This Is How I Explain PKI To a Beginner
PKI is not about encryption. It is about trust. If you don’t understand this difference, you don’t understand how internet security works.
It’s time to describe one of the core concepts of today’s internet and its security, often called the backbone of digital trust.
Without it, the internet as we know it wouldn’t exist.
There would be no way to verify that someone is who they claim to be.
So what can you expect today?
After reading this article, you will understand:
What the goals of the Public Key Infrastructure (PKI) are
What functions and components PKI has
How it fulfills its goals
And as a bonus, I will tell you exactly what you need to know for cybersecurity exams and interviews.
So if you are serious about cybersecurity, make sure to read this!
Warning: CC, Security+, and CISSP relevant topic!
Do you want to build a career in cybersecurity? Take a 2-minute cybersecurity quiz and get a personalized reading list based on your background and goals.
Core Objectives of PKI
Before we deep dive into the individual components of the PKI, I want to make one thing absolutely clear.
PKI isn’t about encryption!
Does it use cryptographic algorithms? Absolutely.
But it is only one small part of a complicated system.
And if you’ve been reading Decoded Security for a while, you know that everything needs to be tied to the core cybersecurity objectives - CIANA. (If you’re not familiar with the CIANA triad, just read the Core Cybersecurity Objectives - Summary.)
So what are the core objectives of the PKI?
Authentication: To confirm that users, devices, and applications are who they claim to be.
Confidentiality: To encrypt data so that only the authorized recipient can read it.
Data Integrity: To guarantee that information has not been altered or tampered with during transit.
Non-Repudiation: To provide proof of the origin of data, preventing a sender from denying they sent a message or signed a document.
Excellent, now we know its goals. Let’s dive into how they are achieved.
Are you interested in how PKI works? Give me a like so I know I am not alone!
PKI - Key function
Now that we know what we want to achieve with the implementation of the PKI, let’s take a look at how it’s achieved.
Key function: PKI manages the entire lifecycle of digital certificates, which bind public keys to specific identities (people, organizations, or devices).
Don’t know what a digital certificate is? Don’t worry, we all have been there.
Read this first: What is the digital certificate?
In other words, it allows us to verify that a specific public key really belongs to a person, organization, or any other entity.
Why is it so important?
Imagine I generate a key pair - a public and a private key - and then a certificate for myself.
I simply create a website that looks exactly like your bank. Your browser asks me for a certificate, so I generate one and send it.
Everything seems legit, you start entering your credentials, and... I think you can see the problem now.
For this reason, there is an independent entity that both your browser (or you) and the bank trust, called a certification authority.
This entity would sign my certificate, but only after I provide proof that I am really your bank. Since I can’t provide any kind of proof that I am your bank, they wouldn’t sign my certificate, and you wouldn’t trust me.
The attack just failed.
So, here is the key information I want you to take away from this chapter.
The PKI introduces a system that allows us to bind a public key to a specific entity (e.g., a bank) by signing its digital certificate that includes its public key.
The digital certificate is signed by a CA (Certification Authority) that is trusted by both communicating parties.
Don’t know how asymmetric encryption works and what a public key is? I got you covered: Asymmetric encryption - Introduction
PKI - The Passport Analogy
I know I dropped a lot of terms on you. Today is about getting the main idea.
So let me use an analogy that helped me to understand the whole system a couple of years back!
Think of PKI like a passport system.
When you travel internationally, border control does not know you personally. But they trust your passport because they trust the government that issued it.
PKI works exactly the same way.
Here is the mapping:
Certificate Authority (CA) = the government: The trusted organization that issues and signs digital certificates. Everyone agrees to trust the CA. If the CA says a certificate is valid, everyone accepts it.
Digital Certificate = your passport: A document that proves your identity online. It contains your public key and is signed by a CA to confirm it is legitimate.
Public Key = your identity: Visible to everyone. Just like your name and photo on a passport. Anyone can see it.
Private Key = your fingerprint: Known only to you. The unique proof that you are who you say you are. Cannot be faked or transferred.
The CA’s signature is what makes it all work.
Without a trusted authority vouching for your identity, anyone could create a fake certificate claiming to be your bank, your email provider, or anyone else.
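To make the bank story and the passport mapping concrete, here is an added example (my own illustration, not code from the original post) that plays the whole scenario out with Go's standard x509 library: a root CA (the government) issues a certificate (the passport) for a bank, an attacker generates a key pair and a self-signed certificate with the same name, and the browser's trust store contains only the CA. It also shows the fingerprint part of the analogy: even someone who copies the bank's public certificate cannot answer a challenge without the bank's private key. The hostname bank.example, the CA name and the challenge value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const bankHost = "bank.example" // constructed hostname for the example

// newKey generates a P-256 key pair: the private half is the "fingerprint",
// the public half is the identity that ends up inside the certificate.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes the certificate we want: a CA ("the government") or a
// server certificate ("the passport") for one hostname.
func template(name string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with issuerKey. When parent is the template itself the
// result is self-signed, which is what both a root CA and an impostor produce.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BrowserTrusts is the border-control check: is the presented certificate
// signed by a CA in our trust store, and was it issued for the host we visit?
func BrowserTrusts(roots *x509.CertPool, presented *x509.Certificate, host string) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// ProvesPossession checks that whoever answered the challenge holds the private
// key matching the certificate's public key; a copied certificate cannot do this.
func ProvesPossession(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func sign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Result records the four outcomes of the scenario.
type Result struct {
	BankTrusted, ImpostorTrusted, BankProvesKey, ImpostorProvesKey bool
}

// RunScenario: a CA, a real bank, and an attacker who can generate keys and
// certificates at will but cannot get the CA to sign them.
func RunScenario() Result {
	caKey := newKey()
	caTmpl := template("Example Root CA", true)
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	roots := x509.NewCertPool() // the browser's trust store holds only the CA
	roots.AddCert(caCert)

	bankKey := newKey()
	bankCert := issue(template(bankHost, false), caCert, &bankKey.PublicKey, caKey)

	attackerKey := newKey()
	fakeTmpl := template(bankHost, false) // same name, but nobody vouches for it
	fakeCert := issue(fakeTmpl, fakeTmpl, &attackerKey.PublicKey, attackerKey)

	challenge := []byte("constructed-nonce-1234") // constructed; random per session in practice
	return Result{
		BankTrusted:       BrowserTrusts(roots, bankCert, bankHost),
		ImpostorTrusted:   BrowserTrusts(roots, fakeCert, bankHost),
		BankProvesKey:     ProvesPossession(bankCert, challenge, sign(bankKey, challenge)),
		ImpostorProvesKey: ProvesPossession(bankCert, challenge, sign(attackerKey, challenge)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints BankTrusted and BankProvesKey as true and the two impostor fields as false: the attacker's certificate looks identical in name and format, but the CA's signature is missing, so the trust store rejects it; and a stolen copy of the bank's certificate is useless without the matching private key.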
Did this analogy help you? Give me a like so I know it’s worth creating them!
Key Takeaways
If this all feels confusing, don’t worry, it will all start to make sense.
To fully understand this problem, make sure to understand the following topics:
👉 Certification Authorities: What is it and why do we need it?
👉 Digital Signatures Explained
👉 Symmetric vs Asymmetric Encryption
If you’re struggling with any of the topics, there is nothing easier than commenting under the post, and I will help you!
Once you understand these topics, the whole PKI process becomes clearer. And if it doesn’t, just comment under the post, and I will explain it better!
Did this article help you to understand the basics of the PKI process? Give it a like and help me to share it with more people interested in cybersecurity!
Conclusion
Congratulations! You now understand what PKI actually is and why it exists.
And more importantly, you understand the problem it solves - which is exactly the question the CISSP exam will ask you.
Next time, we will look at how this connects to the real world. What we covered today is only the general system; to really understand how PKI is used in practice, one piece is still missing: the chain of trust.
Want a clear 90-day plan for turning your knowledge into a job?
👉 The 90-Day Cybersecurity Job Blueprint - €9.99
4.8 stars. 45 people have used it. 14-day money-back guarantee.
Let’s Connect
If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:
Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap
Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!
Let’s learn and grow together!
Good ol' basics, nice post.
Awesome! Back to fundamentals.. passport analogy is brilliant