{"id":12526,"date":"2020-07-14T10:04:14","date_gmt":"2020-07-14T14:04:14","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12526"},"modified":"2024-05-01T13:43:05","modified_gmt":"2024-05-01T17:43:05","slug":"how-pki-works","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/how-pki-works\/","title":{"rendered":"Your Guide to How PKI Works &#038; Secures Your Organization"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-public-key-infrastructure-is-a-key-part-of-your-everyday-life-in-the-cyber-world-it-secures-everything-from-the-login-credentials-in-your-browser-to-the-sensitive-data-you-share-via-email-here-s-a-breakdown-of-how-pki-works\">Public key infrastructure is a key part of your everyday life in the cyber world. It secures everything from the login credentials in your browser to the sensitive data you share via email \u2014 here\u2019s a breakdown of how PKI works<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Public key infrastructure is intrinsic to cyber security. It\u2019s the crust to your pie and the wind to your sail; basically, PKI is one of the things that <em>makes cyber security work<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Public key infrastructure, or PKI, is often talked about as a type of cyber security technology or framework \u2014 but it\u2019s more than that. You likely know that the term relates to encryption, but do you actually know what it does or how PKI works?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re here to answer those burning questions relating to how public key infrastructure works. In the process, we\u2019ll break down the components of the public key infrastructure and <a href=\"https:\/\/www.thesslstore.com\/blog\/pki-uses-applications-examples\/\">how you might already be using PKI<\/a> each day to protect your business and customers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-before-we-can-answer-how-does-pki-work-let-s-first-break-down-what-it-is\">Before We Can Answer \u201cHow Does PKI Work?\u201d Let\u2019s First Break Down What It Is\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before jumping into the nitty-gritty details of how public key infrastructure works, let\u2019s first cover what PKI is to ensure we\u2019re all on the same page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a nutshell, <strong><a href=\"https:\/\/www.venafi.com\/education-center\/pki\/how-does-pki-work\" target=\"_blank\" rel=\"noreferrer noopener\">public key infrastructure<\/a> is a system (based on encryption key pairs and digital certificates) that\u2019s used for securing communications between different computer systems.<\/strong> It\u2019s also a system that helps your organization remain compliant with regulatory data security and privacy requirements and avoid penalties, fines, and reputational loss.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are two things PKI does to secure communications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Authentication<\/strong> \u2014 This ensures that the other party is the legitimate server\/individual that you\u2019re trying to communicate with.<\/li>\n\n\n\n<li><strong>Encryption<\/strong> \u2014 This makes sure that no other parties can read your communications.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To better understand how PKI works, we first need to make this whole process all a more understandable. So, let\u2019s consider the SSL certificate that this website is using as an example. See the padlock icon in your browser? That means this website is using an SSL certificate, which is based on PKI. SSL uses PKI to do two things:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>Your browser authenticates that it\u2019s connected to the correct server that\u2019s owned by thesslstore.com.<\/li>\n\n\n\n<li>All of the data that passes between your browser and our web server is encrypted.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">In a more technical sense, <a href=\"https:\/\/csrc.nist.gov\/Topics\/Security-and-Privacy\/identity-and-access-management\/PKI\" target=\"_blank\" rel=\"noreferrer noopener\">PKI<\/a> is a combination of cryptographic technologies, policies and procedures that you use to secure data in the digital world and to authenticate yourself. The term also relates to the issuance, use, storage, distribution, management, and revocation of digital certificates and keys \u2014 also known as the certificate lifecycle \u2014 as well as the entities that issue them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a roundabout way, what all of this means is that <strong>public key encryption is a two-key (asymmetric) cryptosystem that protects everything you do and the information you send and receive online.<\/strong> From the ecommerce transactions on your website to the emails that you send within your organization that contain sensitive information, the data is secure thanks to PKI<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/searchsecurity.techtarget.com\/definition\/PKI\" target=\"_blank\" rel=\"noreferrer noopener\">main function of PKI<\/a> is to distribute public keys to the right devices, software, and users who need them. <strong>This means that<\/strong> <strong>PKI is all about ensuring that your sensitive data doesn\u2019t fall into the wrong hands.