by using a key pair:
- A public key, which can be shared openly.
- A private key, which must remain secret and protected.
These keys are mathematically linked, so that what is encrypted with one can only be decrypted with the other. This mechanism enables digital signing and secure encryption.
Here’s a simple OpenSSL example for generating a 2048-bit RSA key pair:
# Generate a private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
# Extract the public key from the private key
openssl rsa -pubout -in private_key.pem -out public_key.pem
Digital certificates: verified identity
A public key alone does not prove who owns it. This is where digital certificates come in. A certificate is a structured file that binds a verified identity (person, server, organization) to a public key.
Each certificate includes:
- The subject name (common name or CN)
- The public key
- The issuing CA
- The CA’s digital signature
- The validity period
- The cryptographic algorithm (e.g., SHA256-RSA)
The Certification Authority (CA) acts as a trusted third party, verifying the identity of the entity and signing the certificate with its private key. Any system can then validate the certificate’s authenticity using the CA’s public key, which is embedded in operating systems and browsers.
Example to create a Certificate Signing Request (CSR) in OpenSSL:
openssl req -new -key private_key.pem -out request.csr
The CSR is sent to a CA, which checks the information and returns a signed certificate:
# Simulate certificate signing (internal CA)
openssl x509 -req -in request.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out certificate.pem -days 365 -sha256
Purpose and function of PKI
The main purpose of Public Key Infrastructure (PKI) is to enable secure communication over untrusted networks, such as the Internet. This is achieved through the combination of asymmetric cryptography, digital certificates, and certification authorities. PKI provides the foundation of a trust model essential for secure digital transactions.
Core PKI functions
Let’s explore the four essential functions of PKI with real-world examples.
1. Authentication
PKI verifies the identity of communication parties. When a server presents a digital certificate signed by a CA, the client checks that the server is legitimate.
Real-world example:
When accessing https://www.mybank.com, the browser ensures the SSL/TLS certificate is:
- issued by a trusted CA (e.g., DigiCert),
- valid for the correct domain,
- not expired.
# Check a site’s SSL certificate
openssl s_client -connect www.mybank.com:443
2. Confidentiality
PKI enables data encryption, ensuring that only the intended recipient (with the private key) can decrypt the message.
Real-world example:
With S/MIME, emails are encrypted with the recipient’s public key. Only the recipient’s private key can decrypt them.
3. Integrity
Ensures that data is not altered during transmission. This is achieved with digital signatures that verify content integrity.
Real-world example:
Digitally signing a .pdf produces a hashed fingerprint. If the document is modified, signature verification fails.
# Generate SHA256 hash of a document
sha256sum contract.pdf
4. Non-repudiation
Using a digital signature, the sender cannot deny having sent a message, because only their private key could have generated it.
Real-world example:
An e-invoice signed with a smart card is legally binding in many countries.
Critical PKI-based use cases
PKI is essential in multiple scenarios:
- HTTPS
Every secure website uses SSL/TLS certificates. - Digital signatures
For contracts, PDFs, and software. - Strong authentication
Smart cards and hardware tokens. - Certified email (PEC)
Combines signature and secure delivery. - Corporate VPNs and Wi-Fi
Client authentication via certificates.
Key components of PKI
A properly functioning Public Key Infrastructure depends on several essential components, each playing a specific role in the lifecycle of digital certificates and cryptographic key pairs.
Here’s a breakdown of the core PKI elements with technical use cases and command-line examples.
1. Certification Authority (CA)
The CA is the trusted entity that:
- issues digital certificates,
- signs them using its private key,
- revokes compromised certificates,
- publishes revocation information via CRLs.
There are public CAs (like Let’s Encrypt, GlobalSign) and private CAs often used within organizations.
Self-signed CA creation:
openssl genpkey -algorithm RSA -out ca_key.pem -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -key ca_key.pem -sha256 -days 3650 -out ca_cert.pem
2. Registration Authority (RA)
The RA acts as a gatekeeper between the end user and the CA, validating identity or domain ownership before a certificate is issued. In corporate PKIs, RA duties are often delegated to internal helpdesks or automated systems.
3. Repository
The repository stores:
- Issued certificates,
- CRLs (Certificate Revocation Lists),
- CA certificates and trust chains.
It can be served via HTTP, LDAP, or DNSSEC-enabled DNS.
Example: Downloading a CRL
wget http://ca.mydomain.com/crl/ca_revocation_list.crl
4. X.509 Digital Certificates
X.509 is the standard format for digital certificates, containing:
- Subject info (CN, organization…),
- Public key,
- Issuer CA,
- Validity period,
- Digital signature.
Inspecting a certificate:
openssl x509 -in certificato.pem -noout -text
Example of output:
Subject: CN=www.miodominio.it
Issuer: CN=My Root CA
Validity:
Not Before: Apr 20 12:00:00 2025 GMT
Not After : Apr 20 12:00:00 2026 GMT
5. Cryptographic key pairs
Every certificate includes a public/private key pair:
- The public key is shared and used for encryption or verifying signatures.
