What is a PKI (Public Key Infrastructure)?

Answer

A PKI (Public Key Infrastructure) is the set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, store, and revoke digital certificates. It enables trusted identity verification and encrypted communication at scale.

Components:

- Certificate Authority (CA): the trusted issuer of digital certificates.
- Root CA: the ultimate trust anchor (self-signed, kept offline in air-gapped HSMs).
- Intermediate CA: issues end-entity certificates; if compromised, only its certificates are revoked, not the root.
- Registration Authority (RA): verifies identity before the CA issues certificates.
- Certificate Repository: publishes certificates and revocation data, via a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol), so relying parties can check for revoked certificates.
- X.509: the standard certificate format.

PKI underpins HTTPS, S/MIME email encryption, code signing, VPN authentication, and smart card authentication. Corporate PKI enables internal certificate management without public CA costs. CA compromise (DigiNotar, 2011) demonstrates the critical nature of CA security.