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-nitty-gritty-the-6-key-components-of-pki\">The Nitty-Gritty: The 6 Key Components of PKI<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To better understand how PKI works, you first need to know what&#8217;s involved in it. Of course, there are several critical components within the public key infrastructure \u2014 and we\u2019ll dive into each of these topics more in depth a little later in the article:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>X.509 digital certificates<\/strong> \u2014 These types of certificates include a key, information about the identity of the owner (of the certificate and keys), and the digital signature of the certificate authority.&nbsp;These types of certificates include:\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-website-security-certificate-and-what-does-it-do-for-your-business\/#:~:text=Essentially%2C%20a%20website%20security%20certificate,secured%20using%20an%20encrypted%20connection.\">SSL\/TLS website security certificates<\/a>,<\/li>\n\n\n\n<li>S\/MIME (client authentication) certificates,<\/li>\n\n\n\n<li>Code signing certificates, and<\/li>\n\n\n\n<li>Document signing certificates.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-digital-signature\/\">Digital signatures<\/a><\/strong> \u2014 Digital signatures are what guarantees that a message, file, or data hasn\u2019t been altered in any way. It uses an encrypted hash of a message to ensure the integrity of your data by making it so that nobody can modify the message without the recipient finding out.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.thesslstore.com\/blog\/how-public-private-key-pairs-work-in-cryptography-5-common-examples\/\">Public and private key pairs<\/a> (asymmetric and symmetric)<\/strong> \u2014 PKI works because of the key pairs that encrypt and decrypt data. In asymmetric encryption, there\u2019s a public key that\u2019s shared with everyone and a matching private key that\u2019s kept secret. In symmetric encryption, there is one key that both parties use to communicate.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">Certificate authorities<\/a> (CAs)<\/strong> \u2014 Certificate authorities are what make the whole PKI system trustworthy. CAs verify parties and issue certificates. Without CAs, PKI simply wouldn\u2019t work because anybody could just issue certificates to themselves saying that they\u2019re Amazon.com, Bill Gates, or whomever they feel like impersonating.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/knowledgebase\/ssl-support\/explaining-the-chain-of-trust\/\"><strong>Chain of trust<\/strong><\/a> \u2014 The chain of trust is a series of certificates (root, intermediate, and leaf certificates) that links back to the issuing CA who signed off on it.<\/li>\n\n\n\n<li><strong>Proper <a href=\"https:\/\/www.thesslstore.com\/solutions\/certificate-management.aspx\">certificate management tools<\/a>, policies, processes, and procedures<\/strong> \u2014 This includes the use of a certificate management tools such as a certificate manager.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"758\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-overview.png\" alt=\"A graphic illustration of how PKI works\" class=\"wp-image-12527 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-overview.png 869w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-overview-300x262.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-overview-768x670.png 768w\" sizes=\"auto, (max-width: 869px) 100vw, 869px\" \/><figcaption>Here&#8217;s an overview illustration of how public key infrastructure works.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">If you want more information about <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/\">what PKI is<\/a>, I\u2019d suggest you check out the articles my colleagues wrote about it and how it <a href=\"https:\/\/www.thesslstore.com\/blog\/wide-world-pki\/\">facilitates trusted, secure communication<\/a>. They\u2019ve already done a great job of it, and I\u2019m not trying to reinvent the wheel here.<\/p>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-does-public-key-infrastructure-work\">How Does Public Key Infrastructure Work?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, so now that you know what PKI is and how it relates to public key cryptography, it\u2019s time to talk about what it does and how it does it. There are a few key things to know about how PKI works:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li><strong>PKI authenticates you and your server.<\/strong> It allows your site users\u2019 web browsers to authenticate your server before connecting with it (so they can verify that they\u2019re connecting to a legitimate server). You can also use client certificates to limit access to authenticated users. This gives you greater control over your network and other IT systems.<\/li>\n\n\n\n<li><strong>PKI facilitates encryption and decryption.<\/strong> PKI enables you to use digital certificates and public encryption key pairs to encrypt and decrypt data or the transmission channels you use to send it using the secure SSL\/TLS protocol.<\/li>\n\n\n\n<li><strong>PKI ensures the integrity of your data.<\/strong> PKI lets users, their browsers or their devices know whether the data you send has been tampered with.