What is Public Key Infrastructure (PKI)?

PKI is the framework of certificate authorities, digital certificates, and revocation mechanisms that answers one hard question: when you receive a public key claiming to belong to "your bank," how do you know it actually does? PKI binds keys to verified identities through chains of trusted signatures, which is what lets total strangers on the internet establish trust without ever having exchanged a secret in advance.

The problem it solves

Public-key cryptography lets anyone encrypt a message to your public key or verify your signature — but it has a gaping hole: nothing in the math says a given public key belongs to a given person. An attacker can generate a key pair and claim it is your bank's. PKI fills that gap with a chain of trust. A small number of certificate authorities are trusted in advance, baked into your browser and operating system, and they vouch for everyone else by signing certificates. Trust the authority, and you can transitively trust everyone it has signed for.

Certificates and the chain of trust

A digital certificate — usually in the X.509 format — bundles a public key together with an identity, an expiry date, and the signature of the authority that issued it. Certificates form a chain: a website's certificate is signed by an intermediate authority, which is signed by a root authority your device already trusts. To validate, a client walks the chain upward, checking each signature, until it reaches a trusted root. If every link verifies and nothing has expired or been revoked, the key is accepted. This is the machinery that makes the padlock in your browser meaningful.
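
The chain walk described above, as an added example (not QuantLab's code and not a real X.509 library): textbook RSA over small Mersenne-prime moduli stands in for real certificate signatures, and the `Cert` fields, names, and sample chain are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):  # toy textbook-RSA (modulus n, private exponent d); not secure
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:  # constructed stand-in for the X.509 fields the text lists
    subject: str
    issuer: str
    pub_n: int
    not_after: datetime
    serial: int
    sig: int = 0

    def digest(self, n):  # hash of the signed fields, reduced into the issuer's modulus
        tbs = f"{self.subject}|{self.issuer}|{self.pub_n}|{self.not_after}|{self.serial}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def sign(cert, n, d):  # the issuer signs with its private exponent
    return replace(cert, sig=pow(cert.digest(n), d, n))

def validate(chain, trust_store, revoked, now):  # walk leaf -> root; (ok, reason)
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"{cert.subject}: expired"
        if cert.serial in revoked:
            return False, f"{cert.subject}: revoked"
        anchor = trust_store.get(cert.issuer)  # set when the issuer is a trusted root
        nxt = [c.pub_n for c in chain[i + 1:i + 2] if c.subject == cert.issuer]
        issuer_n = anchor or (nxt[0] if nxt else None)
        if issuer_n is None:
            return False, f"{cert.subject}: issuer not found"
        if pow(cert.sig, E, issuer_n) != cert.digest(issuer_n):
            return False, f"{cert.subject}: bad signature"
        if anchor:
            return True, "ok"
    return False, "empty chain"

# Constructed sample data; 2**k - 1 is a Mersenne prime for every k used here.
ROOT, INTER = keypair(2**107 - 1, 2**127 - 1), keypair(2**61 - 1, 2**89 - 1)
NOW, FAR = datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2099, 1, 1, tzinfo=timezone.utc)
TRUST = {"Example Root CA": ROOT[0]}
def build(leaf_expiry=FAR):  # [leaf, intermediate]; root is in TRUST; leaf key unused
    return [sign(Cert("bank.example", "Example Intermediate CA", 3233, leaf_expiry, 3), *INTER),
            sign(Cert("Example Intermediate CA", "Example Root CA", INTER[0], FAR, 2), *ROOT)]
```

Passing `build()[:1]` (the leaf without its intermediate) fails with "issuer not found", which is the incomplete-chain misconfiguration a server causes when it omits intermediates.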

Issuance, expiry, and revocation

Certificates have a lifecycle. They are issued after the authority verifies the requester — for a website, often just proof of domain control, which is what services like Let's Encrypt automate for free. They expire on a fixed date, forcing periodic renewal so stale keys do not linger. And they can be revoked early if a private key is stolen. Revocation is checked through Certificate Revocation Lists or the Online Certificate Status Protocol, the latter often "stapled" into the handshake so the server proves its own freshness. Expired or unrenewed certificates are a leading cause of preventable outages.

Where PKI shows up

Most people meet PKI through TLS, the protocol behind HTTPS, which uses certificates to authenticate the server before negotiating an encrypted session. But the same infrastructure underpins code signing — proving an app came from a real publisher and was not tampered with — as well as signed email, document signing, and machine identity in zero-trust networks where every device carries a certificate. Internally, organizations often run a private PKI to issue certificates to their own servers, services, and employees, with their own root authority rather than a public one.

At QUANT LAB

PKI is load-bearing in nearly everything we ship. Our cloud infrastructure builds automate certificate issuance and renewal so a forgotten expiry never takes a service down, and service-to-service traffic is authenticated with certificates rather than shared secrets. When we run a penetration test, we routinely find weak TLS configurations, certificates that are never validated, and private keys sitting unprotected in repositories — any one of which quietly undermines the entire trust model.

Operating PKI without surprises

The recurring lessons are about operations, not cryptography. Automate renewal so humans never have to remember a date. Protect private keys as the crown jewels — ideally in a hardware security module or managed key service, never in source control. Keep the certificate chain short and complete so clients can actually validate it. Plan for revocation before you need it, and test that clients honor it. PKI rarely fails because the math is broken; it fails because a certificate expired, a key leaked, or a chain was misconfigured and nobody noticed until customers did.
