Status: Scaffold — content in progress
Public Key Infrastructure (PKI) is the system of CAs, certificates, policies, and procedures that enables trusted digital identity based on asymmetric cryptography.
Core Components
| Component | Role |
|---|---|
| Root CA | Trust anchor — its certificate is in OS/browser trust stores |
| Intermediate/Issuing CA | Issues end-entity certificates with its own key; its own CA certificate is signed by the Root CA key |
| Certificate | Binds a public key to an identity; signed by CA |
| CRL / OCSP | Revocation — CRL is a CA-signed list of revoked certificate serials; OCSP answers a status query for a single certificate |
| Key Pair | Private key (secret, held by entity) + Public key (in certificate) |
Certificate Fields (X.509)
| Field | Description |
|---|---|
| Subject | Identity the certificate represents |
| Issuer | CA that signed it |
| SAN (Subject Alternative Name) | DNS names, emails, UPNs, IPs |
| EKU (Extended Key Usage) | What the cert can be used for: TLS, client auth, code signing |
| Validity Period | Not Before / Not After |
| Public Key | The public key being certified |
| Signature | CA's signature over certificate content |
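The two tables above describe the hierarchy (root, issuing CA, end entity) and the fields a relying party checks. The following Go program is an added example, not part of this page or of any PKI product, that builds that hierarchy in memory with the standard library `crypto/x509` package and then runs path validation the way a TLS client does: signature chain up to the trust anchor, validity period, SAN match, and EKU match. All names (`Example Root CA`, `Example Issuing CA`, `www.example.test`) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key pair for tmpl and signs tmpl with parentKey.
// A nil parent means the certificate is self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chain is a three-tier hierarchy: root (trust anchor), issuing CA, end entity.
type chain struct {
	root, inter, leaf *x509.Certificate
}

// buildChain creates the hierarchy with constructed names. The leaf's private
// key is discarded because path validation needs only the certificates.
func buildChain() (*chain, error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// The issuing CA's own certificate is signed by the root key; the issuing
	// CA then signs end-entity certificates with its own key.
	inter, interKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathLenConstraint=0: may not issue further CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed
		DNSNames:     []string{"www.example.test"},             // SAN: the name relying parties match
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // EKU: TLS server only
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &chain{root: root, inter: inter, leaf: leaf}, nil
}

// verify performs relying-party path validation of the leaf: signatures up to
// the trusted root, validity at time `at`, SAN match against dnsName and EKU
// match. withIntermediate controls whether the issuing CA certificate is
// available to the verifier (TLS servers normally send it with the leaf).
func (c *chain) verify(dnsName string, eku x509.ExtKeyUsage, at time.Time, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.root)
	inters := x509.NewCertPool()
	if withIntermediate {
		inters.AddCert(c.inter)
	}
	_, err := c.leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{eku},
		CurrentTime:   at,
	})
	return err
}

func main() {
	c, err := buildChain()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("valid chain:    ", c.verify("www.example.test", x509.ExtKeyUsageServerAuth, now, true))
	fmt.Println("wrong host:     ", c.verify("other.example.test", x509.ExtKeyUsageServerAuth, now, true))
	fmt.Println("wrong EKU:      ", c.verify("www.example.test", x509.ExtKeyUsageClientAuth, now, true))
	fmt.Println("expired:        ", c.verify("www.example.test", x509.ExtKeyUsageServerAuth, now.Add(2*365*24*time.Hour), true))
	fmt.Println("no intermediate:", c.verify("www.example.test", x509.ExtKeyUsageServerAuth, now, false))
	fmt.Println("leaf under root directly:", c.leaf.CheckSignatureFrom(c.root))
}
```

Only the first call returns nil; each of the others fails on exactly one of the checks the Certificate Fields table lists (SAN, EKU, validity period, or an incomplete signature chain). The last line shows why the issuing CA's certificate must be present: the leaf's signature was made with the issuing CA's key, so it does not verify under the root key directly.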
Enterprise PKI Roles
- Microsoft ADCS: internal PKI for Windows environments (machine certs, user certs, smart card logon)
- Certificate-based auth: Kerberos PKINIT (smartcard/cert → TGT without password)
Cross-Links