Back to overview

Public key infrastructure (PKI): An overview

Reading time approx. 4 minutes

Public key infrastructure (PKI) is an essential element of the digital security architecture. It uses asymmetric cryptography and aims to guarantee the confidentiality, integrity and authenticity of digital information. Its use cases in digital communication are diverse.


PKI is based on the principle of asymmetric encryption, in which a digital key pair is used - A public key, which is accessible to everyone, and a private key, which is only known to the key owner and is kept secret. PKI therefore enables secure communication, as information is encrypted with the public key and can only be decrypted with the corresponding private key.

The authenticity of the public key is confirmed by a signed digital certificate.

Important components

Public key cryptography

The centrepiece of PKI is asymmetric encryption, which is based on a key pair. The public keys are used to encrypt data, while the private keys are used for decryption. This principle ensures secure communication between the parties.

Certificate authorities

Certificate authorities (CAs) are trusted entities that issue digital certificates. These certificates link the public key with the identity of a user or an organisation.

Registration authorities

Registration (RAs) are responsible for verifying identity information before a digital certificate is issued. This verification ensures that the correct public key is associated with the intended identity.

Certificate revocation list

A certificate revocation list (CRL) is a list of certificates that have been declared invalid before their specified validity period has expired. The purpose of a CRL is to ensure that certificates that are no longer considered trustworthy for various reasons are no longer used for authentication or encryption.

Possible reasons for including a certificate in a CRL:

  • Private key compromise: If the private key associated with the certificate has been compromised, the certificate will be added to the CRL. This prevents it from continuing to be used for security-critical operations.
  • Loss of the private key: If the private key is irretrievably lost, the certificate can also be placed on the CRL.
  • Termination of validity: If there is a premature reason to declare the certificate invalid, e.g. if a user leaves the company or if the certificate is no longer required for other operational reasons.
  • Suspicion of forgery: If there is a suspicion that the certificate has been forged or is otherwise insecure.

Directory service

A directory service in the context of the PKI is a searchable directory that enables the management, storage and retrieval of digital certificates and associated information. The lightweight directory access protocol (LDAP) is usually used to access it.

Validation authority

A validation service (VA) checks the validity of digital certificates. By comparing with certificate revocation lists (CRLs) or using the online certificate status protocol (OCSP), the service ensures that a certificate has not been revoked. This validation is crucial to ensure the security of communication and transactions.

Trust models

The trust between the verifier and the issuer of a certificate and the process by which this trust is established form the essential basis for the use of digital certificates.

Hierarchical trust model

In the hierarchical trust model, CAs are organised in a hierarchy. A superordinate CA issues a certificate for a subordinate CA. Trust is based on the reliability of the highest CA (root CA), which is trusted by all participating parties.


Here, two certification authorities (usually root authorities) issue a (cross-) certificate to each other. Cross-certificates express the trust of two equal parties. Cross-certifications are used to enable the use of certificates across the boundaries of different hierarchical PKIs.

Web of trust

There is no central authority in the Web of Trust (WOT). Trust is built through personal checks and confirmations between users. This model offers more flexibility, but requires a higher degree of user interaction.

Use cases of PKI

Secure communication

PKI plays a crucial role in establishing secure communication channels, especially in the form of HTTPS, to ensure the confidentiality and integrity of data transmissions.

Digital signatures

The ability to create digital signatures is an important use case. These signatures are used to authenticate and verify the integrity of electronic documents.

Authentication and access control

In networks and systems, PKI enables secure user authentication and effective access control, preventing unauthorised access.

E-mail security

The encryption of e-mails and the signing of messages are further important applications of PKI. This ensures the confidentiality of e-mail communication and protects against phishing attacks.

Electronic Identities

PKI offers the possibility of providing secure digital identities. These are used in various applications, from online transactions to official processes.


Public key infrastructure is an indispensable component of digital security and plays a key role in securing digital communication. It enables secure transmissions through encryption, authentication of users and devices through digital certificates and ensures the integrity of data. It is used for email security, secure transactions, access control and the prevention of identity theft. As a basic security infrastructure, PKI is indispensable for protecting sensitive information in the networked world, and it creates trust in digital communication and transactions.