what is public key infrastructure

What Is Public Key Infrastructure (PKI)?

Public Key Infrastructure (PKI) is a set of rules and services that make your digital identity verifiable on the internet. PKI binds a public identifier to a secret that only the entity can control, enabling browsers, applications, and users to establish trustworthy encrypted connections.

The core components of PKI are key pairs, digital certificates, and widely trusted authorities. A key pair functions like a “lock and key”: the public key is like a lock that anyone can see, while the private key is the key that only the owner keeps. A digital certificate acts as an official, stamped “ID card,” registering the association between a public key and a specific domain or organization. Trusted authorities are responsible for validating and issuing these certificates, ensuring others trust the legitimacy of these “ID cards.”

How Does PKI Build a Chain of Trust?

PKI establishes trust through a “chain of trust” that flows from a built-in root of trust down to intermediate authorities and finally to end-user certificates.

The highest level of trust is the “root certificate,” which is pre-installed in operating systems or browsers. Intermediate authorities use the root certificate’s authorization to issue “intermediate certificates.” Server or service certificates (the ones used by websites) are then signed by these intermediate certificates. When verifying, browsers check the path from “server certificate → intermediate certificate → root certificate,” validating signatures, expiration dates, and intended usage at each step.

If any link in this chain is revoked or not trusted, the chain breaks—browsers will warn users or block the connection. The benefit of a trust chain is modular management of “who can be trusted,” making auditing and replacement easier.

What Are Certificates in PKI?

In PKI, certificates are electronic “ID cards” that bind a public key to an identity. Each certificate contains information about its holder (such as domain or organization name), the public key, validity period, usage scope, and the issuer’s digital signature.

Certificates vary in verification strength: Domain Validation (DV) certificates only verify domain ownership—ideal for basic websites. Organization Validation (OV) certificates include business identity details—suitable for enterprises. Certificates have limited validity periods and must be renewed before expiration. They can also be revoked; revocation status is checked online or via downloadable lists to guard against compromised keys or incorrect issuance.

You can view a website’s certificate details by clicking the lock icon in your browser’s address bar, which displays the issuer, validity period, and domain match status. If details do not match or are expired, browsers will alert you to potential risks.

How Does PKI Work with TLS and HTTPS?

PKI underpins identity verification and key exchange in TLS and HTTPS protocols. During the handshake process, servers present their certificate; clients validate the certificate chain and domain name. Once trust is established, both sides negotiate session keys to encrypt subsequent communications.

When you visit websites starting with “https://”, your browser automatically verifies the server’s certificate. This prevents man-in-the-middle attacks and keeps your passwords or financial data safe from phishing sites. As of 2025, most major websites have adopted HTTPS, and browsers restrict sensitive information submission on insecure HTTP pages.

For example, when logging into Gate via web or app, all communications use HTTPS with server certificates issued by trusted authorities. Your device validates both the certificate chain and domain name (“Gate.com”); only after passing validation is an encrypted connection established, significantly reducing phishing risks. When developers use Gate’s API, SDKs and tools also connect via HTTPS to protect API keys and trading commands from interception or tampering.

How to Apply for and Manage Certificates in PKI?

Managing certificates within PKI involves several key steps:

1. Generate a key pair. Use server or development machine tools to create a public key and private key. Safeguard your private key—ideally storing it on dedicated hardware or encrypted devices.
2. Prepare a certificate signing request (CSR). This file includes your public key and domain details—much like packaging application materials for an ID card.
3. Submit to a trusted authority. Provide the CSR to a certificate authority (CA) for domain or organization validation. Upon approval, the CA issues your certificate.
4. Install and configure. Deploy both the issued certificate and any intermediate certificates on your server; enable HTTPS and verify domain matching along with a complete certificate chain to avoid browser errors.
5. Automate renewal and monitoring. Set up expiry reminders or automated renewal tools; monitor certificate validity and revocation status to prevent service disruptions.
6. Private key security. Restrict private key access, rotate keys regularly, and if compromised, immediately revoke old certificates and reissue new ones.

What Is the Role of PKI in Web3?

In Web3 ecosystems, PKI primarily secures access points and distribution channels, working alongside on-chain signatures for end-to-end trust.

