Public Key Infrastructure (PKI)

The framework that binds public keys to verified identities through a chain of trust, so two parties who've never met can authenticate.

Last Updated date: July 2026

Public Key Infrastructure (PKI) is a security framework that manages digital certificates and cryptographic key pairs to verify identities and secure data in transit. It binds public keys to verified entities (users, devices, or servers) through a chain of trust anchored by a Certificate Authority (CA).

PKI is the mechanism behind HTTPS, email signing, VPNs, and certificate-based authentication across enterprise networks.

At a Glance

Quick Summary
Field         Detail
Category      Cryptography / Identity & Access Management (IAM)
Related to    Digital Certificates, TLS/SSL, Zero Trust, IAM
Primary use   Identity verification and encrypted communication
Key benefit   Proves who you are talking to, without passwords

Why PKI Is a Foundation of Identity Security

PKI solves a problem that passwords can't: proving identity at scale, across systems that have never met before.

When a user connects to a bank's website, when a device authenticates to a corporate VPN, or when a developer signs code for deployment, none of these parties share a pre-existing secret. PKI provides the trusted third-party mechanism that makes verification possible without prior contact.

For organizations operating under Zero Trust principles, PKI isn't optional. Every connection has to be authenticated. PKI is the infrastructure that makes machine-to-machine and user-to-resource trust decisions verifiable rather than assumed.

Without PKI, identity governance platforms can't enforce least privilege at the network layer. They can govern who should have access, but can't cryptographically prove who is actually connecting.

How PKI Establishes Trust

PKI operates through a structured four-step process:

  • Key pair generation:
    An entity (user, device, or server) generates a public key and a private key. The public key is shared. The private key never leaves the entity's control.
  • Certificate request and verification:
    The entity submits a certificate signing request (CSR) to a Registration Authority (RA), which validates the requester's identity before forwarding to the Certificate Authority.
  • Certificate issuance:
    The CA cryptographically signs the certificate, binding the public key to the verified identity. The certificate is published and available for others to inspect.
  • Verification at connection time:
    When two parties communicate, the receiver checks the certificate against the trusted CA. If the chain is intact and the certificate isn't revoked, the connection proceeds.

Revocation is handled either through Certificate Revocation Lists (CRLs), periodically published lists of invalidated certificates, or via the Online Certificate Status Protocol (OCSP), which checks certificate validity in real time.
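
The four steps and the CRL revocation path above, run end to end with the openssl command line. This is an added example, not part of the original page; the lab directory, file names, subjects and lifetimes are assumptions, and the RA's identity vetting and OCSP are not modelled.

```shell
#!/bin/sh
# Constructed lab PKI in a temp dir; file names, subjects and lifetimes are assumptions.
lab_ca() { openssl ca -config ca.cnf -cert root.pem -keyfile root.key "$@" >/dev/null 2>&1; }
lab_setup() {
  LAB=$(mktemp -d) && cd "$LAB" || return 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
[ca]
default_ca = lab
[lab]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
x509_extensions = leaf_ext
[pol]
commonName = supplied
EOF
  : > index.txt && echo 1000 > serial
  # Trust anchor: the CA's key pair and self-signed certificate (an HSM holds this key in production).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -subj "/CN=Lab Root CA" -config ca.cnf -extensions root_ext 2>/dev/null || return 1
  # Steps 1-2: the server generates its key pair and a CSR; leaf.key never leaves it.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=api.example.test" -config ca.cnf 2>/dev/null || return 1
  # Step 3: the CA verifies the CSR's self-signature and signs the certificate.
  lab_ca -batch -notext -in leaf.csr -out leaf.pem
}
publish_crl() { lab_ca -gencrl -out crl.pem; }
revoke_leaf() { lab_ca -revoke leaf.pem && publish_crl; }
# Step 4, relying party: chain validation alone, then chain plus CRL status.
chain_ok() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
chain_crl_ok() { openssl verify -CAfile root.pem -crl_check -CRLfile crl.pem leaf.pem >/dev/null 2>&1; }

lab_setup && publish_crl || exit 1
chain_crl_ok && echo "issued: chain and CRL checks pass"
revoke_leaf
chain_ok && echo "revoked: chain-only validation still passes"
chain_crl_ok || echo "revoked: CRL check rejects the certificate"
```

Chain validation and revocation checking are separate decisions: a verifier that skips -crl_check keeps accepting the revoked certificate until it expires.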

Core Components of a PKI System

Certificate Authority (CA)

The root of trust in any PKI deployment. The CA signs and issues digital certificates and is responsible for the integrity of the entire chain. Enterprise deployments often use a two-tier model: an offline root CA and one or more intermediate CAs for daily operations.

Registration Authority (RA)

Handles identity verification before certificate issuance. In large deployments, the RA is separate from the CA. It vets requests so the CA only processes verified identities.

Digital Certificates (X.509)

The core artifact of PKI. Each certificate contains the entity's public key, identity details, validity period, issuing CA, and a cryptographic signature. The X.509 standard governs format across the industry.

Certificate Revocation Infrastructure

Compromised or expired certificates have to be invalidated. CRLs provide a batch revocation list. OCSP provides real-time status. Modern implementations increasingly favor OCSP stapling for performance.

Hardware Security Modules (HSMs)

Physical devices that store root CA private keys in tamper-resistant hardware. HSMs are the industry standard for protecting the keys that underpin an entire PKI deployment.

What PKI Protects Against

PKI's core security guarantees:

  • Man-in-the-middle attacks:
    Certificate validation makes sure the entity you're communicating with controls the private key matching the public key in their certificate.
  • Identity spoofing:
    Without a valid certificate signed by a trusted CA, an attacker can't impersonate a legitimate server or user.
  • Undetected data tampering:
    Digital signatures allow recipients to verify that data hasn't been altered in transit.
  • Repudiation of signed actions:
    A signed transaction can't be credibly denied by the party that holds the private key.

Benefits of PKI for Enterprise Identity Programs

  • Eliminates password-based authentication for machine-to-machine communication
  • Enables certificate-based MFA for privileged access and VPN connections
  • Supports least-privilege enforcement at the network and application layer
  • Provides cryptographic audit trails for compliance with SOC 2, HIPAA, PCI-DSS, and FedRAMP
  • Scales across thousands of devices and users without per-entity configuration

PKI Use Cases by Industry

Financial Services

Banks and payment processors use PKI to authenticate inter-system API calls, sign transactions, and secure cardholder data under PCI-DSS. Certificate-based authentication is required for connections between trading systems and clearing networks.

Healthcare

HIPAA-covered entities rely on PKI to encrypt patient data in transit and authenticate clinical devices (infusion pumps, imaging systems) to hospital networks. HIE (Health Information Exchange) networks use PKI to establish trust between provider organizations.

Enterprise IT and SaaS

DevOps teams use code-signing certificates to verify software integrity before deployment. SaaS platforms issue certificates for API authentication, replacing long-lived API keys with time-bound, revocable credentials.

Government and Critical Infrastructure

Federal agencies use PIV (Personal Identity Verification) cards (PKI-based smart cards) for physical and logical access. NIST SP 800-57 and FIPS 140-2 set the cryptographic standards that govern these deployments.

PKI vs. Other Authentication Approaches

Approach              Basis of Trust                      Scalability   Revocation
PKI / Certificates    Cryptographic key pair + CA chain   High          CRL / OCSP
Password-based        Shared secret                       High          Manual reset
SAML / OAuth tokens   Signed assertions from IdP          High          Token expiry/revocation endpoint
SSH keys              Key pair without CA                 Medium        Manual removal from authorized_keys

The key distinction: PKI is the only approach that provides cryptographic proof of identity without requiring the authenticating party to share any secret with the verifier in advance.

Implementing PKI in an Enterprise Environment

A staged rollout reduces risk and builds operational confidence:

  • Define your trust hierarchy:
    Decide between a public CA (for example, Let's Encrypt, DigiCert) and a private enterprise CA. Most large organizations run both.
  • Protect root CA keys with HSMs:
    The root CA private key should never exist outside hardware-protected storage.
  • Deploy an intermediate CA for operational use:
    Keep the root CA offline. Intermediate CAs handle day-to-day issuance.
  • Automate certificate lifecycle management:
    Manual certificate tracking leads to expiry-related outages. Integrate with an identity governance platform or dedicated CLM tool.
  • Establish revocation infrastructure:
    Deploy OCSP responders and make sure clients are configured to check revocation status.
  • Audit and rotate regularly:
    Certificate inventories should be reviewed quarterly. Cryptographic algorithms (RSA key lengths, signature hashes) should be evaluated against current NIST guidance annually.
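
One way to script the inventory review from the last step, as an added example that is not part of the original page: it flags certificates close to expiry, RSA keys under 2048 bits, and SHA-1 or MD5 signatures. The finding labels, the 2048-bit threshold and the sample inventory are assumptions made for the illustration.

```shell
#!/bin/sh
# audit_certs DIR DAYS: print one finding per line for each PEM certificate in DIR
# that expires within DAYS, has an RSA key under 2048 bits, or carries a SHA-1/MD5 signature.
audit_certs() {
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || { echo "UNREADABLE $f"; continue; }
    if ! openssl x509 -in "$f" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
      echo "EXPIRING $f $(openssl x509 -in "$f" -noout -enddate)"
    fi
    # Key size as printed by openssl ("Public-Key: (2048 bit)").
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $text in
      *rsaEncryption*) [ "${bits:-0}" -ge 2048 ] || echo "WEAK_RSA $f $bits bits" ;;
    esac
    case $text in
      *"Signature Algorithm: sha1"*|*"Signature Algorithm: md5"*) echo "WEAK_HASH $f" ;;
    esac
  done
}

# Constructed sample inventory: one healthy certificate and one 10-day, 1024-bit certificate.
sample_inventory() {
  dir=$(mktemp -d) || return 1
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ok.example.test" \
    -config "$dir/req.cnf" -keyout "$dir/ok.key" -out "$dir/ok.pem" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:1024 -nodes -days 10 -subj "/CN=legacy.example.test" \
    -config "$dir/req.cnf" -keyout "$dir/legacy.key" -out "$dir/legacy.pem" 2>/dev/null || return 1
  echo "$dir"
}

audit_certs "$(sample_inventory)" 30
```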

Common PKI Challenges

Certificate sprawl

Organizations often lose track of thousands of certificates across environments. An untracked certificate that expires silently can take down production services.

CA compromise risk

The entire PKI chain depends on the security of the CA. A compromised root CA invalidates trust across all issued certificates, a rare but catastrophic failure mode.

Algorithm agility

Migrating from SHA-1 to SHA-256, or from RSA-2048 to ECC or post-quantum algorithms, requires coordinated re-issuance across the certificate estate.

Operational complexity

PKI requires expertise to deploy correctly. Misconfigurations in revocation checking, certificate pinning, or trust store management are common sources of vulnerability.

Frequently Asked Questions

PKI is the system that allows two parties who have never met to verify each other's identities online. It works by issuing digital certificates, signed by a trusted authority, that prove a public key belongs to a specific person, device, or server.

A public key is shared openly and used by others to encrypt data or verify signatures. A private key is kept secret by its owner and used to decrypt data or create signatures. Data encrypted with a public key can only be decrypted by the matching private key.

Expiry limits the window of exposure if a certificate is compromised without the CA's knowledge. Shorter validity periods, now standard at 1 year for TLS certificates and trending toward 90 days, reduce the risk of undetected compromise.

The CA adds the certificate's serial number to its Certificate Revocation List (CRL) and/or updates its OCSP responder. Clients checking certificate validity will see the revocation status and reject the certificate.

Not exactly. SSL/TLS is a protocol for encrypting web traffic. PKI is the underlying infrastructure (the CAs, certificates, and key management systems) that SSL/TLS relies on to verify server identities before establishing an encrypted connection.

Zero Trust requires continuous verification of every user and device. PKI provides the cryptographic foundation for that verification. Certificate-based authentication is one of the primary mechanisms Zero Trust architectures use to authenticate workloads, devices, and privileged users.
