Public Key Infrastructure (PKI)

A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

A [Public Key Infrastructure](/en/terms/public-key-infrastructure) (PKI) is a comprehensive system that enables secure electronic communication by applying public-key [cryptography](/en/terms/public-key-cryptography) to bind identities to cryptographic keys and certificates. A PKI provides the processes, people, and technology required to issue, manage, and retire digital certificates, and to validate trust chains across organizational and technical boundaries.

Key components include:

Lifecycle and operations:
- Enrollment and issuance: Identity verification, key generation, certificate creation, and delivery of the certificate to the subject.
- Renewal and rekey: Periodic renewal and key rotation to mitigate key compromise risk.
- Revocation: Detecting that a certificate should no longer be trusted and publishing that status to relying parties (via CRLs or OCSP).
- Validation: Clients validate certificate chains against trusted roots and policy constraints.
- Archival and recovery: Key archival for recovery (where policy permits) and disaster recovery planning.

Common deployment models and edge cases:
- Hierarchical PKI: Root and intermediate CAs providing a scalable trust model; cross-certification enables interoperability across PKIs.
- Offline root CA with online intermediates to reduce exposure risk.
- IoT and device identity PKIs requiring lightweight profiles and scalable enrollment.
- Cross-certification and bridge CAs to support multi-PKI environments.
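As an added example (not part of this glossary entry), the Go program below uses the standard library's crypto/x509 to build a constructed three-tier hierarchy of the kind described above (an offline-style root, an issuing intermediate, a server leaf) and then performs the relying-party validation step from the lifecycle list: the trust store holds only the root, the intermediate is supplied as a TLS server would send it, and a leaf minted by a CA outside the trust store is rejected. All names, serial numbers and the host name are made-up demo values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; acceptable in a short demo, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a P-256 key and certifies it, signed by parentKey (nil parent = self-signed root).
func issue(cn string, isCA bool, serial int64, dns []string, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA { // only CAs may sign certificates and CRLs; the serverAuth EKU on a CA constrains its subordinates
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// BuildAndVerify builds the demo hierarchy, validates the leaf as a relying party would, then presents
// a leaf minted by a CA outside the trust store; returns the trusted chain length and the rogue leaf's error.
func BuildAndVerify() (int, error) {
	const host = "www.example.test"
	root, rootKey := issue("Demo Root CA", true, 1, nil, nil, nil)
	inter, interKey := issue("Demo Issuing CA", true, 2, nil, root, rootKey)
	leaf, _ := issue(host, false, 3, []string{host}, inter, interKey)
	rogueCA, rogueKey := issue("Untrusted CA", true, 4, nil, nil, nil)
	rogue, _ := issue(host, false, 5, []string{host}, rogueCA, rogueKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)        // the relying party trusts only the root
	opts.Intermediates.AddCert(inter) // supplied with the leaf, as a TLS server sends it
	chains := must(leaf.Verify(opts)) // checks signatures, validity windows, constraints, EKU, host name
	_, rogueErr := rogue.Verify(opts) // issuer is in neither pool: rejected as unknown authority
	return len(chains[0]), rogueErr
}
```

Running BuildAndVerify yields a chain of three certificates for the legitimate leaf and an "unknown authority" error for the rogue one, even though the rogue certificate's signature is itself valid.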

Important security controls:
- Private key protection: Use of HSMs or secure key devices to protect private keys; strong access controls; hardware-backed storage.
- Key management: Rotation, backup, and secure destruction at end-of-life.
- Revocation and status checking: CRLs and OCSP (including OCSP stapling) to publish the revocation of compromised certificates and to give relying parties timely status information.
- Certificate pinning and DANE: Techniques to reduce reliance on third-party trust in specific contexts.
- Audit and governance: CPS/CP policies, regular audits, and incident response planning.

Limitations and challenges:
- PKI complexity: Operational overhead, policy alignment, and cross-domain trust management.
- Revocation latency: Delays in revocation propagation and OCSP responders may affect real-time decisions.
- Scalability: Large CRLs and high certificate issuance rates require robust infrastructure.

Resulting capabilities:
- Authentication: Prove identity by verifying a subject's certificate and signature.
- Confidentiality and integrity: Encrypt data with the recipient's public key (confidentiality) or sign data with the sender's private key (integrity).
- Non-repudiation: Digital signatures provide evidence of origin and integrity.

In summary, PKI is the backbone of trusted digital interactions across web, email, code signing, and device identity, providing a structured approach to issuing, managing, and validating certificates within a legally governed framework.



🧒 Explain Like I'm 5

PKI is like a global passport office for the internet. If you want to prove you are a specific website, you get a passport (digital certificate) from the office (Certificate Authority). Everyone else knows to trust you because they trust the passport office.

🤓 Expert Deep Dive

PKI involves a hierarchy of CAs, starting from a 'Root CA' pre-installed in your browser. It manages Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) to handle keys that are no longer safe (e.g., stolen keys).