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, doing any of these things requires the use of public encryption keys that have <a href=\"https:\/\/www.thesslstore.com\/blog\/why-all-the-fuss-about-64-bit-serial-numbers\/\">strong entropy<\/a>. Every key is a randomly generated string of binary numbers \u2014 a random series of 1s and 0s \u2014 that\u2019s used to determine how plaintext transforms into ciphertext. So, when we talk about entropy, what we mean is that the keys are generated with enough randomness that it would take thousands \u2014 if not millions \u2014 of years for even modern supercomputers to guess.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pki-works-by-authenticating-users-and-servers\">PKI Works By Authenticating Users and Servers<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The first part of the PKI process is authentication. Through the use of digital certificates (such as client certificates and SSL\/TLS certificates), you can authenticate yourself, your client, or your server using asymmetric encryption. (Again, asymmetric encryption is that two-key pair of public and private keys.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s consider a simple step-by-step explanation of how authentication works using the following scenario of someone connecting to Amazon.com:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>The web client (for example) connects to the Amazon.com web server to get the server\u2019s certificate and public key.<\/li>\n\n\n\n<li>The client then uses its store of trusted root certificates and the chain of trust to verify whether that site\u2019s certificate was issued by a trusted CA. (Note: The chain of trust is based on digital signatures, which can\u2019t be faked. So, if the trust chain checks out, then your browser can be confident that it\u2019s communicating with the correct server.)<\/li>\n\n\n\n<li>The client then encrypts a piece of data using the certificate\u2019s public key and sends it to the server. If the server can read it, then it proves that the server has the correct private key and that it\u2019s connecting to the right server.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">To facilitate this this process (and to create a secure, encrypted connection eventually), the user\u2019s web client and your server begin what\u2019s known as an <a href=\"https:\/\/www.thesslstore.com\/blog\/explaining-ssl-handshake\/\">SSL or TLS handshake<\/a>. This process, which mitigates the risk of man-in-the-middle (MitM) attacks and eavesdropping, allows the client to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Determine which encryption parameters they can both use,<\/li>\n\n\n\n<li>Authenticate the server (as mentioned above), and<\/li>\n\n\n\n<li>Generate a unique session key that both parties can use to exchange encrypted information.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"897\" height=\"1024\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/SSL_Handshake_10-Steps-1-897x1024.png\" alt=\"TLS 1.2 Handshake; TLS 1.3 handshake\" class=\"wp-image-3366 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/SSL_Handshake_10-Steps-1-897x1024.png 897w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/SSL_Handshake_10-Steps-1-263x300.png 263w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/SSL_Handshake_10-Steps-1-768x876.png 768w\" sizes=\"auto, (max-width: 897px) 100vw, 897px\" \/><figcaption>How PKI works: An illustration of the TLS 1.2 handshake.<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"374\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/TLS_1_3_Handshake.jpg\" alt=\"Graphic of the TLS 1.3 Handshake\" class=\"wp-image-6088 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/TLS_1_3_Handshake.jpg 1000w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/TLS_1_3_Handshake-300x112.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/TLS_1_3_Handshake-768x287.jpg 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><figcaption>How PKI works: An illustration of the TLS 1.3 handshake, which has fewer roundtrips than its TLS 1.2 predecessor.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">But what if the server wants to authenticate you as the user? That\u2019s possible, too. In that case, you\u2019ll need a certificate (a client certificate, or what\u2019s known as an email signing certificate) that\u2019s issued by a CA the server trusts. A similar process happens (but in reverse) with the server checking your digital certificate before allowing you to access the applications or content on the server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pki-works-by-encrypting-data-or-the-connections-that-your-data-transmits-through\">PKI Works by Encrypting Data (or the Connections That Your Data Transmits Through)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The way that public key infrastructure works is that it uses asymmetric, mathematically related keys to encrypt and decrypt data. Basically, we\u2019re talking about taking a message that you can read (plaintext) and scrambling it into an undecipherable format (ciphertext). Then it needs to be unscrambled, or deciphered, when it reaches the other party.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-encryption-works\">How Encryption Works<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">An easy-to-understand encryption is an old-fashioned shift cipher (substitution cipher), or what\u2019s more commonly known as the Caesar cipher.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this type of encryption, plaintext letters \u201cshift\u201d a set number of spaces depending on the secret key. For example, the word \u201cCERTIFICATE\u201d becomes the ciphertext \u201cIKXZOLOIGZK\u201d if your key is \u201c6\u201d because you\u2019ve shifted each letter six spaces.