
Guide to PKI

PKI (public key infrastructure) is a comprehensive system of policies, processes and technologies that together control the creation and management of digital certificates. Digital certificates are one of the key components that enable a higher level of security for communications and transactions over the internet.

The digital certificate is one of the foundations of a public key infrastructure (PKI). A digital certificate is in many ways the electronic equivalent of a passport or driver's license, and may be used to identify and authenticate someone making online transactions.

A certification authority (CA) issues a digital certificate to a certificate holder on the request of a registration authority (RA), which verifies the applicant's identity before forwarding the request.

Details on a digital certificate include the certificate holder's name, their public key, the name of the issuing certification authority, the period for which the certificate is valid, and an indication of the certificate policy under which it was issued. Most digital certificates follow the format specified in the X.509 standard.

The public and private key pair can be generated on a secure device, so that the private key need never leave it. The certification authority creates the digital certificate incorporating the public key and signs it with the CA's own private key; that signature lets anyone who trusts the CA detect any alteration of the certificate's contents.

The public key in a digital certificate is mathematically linked to the private key: what one key encrypts only the other can decrypt, and the private key cannot feasibly be derived from the public key. The certificate holder must hold the private key securely, since anyone who obtains it can decrypt messages sent to the holder and sign messages in the holder's name. In many applications the private key is therefore generated on, or loaded onto, a physical token such as a smart card that is designed so the key cannot be exported.


When sending messages over the Internet, public key encryption may be used.

Public key (asymmetric) encryption uses mathematical operations that are easy to perform with the right key but infeasible to reverse without it. Two different but related keys are used: the public key encrypts the data, and only the matching private key can decrypt it.

Someone wanting to send a message would obtain the recipient's digital certificate, which contains the public key, from a trusted directory, check that it was signed by a certification authority they trust and is still within its validity period, and then use the public key to encrypt the message before sending it. Once the message is encrypted it can only be decrypted with the intended recipient's private key. The certificate check matters: an attacker who could plant their own certificate in the directory under the recipient's name would otherwise be able to read the message.

The sender can also digitally sign the message using their own private key to prove that the message originated from them and has not been altered in transit. The recipient verifies the signature by obtaining the sender's digital certificate from a trusted directory, checking that the certificate chains to a certification authority they trust, and using the public key it contains to verify the digital signature over the message.
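The issuance, encryption and signing steps described above (a CA signing a certificate for the holder's public key, a message encrypted with the public key from the recipient's certificate, and a signature made with the sender's private key and checked against the sender's certificate) as one worked example using Go's standard library. This is an added example, not code from the original page. The CA name "Example Root CA", the holder "alice@example.com" and the sample message are constructed; the CA, the holder and the "directory" all live in one process, and there is no registration authority, smart card or revocation checking.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the CA (parent, signing with signerKey) certify pub as described by tmpl.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI builds a constructed in-memory PKI: a self-signed root CA and one
// end-entity certificate for "alice@example.com" (an assumed name). The holder
// generates its own key pair; the CA only ever sees the public half.
func NewDemoPKI() (caCert *x509.Certificate, holderKey *rsa.PrivateKey, holderCert *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	holderKey, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, nil, nil, err
	}
	holderTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		EmailAddresses: []string{"alice@example.com"},
		NotBefore:      now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	holderCert, err = issue(holderTmpl, caCert, &holderKey.PublicKey, caKey) // signed by the CA's key
	if err != nil {
		return nil, nil, nil, err
	}
	return caCert, holderKey, holderCert, nil
}

// VerifyCert is the relying party's check before using a certificate: its signature
// must chain to a root in roots, it must be within its validity period and be allowed for this use.
func VerifyCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// Encrypt uses the public key from the recipient's certificate (RSA-OAEP); only the
// matching private key can recover the plaintext.
func Encrypt(recipient *x509.Certificate, msg []byte) ([]byte, error) {
	pub := recipient.PublicKey.(*rsa.PublicKey) // certificates in this demo always carry RSA keys
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is performed by the certificate holder with their private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign produces an RSA-PSS signature over SHA-256(msg) with the sender's private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifySignature checks sig with the public key from the sender's certificate; any change to msg or sig fails.
func VerifySignature(sender *x509.Certificate, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig, nil)
}

func main() {
	caCert, holderKey, holderCert, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	fmt.Println("trusted by our CA:", VerifyCert(holderCert, roots) == nil, "| trusted by an empty root store:", VerifyCert(holderCert, x509.NewCertPool()) == nil)
	msg := []byte("constructed sample message")
	ct, _ := Encrypt(holderCert, msg)
	pt, _ := Decrypt(holderKey, ct)
	sig, _ := Sign(holderKey, msg)
	fmt.Printf("decrypted %q; signature ok: %v; ok on altered message: %v\n", pt,
		VerifySignature(holderCert, msg, sig) == nil, VerifySignature(holderCert, []byte("constructed sample message!"), sig) == nil)
}
```

VerifyCert is the step the prose leaves implicit: the second verification, against an empty root store, is what a relying party should see when the certificate was issued by a CA it does not trust, and an altered message likewise fails VerifySignature. RSA-OAEP can only encrypt a short message directly (under 200 bytes with a 2048-bit key); real systems encrypt a random symmetric key this way and use it for the message body.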

The effectiveness and reliability of a digital certificate rest on the confidence that all parties to a transaction have in the structure, policies and procedures of the PKI that issued it.