Wikipedia defines public key infrastructure (PKI) as:
A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email.
Should we break that down?
“facilitate the secure electronic transfer of information”
We also explained what a digital certificate is in the article “x509, keys, certs oh my”.
That leaves us with the functions:
Also, these needed features:
- a set of roles,
The combination of the above features, which provide the above-listed functions using a digital certificate with a public and private key pair, is what makes a PKI, or Public Key Infrastructure.
We’ll start with the functions of a PKI.
This is simple enough: a PKI system needs to generate a Certificate Authority and corresponding client (people/machine) certificates that comply with the X.509 standard.
It’s hard to know what’s referred to here. Most likely, the term management is being used to mean the basic CRUD operations: Create, Read, Update, and Delete. This makes sense if you consider the requirement for the store function.
This is a nice-to-have; a distribution function is not an actual requirement for a working PKI system. The need addressed here is that once a certificate is created by the CA, it will likely need to be used on a different computer. There are many ways to accomplish this, depending on your intended destination. The PKI system may not have every distribution method available. However, if the PKI system has a few of the most common methods, that would be an excellent distinguishing characteristic to use as a selection criterion.
This seems self-explanatory and straightforward. Not only does the PKI system need to be usable, it also needs to create digital certificates that are usable.
As mentioned, the PKI system is used to create certificates. It has to store not only those certificates for distribution to another person or computer, but also relevant metadata about all the certificates the Certificate Authority has signed.
This is a feature of the Certificate Authority, which is a component of the overall PKI system. Sometimes certificates can be compromised. If this happens, that certificate and, in effect, the keys that correspond with it are rendered invalid by the Certificate Authority. This invalidation, performed through a process called certificate revocation, is a topic we plan to cover in more depth in a future article.
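The create, store and revoke functions described above can be walked through end to end with the OpenSSL command line. This is an added example, not part of the original article; the CA and client names, file names and lifetimes are constructed for the demo, and it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and path here is constructed for the demo.
pki_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  mkdir certs && : > index.txt && echo 1000 > serial   # the CA's store
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = certs
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  # Create: a self-signed CA, then a client key and signing request.
  q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt || exit 1
  q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client.example.test" -keyout client.key -out client.csr || exit 1
  # Issue: the CA signs the request and records it in index.txt.
  q openssl ca -batch -config ca.cnf -in client.csr -out client.crt || exit 1
  s1=$(cut -c1 index.txt)          # V = valid
  q openssl verify -CAfile ca.crt client.crt && v1=accepted || v1=rejected
  # Revoke: mark the entry, publish a CRL, and verify against it.
  q openssl ca -config ca.cnf -revoke client.crt || exit 1
  q openssl ca -config ca.cnf -gencrl -out ca.crl || exit 1
  s2=$(cut -c1 index.txt)          # R = revoked
  q openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt \
    && v2=accepted || v2=rejected
  echo "$s1:$v1 $s2:$v2"
)
pki_demo   # prints: V:accepted R:rejected
```

The revoked certificate is only rejected because the verifier was handed the CRL and told to check it (`-crl_check`); a relying party that never fetches revocation data would still accept it until it expires.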
Next, we will elaborate on the features: roles, policies, and procedures.
We already mentioned the role the CA plays in creating a certificate and establishing trust between the two parties. Roles you may find in your administration are “people who can ask for a cert”, “people who can approve requests for certificates”, and maybe “people who make the PKI system work”. A good PKI system has these different roles, which results in a PKI system that can be managed effectively.
Many complex mathematical and cryptographic components are used to create digital certificates. Over time these components are upgraded to remove bugs and improve performance. Policies in a PKI system define which version or level of these components to use.
A PKI system is a complex system of moving components. As with all complex systems, specific procedures need to be followed to produce the desired results. An excellent PKI system significantly reduces the complexity of these procedures, to avoid introducing risk to your company.