- The private key must remain secret and is used to decrypt or sign.
Compromise of the private key invalidates the certificate immediately.
Encrypting and decrypting:
openssl rsautl -encrypt -inkey public_key.pem -pubin -in message.txt -out encrypted.bin
openssl rsautl -decrypt -inkey private_key.pem -in encrypted.bin -out decrypted.txt

Real-world examples and typical use cases
PKI powers a vast number of daily and professional applications. These use cases ensure secure digital communications by enabling authentication, encryption, integrity, and non-repudiation.
Here are four key scenarios:
1. HTTPS and SSL/TLS certificates
What it is:
When you visit a website via HTTPS, the server presents a digital certificate (SSL/TLS). This certificate includes the server’s public key, signed by a trusted CA.
The browser checks that:
- the certificate is valid and signed by a recognized CA,
- the domain name matches,
- the certificate is not expired or revoked.
A TLS session is then established securely.
OpenSSL Example:
# Check SSL/TLS certificate
openssl s_client -connect www.example.com:443
This displays issuer, subject, validity dates, and other metadata.
2. Digital document signing
What it is:
In legal and administrative environments, digital signatures ensure:
- the document has not been altered,
- the signer’s identity is authentic,
- the document is legally valid.
Digital signatures use the signer’s private key and can be verified with their public key in the digital certificate.
Example with OpenSSL:
# Create a digital signature
openssl dgst -sha256 -sign private_key.pem -out signature.bin contract.pdf
# Verify the signature
openssl dgst -sha256 -verify public_key.pem -signature signature.bin contract.pdf
3. Secure VPN or corporate network access
What it is:
Enterprise VPNs often use PKI-based client certificates to authenticate users more securely than with passwords.
Each user receives:
- a client certificate,
- a private key,
- the CA certificate.
The VPN server authenticates the client based on the certificate chain.
Sample OpenVPN config:
client
cert client-cert.pem
key client-key.pem
ca ca-cert.pem
This setup enhances security by eliminating password-based login risks.
4. Secure email (S/MIME)
What it is:
S/MIME allows users to:
- digitally sign emails,
- encrypt email content for confidentiality.
It relies on personal certificates and is supported by most modern email clients.
How it works:
- The sender signs the email with their private key.
- The message is encrypted with the recipient’s public key.
- The recipient decrypts with their private key and verifies the sender’s signature with their public key.
S/MIME is widely used in finance, legal, and healthcare sectors for compliance.
Advantages of Public Key Infrastructure
1. Strong security
The combination of asymmetric encryption and identity verification by CAs makes PKI a highly secure system.
2. Scalability
A single CA can manage millions of certificates, making PKI suitable for large-scale deployments.
3. Automation and integration
Tools like ACME (used by Let’s Encrypt) allow full automation of certificate issuance and renewal.
4. Centralized trust
Trust is built on a system of root CAs embedded in operating systems and browsers, enabling broad and fast adoption.
Disadvantages and limitations of PKI
1. Centralized trust dependency
CAs are single points of failure. If compromised, the trust in all certificates they issued is broken. A notable case was DigiNotar in 2011, where a hacked Dutch CA issued fake certificates.
2. Management complexity
Operating an internal PKI requires expert knowledge, infrastructure, and continuous monitoring.
3. Revocation inefficiency
Revocation mechanisms like CRL and OCSP are not always real-time, potentially leaving windows of vulnerability.
Alternatives to PKI
Despite its widespread adoption, PKI alternatives are emerging for specific use cases:
1. Web of Trust (WoT)
Used historically in PGP, WoT relies on decentralized trust where users manually verify and sign each other’s keys. It’s ideal for small communities but not scalable.
2. Blockchain-based PKI
Systems like CertCoin or Blockchain ID use public blockchains to store certificate data, making unauthorized changes virtually impossible.
3. DANE (DNS-based Authentication of Named Entities)
This protocol uses DNSSEC to bind certificates to domain names. Technically promising, DANE remains underused in practice.
Questions and answers
- What is PKI in simple terms?
It’s a system that manages cryptographic keys and certificates to secure online communications. - What is a digital certificate used for?
It links a public key to a verified identity and enables secure communications. - What’s the difference between symmetric and asymmetric encryption?
Symmetric uses one key; asymmetric uses a pair of public and private keys. - Who issues digital certificates?
Certification Authorities (CAs), trusted entities preinstalled in browsers. - What happens if a CA is compromised?
All certificates issued by it may become untrustworthy and must be revoked. - How can I check a certificate?
Using tools like OpenSSL or through browser-integrated checks. - How long does a digital certificate last?
Usually between 1 to 3 years, depending on the CA policy. - Can I set up my own PKI?
Yes, many organizations run private PKIs for internal use. - What is a CRL?
A list of certificates revoked by a CA, published regularly. - What’s the future of PKI?
It’s expected to evolve toward quantum-safe and decentralized models.