Introduction to Public Key Infrastructure (PKI)

Before you start

Objectives: Learn what is PKI, what are its components, and how do they work together.

Prerequisites: you should know what is cryptography.

Key terms: CA, certificate, PKI, model, trust, Cas, key, authority, environment, organization, list


PKI is based on standard protocol X.509 which defines the structure and content of certificates. PKI can be used for authentication, confidentiality, integrity, and non-repudiation. PKI is an infrastructure or a framework. All parts of the solution have to work together to provide secure communication. However, the standard does not specify the technology or the algorithm, it just describes the mechanism that need to be provided to support security. PKI is primarily based on the Certificate Authority (CA), which is the centralized control component.


Certificates are used to associate a public key with a claimed owner. Basically, certificates prove identity, and that’s all. Each certificate has a unique serial number, that is defined by the CA, and which binds the certificate with the owner. X.509 compatible certificate standards include several items that are part of certificates. Certificate components are Serial number, subject name, signature algorithm, issuer, valid from/valid to dates, and public key.

Certificate Authority (CA)

Certificate Authority is the component which is used to maintain and issue certificates. CA first identifies the identity of the person or organization. CA then constructs the certificate for that person or organization, and then it validates the certificate by signing it with its own certificate. The certificate is then issued to the person or organization. Multiple CAs can be organized in a hierarchy. At that point, CA is responsible for maintaining, updating and handling the Certificate Revocation List or the CRL. The CRL lists all certificates that have been revoked for some reason other than expiration, like fraud or compromise of the secret key. Note that expired certificates are not on the list.

Registration Authority (RA)

The related component to Certificate Authority is the Registration Authority. RA simply confirms or denies the validity of the certificates. It acts as a man-in-the-middle between the user and the CA to reduce the workload on the CA.

PKI Deployment

When implementing PKI, the first thing we have to have is the Root CA. Under the Root CA, we will have additional CAs, followed by the Registration Authorities (RAs). Any CA below one another is called the Subordinate CA. Any CA between two CAs is called Intermediate CA. After the RAs, we have our users.

1 CA

Sample PKI Environment

When a user requests the certificate, that request goes up to the nearest CA. This CA will issue the certificate, and send it to the client. From that point on, when any user wants to validate the certificate, it only communicates with the nearest RA, instead of contacting the CA. This reduces the workload on the CA. RAs are also responsible for the distribution of the CRLs, when requested by clients. However, RAs don’t make any changes to the CRL.

Certificate Policies

Certificate Policies govern and control the usage of certificates in the specific PKI environment. They define the set of rules that control how certificates can be used, managed and deployed inside the environment.

Certificate Practice Statements

CPS are guidelines on how the CA is to manage certificates it issues. It details the practices and procedures used for certificate management.

Online Certificate Status Protocol (OCSP)

OCSP is a replacement to the Certificate Revocation List (CRL). Instead of sending a complete CRL list on every request, OCSP simply indicates if a specific certificate is valid or not for a specific request. This eliminates the need to maintain and redistribute the CRL which helps to reduce the network traffic.

The Trust Model

When using the PKI environment and CAs, we have to know what kind of trust we want to put in place. There are four different types of trust models. The simplest trust model is a Standalone, single CA. In this model we have a single CA in our environment, no Subordinates and Intermediates, and no trust relationships with any other organizations. The second model is the Cross Certification. In this model we have two or more CAs that establish a trust relationships between each other. This model is best suited for peer-to-peer relationships, such as business partners. The third model is the Hierarchicalmodel. This is when multiple CAs are deployed in single organization. CAs are subordinate to single Root CA in that same organization. The last model is the Web of Trust. In this model all partners trust each other equally.