First, node and gateway connections require security. When accessing blockchain node RPC endpoints, HTTPS ensures you are connecting to legitimate services—preventing transaction broadcasts to rogue nodes.

Second, wallet and application distribution needs reliability. Code signing with certificates lets operating systems verify that software packages genuinely originate from their developers, reducing malware risk. When users download desktop wallets or browser extensions, the system checks certificate validity before installation.

Third, auditability and transparency matter. Certificate Transparency logs record each new certificate in a publicly auditable ledger—akin to public blockchains—making it easier for communities and security tools to spot anomalous certificates quickly.

How Does PKI Differ from Decentralized Identity (DID)?

PKI and Decentralized Identity (DID) address digital identity from different angles but can complement each other. PKI relies on broadly recognized authorities and system-level trust anchors to establish online identities for domains or organizations; DID shifts control towards individuals, allowing them to prove “I am who I say I am” using cryptographic keys—without requiring traditional institutional endorsement.

PKI suits scenarios needing broad compatibility such as website access or software distribution; DID fits on-chain interactions, verifiable credentials, and decentralized applications (dApps). Many solutions combine both: using PKI to secure network connections and distribution channels, while DID manages user identities and permissions within applications.

What Are the Risks When Using PKI?

PKI is not foolproof—users should be aware of several risks and mitigation strategies:

1. Authority compromise or validation errors: If a CA issues fraudulent certificates due to breach or oversight, attackers may temporarily appear “trusted.” Certificate Transparency logs and monitoring services help detect anomalies for prompt revocation.
2. Phishing via similar domain names: Even with encrypted connections, spoofed domains can deceive users. Always double-check domain names and certificate details before entering sensitive information.
3. Private key leakage or certificate expiry: Service providers must strengthen private key storage, implement expiry reminders, and automate renewals. Users should pause sensitive actions when encountering certificate warnings until verification.
4. Mixed content and misconfigurations: Loading resources over insecure channels undermines overall site security. Ensure all resources use HTTPS with correctly deployed full certificate chains.

Key Takeaways on Public Key Infrastructure

PKI leverages keys, certificates, and trusted authorities to make digital identities verifiable—forming the backbone of HTTPS, code signing, and related security technologies. Trust propagates through certificate chains; revocation and transparency mechanisms help detect and block threats early. In Web3, PKI protects connections and software distribution channels while DID safeguards user-sovereign identities; the two are often combined for holistic security. Prioritize private key security, domain verification, and lifecycle management of certificates to minimize phishing risks and configuration errors.

FAQ

What should I do if my PKI certificate expires?

An expired certificate is no longer valid—browsers or applications will refuse to trust your website. You must renew or reissue your certificate through your Certificate Authority (CA) before installing it on your server again. It’s best practice to begin renewal preparations at least 30 days before expiration to avoid service interruptions.

Do regular users need to understand PKI?

Regular users do not need deep technical knowledge of PKI but understanding basic concepts is helpful. When you see a green lock icon in your browser’s address bar, it means PKI is securing your data; if you see a warning instead, it means there is a problem with the website’s certificate—avoid entering sensitive information in this case. Simply put, PKI makes the internet safer.

Why do some websites work without HTTPS?

Technically, websites can function without HTTPS, but data transmitted is unencrypted and susceptible to interception by attackers. Modern browsers display “not secure” warnings for HTTP-only sites. It is recommended only to browse non-sensitive information on HTTP sites; always choose HTTPS sites for accounts, passwords, payments, or other sensitive operations.

What’s the difference between self-signed certificates and CA-issued certificates?

Self-signed certificates are generated by website owners themselves without third-party CA verification—they are low-cost but not trusted by browsers, which display risk warnings upon access. CA-issued certificates are validated by third-party authorities; browsers trust them and show security indicators. Self-signed certificates may be suitable for personal testing but official services should always use CA-issued certificates.

Can lost keys recover encrypted data in PKI?

No. The private key is the cornerstone of PKI security; once lost, encrypted data cannot be recovered—even the CA cannot help retrieve it. Therefore, safeguarding your private key is critical: keep secure backups, never share it with anyone else, and regularly check access permissions.