You can’t talk about data security and secure communication on the Internet without mentioning Public Key Infrastructure (PKI). These three letters describe a set of cooperating roles, systems, and procedures, in other words an infrastructure. It manages keys, confirms digital identities, and makes encrypted and authenticated communication possible.
We explain here how it all works and what you need to consider in PKI management. You will also learn how to easily adapt yours to your company’s IT security needs with essendi xc.
Content:
What does PKI stand for (PKI meaning)?
What are the components?
How does a PKI work?
What is it used for?
Who has a PKI?
What is a certificate chain?
What are code signing certificates?
What is the difference between Web Of Trust and PKI?
Why is essendi xc a valuable PKI tool?
What does PKI stand for (PKI meaning)?
The letters stand for Public Key Infrastructure. It is a system of technologies, policies, and procedures that ensures secure digital communication. It does this by using cryptographic key pairs and X.509 certificates, the format behind the SSL/TLS certificates that web servers present.
So what is PKI in cyber security? It establishes trust: it lets a party prove who it is (authentication), lets recipients detect changes to data (integrity), and provides the keys needed for encryption, making it a fundamental component of cybersecurity in modern IT environments.
What are the components?
A public key infrastructure comprises the following components:
Public and private keys
PKI is built on asymmetric (public key) cryptography. The system always generates the public and private key as a mathematically linked pair: data encrypted with one key can only be decrypted with the other. The public key is freely available to everyone in the network; the private key is known only to its owner and is never shared.
In practice the two keys have fixed roles: the public key encrypts or verifies signatures, the private key decrypts or signs. Because asymmetric operations are slow and limited in message size, the public key usually encrypts only a small symmetric session key, and that session key then protects the bulk data.
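As an added example that is not part of the original article and not essendi's code, the following Go program (standard library only) shows both roles of a key pair as described above: Alice's public key encrypts, her private key decrypts; her private key signs, her public key verifies. It also shows the hybrid pattern mentioned above, in which RSA-OAEP wraps a random AES-GCM session key that protects the actual data. The type and function names (Envelope, Encrypt, Decrypt, Sign, VerifySig), the key names and the sample message are this example's own constructions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over the network: the session key wrapped with the
// recipient's public key, plus the AES-GCM nonce and ciphertext (example type).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt needs only the recipient's PUBLIC key. A fresh 256-bit AES key
// encrypts the payload; RSA-OAEP wraps that key, so the slow, size-limited
// asymmetric operation is applied to 32 bytes and never to the bulk data.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt needs the matching PRIVATE key. Any other key fails at the OAEP
// unwrap; a modified ciphertext fails at the GCM authentication tag.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return plaintext, nil
}

// Sign uses the PRIVATE key (RSA-PSS over a SHA-256 digest).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifySig uses the PUBLIC key; nil means msg is unchanged and was signed by
// the holder of the private key that belongs to pub.
func VerifySig(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)   // alice keeps this private
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	msg := []byte("constructed sample message")      // constructed input

	env, _ := Encrypt(&alice.PublicKey, msg) // needs only alice's public key
	pt, err := Decrypt(alice, env)
	fmt.Printf("alice decrypts:   %q err=%v\n", pt, err)
	_, err = Decrypt(mallory, env)
	fmt.Println("mallory decrypts: err =", err)
	sig, _ := Sign(alice, msg)
	fmt.Println("verify with alice's key:  ", VerifySig(&alice.PublicKey, msg, sig))
	fmt.Println("verify with mallory's key:", VerifySig(&mallory.PublicKey, msg, sig))
}
```

Two details are worth noticing. The RSA key pair never touches the message itself, only the 32-byte session key, which is why the same scheme scales to files of any size. And the failure modes are distinct: a wrong private key fails inside OAEP, while a tampered ciphertext fails at the GCM tag, so the recipient learns that something is wrong without ever seeing corrupted plaintext.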
Digital Certificates
Certificates are used in digital communication for authentication (PKI authentication), encryption and as signatures. A certificate binds a public key to an identity and consists of various pieces of information. This includes, among other things:
- the subject, that is the identity of the certificate owner (for a server certificate, its host names),
- the validity period of the PKI certificate (PKI cert), with a start date and an expiry date,
- the name of the issuing certificate authority (CA) and its digital signature over the certificate, and
- the public key of the certificate owner.
Certificate Revocation List (CRL)
The certificate revocation list is a signed list, published by the CA, of certificates that it has declared invalid before their expiry date, for example because the private key was compromised, the owner's details have changed, or the certificate was issued in error. A relying party that checks the CRL can refuse a certificate that is still within its validity period but is no longer trustworthy.
Validation services (Validation Authority)
A validation service (PKI based authentication via OCSP) checks the validity of a digital certificate, for example by querying the CA's revocation information: either the certificate revocation list or an OCSP responder that answers for a single certificate. Certificate Transparency (CT) logs serve a different purpose: they are public, append-only records of issued certificates, so monitoring them reveals certificates issued for your domains that you did not request. essendi xc also has such a monitoring service, the CT Log Monitor, which helps in detecting unexpected or forged certificates.
Registration Authority (RA)
The registration authority works closely with the certificate authorities (CAs). It identifies and registers the applicant. It verifies the accuracy of the data in the certificate request and then sends it to the Certificate Authority.
Certificate Authority (CA)
The certificate authority is the trust anchor of the PK Infrastructure. It receives the certificate request and issues the requested digital certificate, signing it with its own private key. In doing so, it confirms that the public key in the certificate belongs to the verified identity of the holder. It is also responsible for revoking certificates it has issued and publishes those revocations via the certificate revocation list or OCSP.
How does a PKI work?
The functionality of a PKI-based system is similar to the application for an identity card:
The IT administrator of a company first generates a cryptographic PKI key pair and a certificate signing request (CSR). The CSR contains the public key and the requested identity (for a server, its host names) and is signed with the private key, which proves that the applicant actually holds that key. The administrator forwards the CSR, and with it the public key, to the registration authority; the private key stays with the company. This is similar to applying for an ID card, where you submit a form and a passport photo to the registration office.
The registration authority checks the CSR: it verifies the signature on the request and the identity of the applicant. After successful verification, it forwards the request to the certification authority. This in turn issues the certificate (the ID card) and sends it back to the applicant.
The IT administrator installs the certificate, together with the private key that never left the company, on the server or in the company’s corporate PKI infrastructure. Now the company can identify itself when exchanging information over the Internet and encrypt its data traffic.

What is it used for?
The PK Infrastructure uses asymmetric cryptography for encrypting and decrypting. The sender encrypts data with the recipient's public key before sending it, and only the recipient can decrypt it with the matching private key. In protocols such as TLS, the asymmetric keys are used to authenticate the server and to agree on a symmetric session key; the actual traffic is then encrypted with that session key, which is much faster.
This mechanism secures communication between IoT devices, web servers, and applications, each of which presents a trusted certificate. Various industries, from banking to aviation, use it to protect sensitive information. For example:
- SSL/TLS certificates protect web communications by establishing trust between web browsers and web servers.
- PKI-based login ensures that employees can securely access corporate networks.
- Smartwatches, medical devices, and industrial production facilities (OT devices) use PKI authentication.
- Smart cards also transmit their data securely via a PKI (PKI secured). Smart cards are, for example, used as key cards for access control and time recording in companies.
- E-mail PKI encryption and signing (S/MIME) are of particular importance, because e-mail is one of the most common attack vectors. A signature lets the recipient verify who sent a message and that it was not altered, and encryption keeps its content confidential in transit.
Who has a PKI?
Everyone working with PKI-based authentication (PKI auth), encryption methods and certificates needs the appropriate Infrastructure. This can be:
- Corporate PKI (also called private PKI) for internal certificate management
- Internal PKI for restricted-access environments
- PKI software solutions like essendi xc for automated PKI certificate management
You can set it up yourself, for example with Active Directory Certificate Services (Microsoft's PKI), or choose a PKI service provider instead. The provider, for example SwissSign, provides connection options to a pre-configured Managed Public Key Infrastructure (MPKI).
What is a certificate chain?
A certificate chain is the list of all certificates used to confirm a digital identity. The certificate chain always ends at the root certificate issued by the root certification authority (root CA). The root CA is the public trust anchor for all parties participating in a certificate process.
A certificate chain consists of the following components:
Root certificate
Root certificates belong to the root CAs and are closely guarded by them; the root's private key is typically kept offline and used only to sign intermediate certificates. A root certificate is self-signed by the root CA itself, making it the root of the trust tree.
Intermediate certificate
In a certificate chain there is in practice at least one intermediate certificate, but often several. They are the branches of the trust tree: each is signed by the certificate above it and signs the certificates below it, linking the root certificate to the server certificates.
Server certificate
The server certificate (also called the end-entity or leaf certificate) is issued specifically for the domain names that the user wants to secure; they are listed in its Subject Alternative Name extension.
The chain is only trustworthy if you can trace it back without gaps to its origin – the root. This means that you must check and confirm the signatures of all certificates in the chain up to the root certificate. Many operating systems and browsers already ship with a trust store containing the root certificates of the major root CAs, which is why the root itself usually does not need to be sent along; this makes tracing certificate chains easier and faster.
Errors in the certificate chain therefore lead to problems. A certification path is faulty, for example, when
- the chain does not end at a root certificate that the verifier trusts
- an intermediate certificate is missing, so the signatures cannot be traced back without a gap
- the order of the certificates in the bundle is not correct (the server certificate comes first, followed by the intermediates in signing order; many clients tolerate a wrong order, some do not)
- incorrect or too many certificates are included, for example an intermediate from a different CA
- the private key does not match the server certificate (the private key is never part of the chain itself, but it must belong to the public key in the first certificate).
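The application flow from the section "How does a PKI work?" and the chain checks from this section, as an added Go example (standard library only); it is not code from the original article or from essendi. BuildPKI plays all three roles in one process: the applicant generates a key pair and a CSR, the RA verifies the CSR's self-signature as proof of possession, and the CA issues a server certificate under an intermediate that is itself signed by a self-signed root. VerifyChain then plays the browser, trusting only the root. All names (the CA names, www.example.com, the function names, the serial numbers and lifetimes) are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; the private half never leaves its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate describes a CA certificate (root or intermediate); constructed names.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues template under parent with the parent's private key.
func sign(template, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI replays the application flow: applicant key pair and CSR, RA check
// of the CSR's self-signature, issuance by the intermediate CA.
func BuildPKI(hostname string) (root, inter, leaf *x509.Certificate, err error) {
	rootKey, interKey := newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA")
	if root, err = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil { // self-signed
		return
	}
	if inter, err = sign(caTemplate(2, "Example Issuing CA"), root, &interKey.PublicKey, rootKey); err != nil {
		return
	}
	// Applicant: only the CSR (carrying the public key) is sent to the RA.
	serverKey := newKey()
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname}}, serverKey)
	if err != nil {
		return
	}
	// RA: the request must be signed by the very key it carries (proof of possession).
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return
	}
	if err = csr.CheckSignature(); err != nil {
		return
	}
	// CA: issue from the verified request; usage and lifetime follow CA policy, not the applicant.
	leaf, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, csr.PublicKey, interKey)
	return
}

// VerifyChain plays the relying party: trusts only root, uses the presented intermediates.
func VerifyChain(leaf, root *x509.Certificate, presented []*x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	root, inter, leaf, _ := BuildPKI("www.example.com")
	fmt.Println("full chain:          ", VerifyChain(leaf, root, []*x509.Certificate{inter}, "www.example.com"))
	fmt.Println("intermediate missing:", VerifyChain(leaf, root, nil, "www.example.com"))
}
```

When run, the first line is a nil error and the second reports a certificate signed by an unknown authority: the relying party holds only the root, so a server that omits the intermediate leaves a gap in the chain even though every certificate in it is valid. The same VerifyChain call also rejects a host name that is not in the server certificate. In production the three private keys live in separate places (root offline, intermediate in the CA, server key on the server); they are generated in one process here only to keep the example self-contained.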

What are code signing certificates?
A code signing certificate proves the identity of the software publisher. A signature made with the corresponding private key ensures that the software has remained unchanged since the time of signing; operating systems and package installers check this signature before running or installing the software.
Certification authorities issue code signing certificates, which are essential for software distribution and PKI cybersecurity.
What is the difference between Web Of Trust and PKI?
The Web of Trust (“network of trust”) is the alternative trust model to the PKI. The latter follows a hierarchical structure, with the CA serving as the central trust anchor. All other instances participating in the PKI trust this root CA. Protecting the root CA and keeping its private key secret is essential for a PKI.
In WOT, on the other hand, as used by PGP, all participants jointly confirm the authenticity of digital certificates and cryptographic keys. The more participants confirm (sign) a key, the more trustworthy it is. In the Web of Trust, many different participants act as trust centers. They thus replace the CA of the hierarchical PKI model.
PKI encryption is common in corporate environments, while WOT is more popular in smaller, decentralized networks.
Why is essendi xc a valuable PKI tool?
A PKI provides a security solution that adapts reliably to a company’s specific needs. It must be able to map increasingly complex IT landscapes. That is why the human factor also plays a major role here.
A PKI solution must be properly configured to prevent vulnerabilities. This needs some consideration and a wide range of expertise.
With certificate management tools such as the key management software essendi xc organizations can manage certificate lifecycles efficiently. It creates cryptographic keys according to company specifications in the required key length. In doing so, it observes regulatory requirements such as ISO/IEC 27001, BSI Grundschutz or NIST. This avoids user errors.
xc warns in good time before certificates expire. Depending on the settings, it can automatically renew or extend certificates and install them in the target system.
In conjunction with the CT-Log Monitor, it detects forged certificates. If necessary, it can automatically revoke and replace them. Manual setup configurations often require significant time and come with hidden risks. In contrast, essendi xc offers flexibility from the start.
This allows it to adapt quickly, easily, and securely to changing requirements.
Curious about essendi xc? Schedule a live demo here.