PKI is a complex infrastructure for managing digital certificates and it would all fall apart without trusted certificate authorities.

You may have heard the acronym “PKI,” but chances are you’re not especially sure what it means. You’re not alone. PKI stands for ‘Public Key Infrastructure.’ While the concept of a Public Key Infrastructure is commonly discussed in the IT world, it’s not always well understood.

Understanding public key infrastructure (PKI) / PKI Certificate

As the name suggests, a Public Key Infrastructure is an infrastructure that uses digital certificates as an authentication mechanism and is designed to manage those certificates and their associated keys.

Public Key Encryption is also known as asymmetric encryption, and it’s very popular because it is more secure than secret key (also known as symmetric) encryption. In Public Key Encryption, two related keys, one public and one private, work together: one is used for encryption and the other for decryption. In this model, the public key – as the name would suggest – is publicly available to anyone who wants to begin encrypted communication with the holder of the private key. The private key is never shared.

The problem that PKI solves stems from the difficulty of verifying that a public key is actually owned by the person or entity that claims it. Hence the use of digital certificates and PKI. In this scenario, a trusted third-party certificate authority validates the identity of the person or organization it is issuing the key pair to. From there, via the accompanying digital certificate that is issued, anyone can verify the identity of the key-holder.

A digital certificate / PKI Certificate contains information about the key-holder, the public key, an expiration date and the signature of the Certificate Authority that issued it. Unfortunately, managing digital CA certificates can be a challenge, so Public Key Infrastructure was created to provide a framework for the issuance, renewal, and revocation of these digital certificates.

Components of PKI Certificate

Public Key Infrastructures are not universal – it’s not as if there’s a single PKI that governs all digital certificates. Rather, a PKI can be built for a single organization and implemented only on that organization’s network or it can be a much larger commercial PKI that governs certificates issued to internet users.

Regardless, all PKIs feature the following four components:

  • A Certification Authority to issue certificates – A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because, while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own which keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.
  • Policies that govern the PKI – Bear in mind that PKI is largely about governance and management of digital CA certificates. In order to achieve both, a set of rules or guidelines must be in place to ensure things go smoothly. For smaller PKIs, these guidelines are often determined in-house by an IT admin or someone knowledgeable. For larger commercial PKIs, they’re determined by a collective of browsers and certificate authorities called the CA/B Forum.
  • The Digital Certificates themselves – It’s kind of tough to manage a group of digital certificates that don’t exist. In order for a PKI to work properly, it needs to have digital certificates; otherwise, what’s the point?
  • Apps that are written to use the PKI – This last one may seem abstract, but it’s really not. This just means any application that is PKI-aware and uses the PKI to facilitate an encrypted connection. For some of the larger commercial PKIs, this would mean web browsers, email clients, etc.

PKI Components

What are Certificate Authorities? Why are Certificate Authorities a Vital Part of PKI Certificate?

As we’ve already established, a PKI is a complex system for governing and managing digital certificates. It helps to facilitate encryption while also verifying the owners of the public keys themselves.

This last portion is why the Certificate Authorities are so important. If you remove the CAs from PKI you essentially have a large, unverified group of digital CA certificates, many of which are likely viable but some of which could also be used maliciously, given that there’s no way to verify ownership of them. For a layman, this means that someone could misrepresent ownership of a given key and then steal encrypted data—or manipulate it.

We can’t have that. So, as a result, the Certificate Authorities are in place to help with authentication. Authentication simply means proving ownership of a given certificate and, by extension, of that certificate’s key. The CAs are trusted for a reason: they have invested heavily in their own infrastructure and have robust operations in place that are capable of verifying identities and issuing digital certificates properly. They follow guidelines handed down by the browser community and maintain best practices aimed at ensuring optimal web security.

Basically, they’re trusted for a reason. And because of that trust, we can also trust the certificates they issue, which makes management of those certificates via PKI that much easier.
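To make the point concrete, here is an added example (not code from the original post) using only Go’s standard library: a self-signed root CA issues a certificate for a web server, and verification succeeds only for certificates that chain back to that trusted root. The CA and host names (“Trusted Root CA”, “www.example.test”, “Rogue CA”) are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue generates a fresh key pair and a certificate for it. With parent == nil the result is a
// self-signed CA certificate (a trust anchor); otherwise it is signed by signerKey under parent.
func Issue(name string, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // holder, validity period; the public key and CA signature are added on signing
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: signs itself and is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signerKey = tmpl, key
	} else { // end-entity certificate: binds a DNS name to the new public key
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyLeaf does what a browser does: checks the signature chain to a trusted root, the validity
// period and the DNS name. A certificate signed by any other key is rejected, however genuine it looks.
func VerifyLeaf(leaf, trustedRoot *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```

A second, self-signed “Rogue CA” can mint a certificate with exactly the same subject and host name, but VerifyLeaf rejects it because the signature does not chain to the root the verifier trusts.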

How Does a Certificate Authority Work? The role of CA

Well, in order to be a trusted Certificate Authority you must first have made a multi-million dollar annual investment in the infrastructure it takes to be an active CA. So there’s already an upfront cost just for doing business. Beyond that, you have to follow guidelines set forth by the CA/B Forum that govern issuance and authentication practices.

Then you have to start actually issuing certificates. We won’t drill all the way down into roots and intermediates, etc. We’ll just touch on the process of actually authenticating and issuing a digital CA certificate. After the certificate is ordered, depending on the level of validation required, the CA goes to work verifying the identity of the applicant.

If it’s simply a Domain Validation or DV SSL certificate, the CA just checks ownership of the domain and then, once this is satisfied, issues the certificate. For Organization Validation (OV) and Extended Validation (EV) SSL, also known as business validation, the Certificate Authority will use business registration and credit reports to vet the organization applying. This can take between 3 and 5 days and is typically a fairly extensive process. Once it is complete, the certificate can then be issued and will contain critical details about the business itself.

All of this is essential, especially for a PKI, as it allows the true owner of the keys being managed to be verified and makes the entire endeavor safer and more reliable.

Certificate Authority in PKI

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
