Public Key Infrastructure

A Public Key Infrastructure (PKI) consists of hardware components, network infrastructure, network protocols, software, secure operating procedures and a legal framework. It enables users and devices to exchange data over unsecured channels such as the Internet with privacy and/or authentication. It also supports securing data at rest.

Its purpose is to issue and manage X.509 digital certificates, which are based on asymmetric (public/private) key cryptography. Each digital certificate contains information about a given person (name, email address, organization, city/state/country) or network device (fully qualified domain name, organization, city/state/country); this identifying information is called the Subject Distinguished Name. The certificate also includes the public key associated with that subject. Certificates also include several items supplied by the CA at signing time, including the identity of the CA (Issuer Distinguished Name), a unique serial number, the start and end dates of the validity period, key usage flags, CRL or OCSP access information for this certificate, and so on.

The Certification Authority (CA), also known as a Trusted Third Party (TTP), deploys and operates a PKI. This may be an online facility, accessed via the Web or another protocol (such as IRP), that provides service to the general public. It may also be deployed by a security group within an organization to provide service to that organization's employees and/or customers.
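The certificate contents listed above and the CA's signing role, shown in Go as an added example (this is not code from the original page): it builds a self-signed root CA, has that CA sign a server certificate carrying the Subject DN, Issuer DN, serial number, validity period, key usage flags and CRL/OCSP pointers, parses both certificates back to read those fields, and verifies the chain the way a relying party would. All names, URLs and serial numbers are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertSummary holds the fields the text enumerates for every certificate.
type CertSummary struct {
	Subject, Issuer     string
	Serial              *big.Int
	NotBefore, NotAfter time.Time
	CanSignCerts        bool     // keyCertSign bit: what a CA certificate carries
	CRL, OCSP           []string // revocation-check URLs supplied by the CA at signing
}

// BuildDemoPKI creates a self-signed root CA and a server certificate signed
// by it. All names and URLs are constructed for this example only.
func BuildDemoPKI() (caDER, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Org Root CA", Organization: []string{"Example Org"}, Country: []string{"US"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is its own parent, so Issuer DN equals Subject DN.
	caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	// The subject generates its own key pair; only the public half goes in the cert.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4242), // assigned by the CA; real CAs use random serials
		Subject:               pkix.Name{CommonName: "www.example.test", Organization: []string{"Example Org"}, Locality: []string{"Springfield"}, Province: []string{"IL"}, Country: []string{"US"}},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://pki.example.test/root.crl"},
		OCSPServer:            []string{"http://ocsp.example.test"},
	}
	// Signed with the CA key and the CA cert as parent: here the CA fixes the
	// Issuer DN, serial number, validity period and revocation pointers.
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	return caDER, leafDER, err
}

// Summarize parses a DER-encoded certificate and extracts the fields above.
func Summarize(der []byte) (CertSummary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{
		Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		Serial:       c.SerialNumber,
		NotBefore:    c.NotBefore, NotAfter: c.NotAfter,
		CanSignCerts: c.KeyUsage&x509.KeyUsageCertSign != 0,
		CRL:          c.CRLDistributionPoints, OCSP: c.OCSPServer,
	}, nil
}

// VerifyChain does what a relying party does: builds a path from the server
// certificate to the trusted root and checks dates, key usage and hostname.
// Revocation status (CRL/OCSP) is deliberately not fetched here.
func VerifyChain(caDER, leafDER []byte, host string) error {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Calling `BuildDemoPKI` and then `Summarize` on each certificate shows the Issuer DN of the server certificate equal to the Subject DN of the root, and `VerifyChain` succeeds for `www.example.test` but fails for any other hostname. Checking the CRL or OCSP responder named in the certificate is a separate step that a real relying party must add; the example only shows where the CA places those pointers.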

There are two basic architectures for a PKI: organization-centric PKI and user-centric PKI.