What Is PKI?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
PKI, or Public Key Infrastructure, is the framework used to create, issue, manage, and trust digital certificates and the public-private key pairs behind them. In practical terms, PKI is what helps systems verify identity and encrypt communications at scale for websites, users, devices, applications, and internal services.
If you use HTTPS, VPNs, smart cards, Wi-Fi certificates, or signed software, you are already relying on PKI.
PKI definition
Public Key Infrastructure is a combination of technologies, policies, processes, and trust relationships built around public key cryptography.
Instead of relying only on shared secrets, PKI lets systems use:
- a public key, which can be shared
- a private key, which must stay protected
A digital certificate binds a public key to an identity and is signed by a trusted issuer, typically a certificate authority.
How PKI works
PKI works by creating trusted relationships between identities and cryptographic keys.
A key pair is generated
The process starts when a user, device, application, or server generates a public and private key pair. The private key stays under the control of the owner, while the public key is included in the certificate process.
Protecting the private key is critical. If it is stolen, the identity associated with that certificate may no longer be trustworthy.
A certificate is requested
Next, the owner creates a certificate signing request, or CSR, that includes identifying details and the public key. That request is sent to a certificate authority or approved internal registration process.
A certificate authority validates and issues
The certificate authority, or CA, validates the request and issues a digital certificate. That certificate usually includes:
- the subject identity
- the public key
- the issuer
- validity dates
- allowed uses
- the CA’s digital signature
That signature is what allows other systems to verify that the certificate was issued by a trusted authority and has not been modified.
Systems validate trust
A device, browser, or application checks whether the presented certificate chains back to a trusted root CA in its trust store. It also verifies details such as expiration, hostname, and intended usage.
This trust chain is what allows systems to accept a certificate without already sharing a secret directly.
Certificates are used for identity and encryption
Once issued, certificates can be used to:
- secure HTTPS websites
- authenticate users or devices
- protect VPN connections
- support Wi-Fi authentication
- sign code and software updates
- identify internal services and APIs
- encrypt email or application traffic
For a related primer on secure connections, see what is a vpn.
Certificates must be managed over time
PKI is not just about issuing certificates. It also includes lifecycle management, such as:
- renewing certificates before they expire
- rotating certificates during infrastructure changes
- revoking certificates after compromise
- replacing weak algorithms
- tracking certificate ownership
- removing trust for retired systems
In many environments, certificate sprawl becomes an operational problem if inventory and automation are weak.
Why PKI matters
PKI matters because it provides a scalable way to establish trust. It helps answer questions like:
- Is this really the website I intended to visit?
- Is this device allowed on the network?
- Was this software signed by a trusted publisher?
- Can this service prove its identity to another service?
Without PKI, many common security functions would be much harder to run safely at scale.
PKI also supports broader identity security efforts. If your organization is reducing implicit trust across users and systems, read what is zero trust for the architectural side of that strategy.
Where you’ll encounter PKI
PKI shows up in more places than many teams realize.
HTTPS and TLS certificates
The most visible use case is HTTPS. Public websites use certificates to prove domain identity and protect data in transit.
Enterprise authentication
Organizations also use PKI for:
- VPN access
- Wi-Fi authentication
- smart card logon
- workstation certificates
- device trust for management platforms
- machine-to-machine authentication
Internal services and APIs
Modern applications often rely on certificates for internal service communication, especially in cloud and zero trust environments.
Code signing
Developers and vendors use certificates to sign software, scripts, drivers, and updates so recipients can verify origin and integrity.
Email and document security
Some organizations use PKI for secure email, digital signatures, and document signing workflows.
Common PKI components
A PKI environment usually includes several core pieces.
Certificate authority
A certificate authority issues and signs certificates. This may be a public CA for internet-facing certificates or an internal CA for enterprise systems.
Root CA
A root CA anchors trust. Systems trust certificates that chain back to a root certificate in their trust store.
Intermediate CA
An intermediate CA issues certificates under the root, helping separate operational issuance from the highest-trust root key.
Trust store
A trust store is the list of certificate authorities a system already trusts.
Certificate revocation
Revocation is the process of invalidating a certificate before its normal expiration date, usually because the key is compromised or the identity should no longer be trusted.
PKI challenges and risks
PKI is mature technology, but it still creates operational and security challenges.
Expired certificates
If teams do not track renewals well, expired certificates can break websites, APIs, VPNs, and internal applications.
Weak private key protection
A certificate is only as trustworthy as its private key. Poor storage, backup handling, or access control can undermine the whole model.
Certificate sprawl
Large environments often accumulate certificates across cloud services, load balancers, appliances, containers, and endpoints. Without inventory, ownership becomes unclear.
Misconfigured trust
If systems trust the wrong CA, or trust too broadly, that can create unnecessary risk.
Manual processes
Manual issuance and renewal workflows do not scale well. Automation is often necessary once certificate use expands.
Final takeaway
PKI is the trust framework behind digital certificates, encrypted connections, and key-based identity. It underpins HTTPS, VPNs, Wi-Fi authentication, code signing, device trust, and many internal service-to-service security models.
If your environment depends on certificates to prove identity or secure traffic, PKI is already part of your security architecture whether you call it that or not.