Tags: PKI, public key infrastructure, digital certificates

    What is PKI? A Plain-English Guide

    PKI explained: how digital certificates, certificate authorities, and public/private keys work together to secure modern enterprises.

    Schutz IT · 15 October 2025 · 4 min read

    Public Key Infrastructure (PKI) is the framework of policies, hardware, software, and procedures that issue, manage, distribute, and revoke digital certificates. If your organization runs websites, signs code, authenticates users, or encrypts email, you are already relying on PKI — whether you manage it directly or not.

    The Core Idea: Two Keys Instead of One

    Traditional shared-secret cryptography breaks down at scale: every pair of users needs a unique secret. PKI uses asymmetric cryptography — each identity holds a mathematically linked pair:

    • A public key anyone can see
    • A private key only the owner ever holds

    What one key encrypts, only the other can decrypt. That property powers both confidentiality (encrypt to my public key, only I can read it) and authenticity (I sign with my private key, anyone can verify with my public key).

    Why Certificates Exist

    Public keys alone don't prove identity. A digital certificate binds a public key to a subject (a person, server, or device) and is signed by a trusted Certificate Authority (CA). When your browser sees a certificate from schutzit.com, it checks the CA's signature against a built-in trust store. No trusted signature, no padlock.

    The Building Blocks of an Enterprise PKI

    1. Root CA — the offline anchor of trust. Stored in an HSM, used rarely.
    2. Issuing CAs — online subordinates that sign day-to-day certificates.
    3. Registration Authority (RA) — validates requests before signing.
    4. Certificate revocation — CRLs and OCSP so compromised certs can be rejected.
    5. Lifecycle automation — discovery, renewal, and rotation before expiry.

    Common Use Cases

    • TLS/SSL for websites and APIs
    • Mutual TLS (mTLS) between services
    • Code signing for software releases
    • Document and email signing (S/MIME)
    • Device identity for IoT and zero-trust networks
    • Smart-card and certificate-based user authentication

    Where Most PKI Programs Go Wrong

    • Expired certificates taking down production
    • Sprawling shadow CAs with no central inventory
    • Weak key protection outside of HSMs
    • No revocation strategy when a key is compromised
    • Manual renewal processes that don't scale past a few hundred certs

    A well-run PKI is invisible. A poorly run one is the root cause of your next outage.

    Next Steps

    If you're inheriting a PKI you didn't build, or planning a new one, start with discovery: every cert, every CA, every expiry date. From there, decide what to automate and what to retire.