Public Key Infrastructure (PKI) is kind of a big deal. It underpins widespread web encryption and the entire system of privacy and data protection across the Internet and many other public networks. In short, it’s what makes your SSL certificate work and helps keep your private information private on a daily basis. But what is it, exactly, and how does it work?
Read on to learn all about it.
PKI is a pretty all-encompassing term, but it refers to the systems of policies, procedures, hardware and software related to the use, distribution, management and revocation of digital certificates across the web.
With public key cryptography at its core, PKI is how we encrypt data, authenticate identities, and create digital signatures. It enables the creation of trusted electronic identities by binding public keys with the identities of entities, such as people and organizations.
To summarize, PKI isn’t just one thing, it’s a whole system of things that governs how everyone approaches encryption. It not only creates secure connections to keep sensitive data private, but also helps to authenticate who’s on the other side, so you know they are who they say they are, whether they be a person, service or a thing.
How PKI works
There are three key elements to PKI:
- Digital certificates
- Key pairs
- Certificate Authorities
As we said earlier, PKI binds public keys with identities of entities. It does this through the use of digital certificates. Before we talk about what digital certificates are, let’s hone in on key pairs.
Public key cryptography is based on the use of key pairs: a public key and a private key. A key is basically a string of numbers that is used to transform plaintext into ciphertext, which is basically unreadable text. A public key and a private key are generated at the same time and are mathematically linked. At their most basic, key pairs work as follows: a public key is used to encrypt a message sent to you, while a corresponding private key (which, unlike the public key, is always kept secret) is used to decrypt the message. This is also known as asymmetric cryptography.
So, every digital certificate is made up of a public key (which everyone can see) and a private key (which is, well, private). This is essentially your digital identity. Within PKI, most digital certificates are formatted in what is known as the X.509 standard. Digital certificates also include further information about the entity behind the certificate as well as the signature of the issuing CA.
Now to talk a little about CAs. While PKI is at the heart of digital security across the web, CAs are at the heart of PKI. Not only do they create and manage digital certificates, but they also verify the identity of those seeking a certificate. (You can read more about CAs and why they matter here.) An issued digital certificate (such as an SSL certificate) will have the digital signature of the issuing CA, which gives legitimacy to the certificate.
PKI in action
Let’s take a look at some everyday examples of PKI. We’ll start with SSL certificates, as they are the most commonly used and well-known example of PKI X.509 digital certificates. However, they are by no means the only kind of digital certificate used within PKI.
An SSL certificate encrypts data that’s transmitted between a web server and a client, most typically a website and a web browser. While all SSL certificates offer the same level of encryption, there are multiple different types available based on the number of domains or subdomains you wish to secure, as well as the level of validation a domain owner needs.
Email signing certificates
Also known as a secure email certificate or S/MIME certificate, this kind of PKI certificate secures data sent between two email clients, so they’re mostly used by businesses of all sizes that deal with regularly communicating sensitive information via email. Unlike an SSL, this kind of certificate encrypts data not only while in transit, but also before it even leaves your inbox. It also imprints the email with a digital signature, so that when the intended recipient receives your email, they will know who sent the email and that it hasn’t been tampered with while in transit. It also ensures that emails can only be opened by the intended recipient.
Code signing certificates
This type of PKI certificate is used by software developers and publishers. They secure all manner of downloadable software and applications so that users will know that it is authentic and secure.
Document signing certificates
This certificate allows for the secure signing of digital documents sent over the Internet so that the recipient will know that a document is the real deal and hasn’t been tampered with. This is necessary for all sorts of digital files, from bills and financial documents, to e-statements and contracts. This kind of digital signature is impossible to forge, so recipients will be able to validate the identity of the document’s creator and verify the legitimacy of the file itself.
More than just SSL certificates, PKI is what keeps nearly every element of the Internet secure, whether that be secure communication between email clients, or protecting documents or downloads. We hope you come away from this article with a better understanding of what PKI is and how it works.
If you need to secure your site, be sure to check out the range of affordable SSL certificates we have to offer.