What is PKI?
Public Key Infrastructure (PKI) is one of the most important technologies in modern cybersecurity, yet most people have never heard of it. Every time you log into online banking, send a signed email, connect to a corporate VPN, or see the padlock icon in your browser, PKI is working behind the scenes to make that interaction secure.
PKI is the framework of technologies, policies, and procedures that manages the creation, distribution, and revocation of digital certificates. These certificates verify identities, encrypt data, and establish the trust that digital systems depend on to function. Without PKI, there would be no reliable way to confirm that the website you are visiting is genuine, that the software update you are installing has not been tampered with, or that the person sending you an encrypted message is who they claim to be.
This guide explains how PKI works, what it protects, why organisations need it, and what happens when it is poorly managed.
How PKI Works
At its core, PKI uses asymmetric cryptography — a system built on mathematically linked pairs of cryptographic keys. Each entity (a person, device, application, or server) is issued a key pair:
Public key — shared openly. Used by others to encrypt data sent to the key’s owner, or to verify a digital signature that the owner has created.
Private key — kept secret and never shared. Used by the owner to decrypt data encrypted with their public key, or to create digital signatures that prove their identity.
The security of the entire model relies on the mathematical relationship between these two keys. Data encrypted with a public key can be decrypted only with the corresponding private key, and a signature created with a private key can be verified only against the corresponding public key. Even with access to the public key, deriving the private key is computationally infeasible with current technology.
When you visit a website secured with HTTPS, your browser performs a TLS handshake. During this process, the web server presents a digital certificate containing its public key. Your browser verifies that the certificate was issued by a trusted Certificate Authority, checks that it has not expired or been revoked, and then uses the public key to help establish an encrypted session. All of this happens in milliseconds, entirely invisibly.
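The handshake checks just described, as an added Go example using only the standard library (this is not code from the original page): a self-signed root CA issues a server certificate, and Verify does what the browser does, chaining the certificate to a trusted root, matching the hostname and checking the validity period. It also shows an expired certificate and one signed by an untrusted CA being rejected. The CA name, hostname and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, which keeps this demonstration short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a fresh P-256 key pair for tmpl and has parent sign it; nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewRootCA builds a self-signed root (hypothetical name) entitled to sign certificates.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueServerCert binds host to a new key pair under the CA's signature, valid until notAfter.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, host string, notAfter time.Time) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return cert
}

// Verify is the relying party's check: chain to a trusted root, hostname match, and validity period.
func Verify(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := NewRootCA()
	leaf := IssueServerCert(ca, caKey, 42, "www.example.com", time.Now().Add(time.Hour))
	fmt.Println("genuine:     ", Verify(leaf, ca, "www.example.com"))
	fmt.Println("wrong host:  ", Verify(leaf, ca, "other.example.com"))
	expired := IssueServerCert(ca, caKey, 43, "www.example.com", time.Now().Add(-time.Hour))
	fmt.Println("expired:     ", Verify(expired, ca, "www.example.com"))
	rogue, rogueKey := NewRootCA() // same name as our root but a different key: its signature is worthless
	fmt.Println("untrusted CA:", Verify(IssueServerCert(rogue, rogueKey, 44, "www.example.com", time.Now().Add(time.Hour)), ca, "www.example.com"))
}
```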
The Core Components of PKI
PKI is not a single product or tool. It is an ecosystem of interconnected components that work together to create and maintain digital trust.
Certificate Authorities (CAs)
A Certificate Authority is the trusted entity that issues digital certificates. CAs verify the identity of the requesting party before issuing a certificate, acting as the foundation of the trust chain. Organisations may use public CAs (such as DigiCert, Sectigo, or Let’s Encrypt) for externally facing services, or operate private CAs (using platforms like Microsoft AD CS or EJBCA) for internal systems. Large enterprises often run both.
Registration Authorities (RAs)
Registration Authorities handle identity verification on behalf of the CA. They validate certificate requests, confirm the identity of the applicant, and pass approved requests to the CA for issuance. In many deployments, the RA function is integrated into the CA platform itself.
Digital Certificates
A digital certificate binds a public key to a verified identity. The most common standard is X.509, which contains the subject’s name, the public key, the issuing CA’s signature, a validity period, and information about permitted uses. Certificates act as digital passports — they prove that an entity is who it claims to be. For a deeper explanation, see our guide to digital certificates, SSL/TLS, and X.509.
Certificate Revocation
Certificates sometimes need to be invalidated before their natural expiry — for example, if a private key is compromised. PKI supports this through Certificate Revocation Lists (CRLs), which are published lists of revoked certificates, and the Online Certificate Status Protocol (OCSP), which provides real-time certificate status checks. Effective revocation mechanisms are critical; without them, compromised certificates could continue to be trusted.
Hardware Security Modules (HSMs)
In high-assurance environments, private keys are stored in hardware security modules — dedicated physical devices engineered to protect cryptographic material. HSMs ensure that private keys cannot be extracted, copied, or accessed by unauthorised parties, even by system administrators. They are standard practice in government, defence, and financial services PKI deployments.
How PKI Uses Encryption
PKI relies on two forms of encryption working together:
Asymmetric encryption uses the public/private key pair described above. It is computationally expensive, so it is typically used for short operations: exchanging session keys, creating digital signatures, and authenticating identities.
Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and efficient, making it suitable for bulk data encryption. Algorithms like AES-256 are the standard here.
In practice, PKI combines both. During a TLS connection, asymmetric encryption is used to securely exchange a symmetric session key. That session key then encrypts the actual data flowing between the two parties. This hybrid approach delivers both the trust of asymmetric cryptography and the performance of symmetric encryption.
PKI and Digital Trust
Digital trust is the confidence that users, customers, and systems place in an organisation’s ability to protect data, verify identities, and deliver reliable services. PKI is the technical foundation that makes this possible.
Every time a digital certificate is presented and validated — whether by a browser checking a website, an application authenticating to an API, or a device proving its identity on a network — PKI is establishing trust between parties that may never have interacted before. This trust model scales from a single website to entire national identity schemes. Countries including Estonia, the Netherlands, and Spain issue citizens digital identity cards with embedded PKI certificates, enabling legally binding electronic signatures and secure access to government services.
For organisations, maintaining digital trust means ensuring that certificates are valid, keys are protected, and PKI infrastructure is properly governed. When this breaks down — through expired certificates, misconfigured CAs, or compromised keys — the consequences can range from service outages to full security breaches. For a deeper exploration of why this matters, read our article on the importance of digital trust.
Where PKI is Used
PKI is not confined to IT departments or server rooms. It is embedded across virtually every sector and touches almost every digital interaction. Here are some of the most common applications:
Web Security (HTTPS/TLS)
The padlock icon in your browser signals that the connection is encrypted and the server’s identity has been verified through a PKI-issued certificate. Without this, every online transaction — from shopping to banking — would be vulnerable to interception and impersonation.
Email Security (S/MIME)
PKI enables digitally signed and encrypted email. The sender’s private key signs the message to prove authenticity, and the recipient’s public key encrypts it so only they can read it. This is standard practice in government, legal, and financial communications.
Code Signing
Software publishers use PKI certificates to sign their code. When you install an application, your operating system checks this signature to confirm the software has not been modified since it was published and that it comes from a verified source.
Device Authentication and IoT
In transport, manufacturing, and critical infrastructure, PKI authenticates connected devices — from roadside sensors to aircraft systems — ensuring only trusted devices can communicate on the network. As IoT deployments scale, PKI becomes essential for maintaining device trust at volume.
Government and National Identity
PKI underpins digital identity programmes in central government, enabling secure citizen services, electronic document signing, and remote identity verification. In defence environments, PKI provides the cryptographic backbone for classified communications and secure access control.
Healthcare
PKI protects patient data under regulations like GDPR and HIPAA, authenticates medical devices, and secures the data flows between clinical systems. Our work in healthcare PKI addresses the specific challenges of this highly regulated sector.
Financial Services
Banks and financial services firms use PKI to secure transactions, authenticate customers, protect API communications between platforms, and meet regulatory requirements around data protection and access control.
For more real-world examples, see our article on everyday examples of PKI in action.
Why Organisations Need PKI
Organisations deploy PKI because it solves a fundamental problem: how do you establish trust between digital entities that may never have interacted before?
Without PKI, organisations face:
No identity verification — systems have no reliable way to confirm that users, devices, or applications are who they claim to be, leaving them open to impersonation and man-in-the-middle attacks.
No data integrity — there is no mechanism to detect whether data has been altered in transit, meaning intercepted communications could be modified without detection.
No encryption framework — without a trust model to exchange keys securely, encrypting data between parties becomes impractical at scale.
Regulatory non-compliance — regulations including GDPR, eIDAS, HIPAA, and PCI DSS either explicitly require or implicitly depend on PKI capabilities. Organisations without effective PKI face audit findings, fines, and reputational damage.
PKI also enables zero trust security strategies, where every access request is authenticated and authorised regardless of network location. In zero trust architectures, digital certificates replace passwords as the primary authentication mechanism, providing stronger security and eliminating entire categories of credential-based attacks.
The Challenges of Managing PKI
While PKI is essential, it is not straightforward to operate. Many organisations struggle with:
Scale and visibility — a typical enterprise may have tens of thousands of certificates issued across multiple CAs, cloud environments, and business units. Without centralised visibility, tracking these certificates is nearly impossible. A cryptographic bill of materials can help organisations map their full cryptographic estate.
Certificate expiry — expired certificates cause immediate, visible outages. The Microsoft Teams global outage in 2020, caused by a single expired authentication certificate, is one of the most widely cited examples. With industry moves toward shorter certificate lifetimes (potentially 90-day or even 47-day validity), the margin for error shrinks further.
Fragmented ownership — certificates are often managed by different teams across an organisation with no single point of accountability. Security, infrastructure, development, and operations teams may all issue and manage certificates independently, creating gaps in governance.
Legacy infrastructure — platforms like Active Directory Certificate Services have been the default for many organisations for years, but their limitations around cloud support, automation, and scalability are becoming increasingly problematic in modern environments.
These challenges are why certificate lifecycle management has become a critical discipline. CLM platforms automate the discovery, monitoring, renewal, and revocation of certificates across the entire estate, replacing manual spreadsheets and siloed processes with centralised, policy-driven management.
PKI and Post-Quantum Cryptography
The emergence of quantum computing presents a fundamental challenge to the cryptographic algorithms that PKI currently relies on. Algorithms like RSA and elliptic curve cryptography (ECC), which underpin the vast majority of today’s digital certificates, could be broken by a sufficiently powerful quantum computer running Shor’s algorithm.
While cryptographically relevant quantum computers do not yet exist, the threat is not theoretical. Nation-state adversaries are believed to be executing harvest now, decrypt later strategies — intercepting and storing encrypted data today with the intention of decrypting it once quantum capability becomes available.
NIST has already published post-quantum cryptography standards (FIPS 203, 204, and 205) and set a 2030 deadline for deprecating vulnerable algorithms. Organisations that depend on PKI need to start preparing now by assessing their cryptographic estate, building crypto agility into their architecture, and developing phased migration roadmaps. For more detail, see our guide to preparing your PKI for quantum computing.
Frequently Asked Questions About PKI
What does PKI stand for?
PKI stands for Public Key Infrastructure. It refers to the complete framework of technologies, policies, standards, and procedures used to manage digital certificates and cryptographic keys. The term covers everything from the Certificate Authorities that issue certificates to the governance processes that control how they are used.
What is a digital certificate?
A digital certificate is an electronic document that binds a public key to a verified identity. It is issued by a trusted Certificate Authority and contains the subject’s name, the public key, the CA’s digital signature, and a validity period. Certificates are used to authenticate websites, users, devices, and applications. The most widely used format is X.509. For a full explanation, see our guide to digital certificates, SSL/TLS, and X.509.
What is the difference between a public key and a private key?
A public key and a private key are a mathematically linked pair. The public key is shared openly and used by others to encrypt data or verify signatures. The private key is kept secret and used by its owner to decrypt data or create signatures. The security of PKI depends on the private key remaining confidential — if it is compromised, any certificate associated with it must be revoked immediately.
What is a Certificate Authority (CA)?
A Certificate Authority is the trusted entity responsible for issuing and managing digital certificates. Public CAs issue certificates for externally facing services like websites. Private or enterprise CAs issue certificates for internal systems, users, and devices. Most large organisations operate a hierarchy of CAs, with a Root CA at the top and one or more Issuing CAs beneath it.
Why do certificates expire?
Certificates are given limited validity periods as a security measure. Over time, the risk that a private key has been compromised increases, and cryptographic algorithms may weaken. Expiry forces regular renewal, which acts as a natural checkpoint for key rotation and policy compliance. Industry trends are moving toward shorter lifetimes — with proposals for 90-day and 47-day certificates — which makes automated certificate lifecycle management increasingly essential.
What happens when a certificate expires?
When a certificate expires, any system or service relying on it will typically fail. Websites become inaccessible, applications lose connectivity, encrypted communications break, and users see security warnings. The impact can range from minor inconvenience to major business disruption. Read more about the real cost of expired certificates.
What is the difference between PKI and SSL/TLS?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that use PKI to establish encrypted connections. PKI is the broader infrastructure — the CAs, certificates, keys, and policies. TLS is one of the protocols that consumes PKI certificates to secure web traffic and other communications. Put simply, TLS is a use case for PKI, not a replacement for it.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses a single shared key for both encrypting and decrypting data. It is fast and efficient, suitable for bulk data. Asymmetric encryption uses a public/private key pair — what one key encrypts, only the other can decrypt. It is slower but solves the key distribution problem. PKI combines both: asymmetric encryption securely exchanges a symmetric session key, which then handles the actual data encryption. See our complete guide to encryption for organisations for more detail.
Do small organisations need PKI?
Yes. Any organisation with a website uses PKI (via HTTPS certificates). Beyond that, organisations of all sizes use digital certificates for email security, VPN access, Wi-Fi authentication, cloud service integration, and code signing. The difference is in scale and complexity — a small organisation may rely on public CA services, while a large enterprise operates its own CA hierarchy with tens of thousands of internally issued certificates.
What is a PKI health check?
A PKI health check is a structured assessment of an organisation’s existing PKI environment. It evaluates the architecture, certificate estate, governance processes, key management practices, and technical configuration to identify risks, compliance gaps, and improvement opportunities. It is typically the first step when an organisation wants to understand its current PKI posture or is planning a migration or modernisation programme.
What is certificate lifecycle management (CLM)?
Certificate lifecycle management is the practice of managing digital certificates from issuance through renewal, revocation, and retirement. Modern CLM platforms automate certificate discovery across hybrid environments, monitor expiry dates, enforce policies, and integrate with security tools. As certificate volumes grow and validity periods shorten, automated CLM is becoming essential for operational reliability.
How does PKI support zero trust?
Zero trust architectures require cryptographic proof of identity for every access request, regardless of network location. PKI provides this through digital certificates that authenticate users, devices, and services without relying on passwords or network perimeters. Certificate-based authentication is widely considered the strongest form of identity verification for zero trust. Read our detailed guide on the role of PKI in zero trust security.
Will quantum computing break PKI?
Quantum computing threatens the specific algorithms that PKI currently uses (primarily RSA and ECC), not the concept of PKI itself. Post-quantum cryptography standards have already been published, and PKI infrastructure will transition to these new algorithms over the coming years. The framework of certificates, CAs, and trust hierarchies will remain — only the underlying cryptographic algorithms will change. Organisations should be planning this transition now. See our guide on preparing your PKI for quantum computing.
What is a hardware security module (HSM)?
An HSM is a dedicated physical device designed to generate, store, and use cryptographic keys without ever exposing them. Even administrators cannot extract keys from a properly configured HSM. They are essential for protecting Root CA private keys, meeting regulatory requirements in government and financial services, and providing the highest level of assurance for cryptographic operations.
How do I know if my organisation’s PKI is properly managed?
Signs of poorly managed PKI include: unexpected certificate-related outages, lack of a complete certificate inventory, manual tracking via spreadsheets, certificates issued by unknown or ungoverned CAs, no defined certificate policy or practice statement, and difficulty answering audit questions about your cryptographic estate. If any of these apply, a PKI health check is the logical starting point. Our PKI consultancy team works with organisations across government, defence, and enterprise to assess, remediate, and modernise PKI environments.
How Unsung Supports Your PKI
At Unsung, PKI is all we do. We are a specialist PKI consultancy working across architecture, implementation, migration, and ongoing operations. Our consultants hold SC and DV security clearance, and we deliver across central government, defence, financial services, healthcare, and transport.
Our services include:
PKI health checks — comprehensive assessments of your existing PKI estate to identify risks, governance gaps, and optimisation opportunities.
PKI design and build — end-to-end architecture, technology selection, and implementation for new or replacement PKI environments.
Certificate lifecycle management — consultancy and technical delivery for automated certificate discovery, monitoring, renewal, and revocation.
PKI management and hosting — fully managed PKI operations including 24/7 monitoring, incident response, and compliance support.
Hardware security modules — design, deployment, and integration of HSMs to protect your most critical cryptographic material.
Whether you need to migrate from a legacy platform, prepare for post-quantum cryptography, or simply get control of a certificate estate that has grown beyond manual management, we can help. Talk to our PKI consultancy team to discuss your requirements.