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"983\" height=\"463\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/caesar-cipher-shift.png\" alt=\"Shift cipher or Caesar cipher example graphic\" class=\"wp-image-12528 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/caesar-cipher-shift.png 983w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/caesar-cipher-shift-300x141.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/caesar-cipher-shift-768x362.png 768w\" sizes=\"auto, (max-width: 983px) 100vw, 983px\" \/><figcaption>A basic example of how a shift cipher (Caesar cipher) works.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, this is encryption in one of its most basic forms. Modern cryptographic techniques have come a long way from the days of ancient Rome where notes were delivered by horse or boat. After all, we now have supercomputers and technology on our side to help us encrypt (and decrypt) data, messages, and other sensitive information.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-more-specifically-how-pki-encryption-works\">More Specifically, How PKI Encryption Works<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">The way that encryption works in the PKI context is that data gets encrypted by a public key and decrypted by its corresponding private key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But that isn\u2019t the only trick PKI has up its sleeve. Another function of PKI is that it enables the generation of symmetric encryption keys as well. Although symmetric keys are considered less secure than their asymmetric counterparts, they\u2019re invaluable because they make communication faster and require less processing power. Without diving deep into the details, PKI lets you have the best of both worlds \u2014 the security of asymmetric encryption and the simplicity of symmetric encryption. &nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-to-apply-encryption-to-the-different-states-of-data\">How to Apply Encryption to the Different States of Data<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">When we talk about data states, we aren\u2019t talking about locations. There are three main states of data \u2014 data in transit, data at rest, and data in use. For the purpose of this article, however, we\u2019re just going to talk about two of those data states here. Why? Because even though it\u2019s possible to run computations on encrypted data in use through something called <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-homomorphic-encryption\/\">homomorphic encryption<\/a> (more specifically fully homomorphic encryption), it\u2019s a slow process that doesn\u2019t scale well using current technologies. So, we\u2019re going to put a pin in that one for now and focus on the other two data states.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless of whether or not you know it, encryption is in use all around you to secure data in transit and data at rest:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data in transit<\/strong> (aka data in motion) \u2014 Data in transit encryption creates a secure channel through which information can transmit from one party to another. An example of encrypting data in transit is when you use an SSL\/TLS certificate to encrypt the communication channel between a customer\u2019s browser and your website\u2019s server. This process ensures that users connect to your site using a secure HTTPS connection instead of the insecure HTTP protocol.<\/li>\n\n\n\n<li><strong>Data at rest<\/strong> \u2014 Protecting data at rest encryption involves the use of file or device encryption. A great example of encrypting data at rest is when you use an email signing certificate to encrypt an email before hitting \u201csend.\u201d This encrypts the data of the message itself (and any attachments) so that it even if someone hacks your mail server, they can\u2019t read the message if they don\u2019t also have the corresponding private key. &nbsp;<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"396\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-https-connection.png\" alt=\"How PKI works illustration of an HTTPS encrypted communication channel\" class=\"wp-image-12529 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-https-connection.png 752w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-https-connection-300x158.png 300w\" sizes=\"auto, (max-width: 752px) 100vw, 752px\" \/><figcaption>An illustration of the secure, encrypted communication channel offered by HTTPS.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s an illustration of how installing an SSL\/TLS certificate on a server facilitates a secure, encrypted connection between a website visitor\u2019s client and the web server it connects to.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pki-works-by-ensuring-data-integrity\">PKI Works by Ensuring Data Integrity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most critical aspects of how public key infrastructure works is that it helps to ensure that data comes from a legitimate source and hasn\u2019t been altered in any way. One of the ways it does this is by giving you the ability to apply a digital signature to your email, software, or files. Furthermore, every digital certificate itself is signed using the CA\u2019s private key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, what a <a href=\"https:\/\/www.thesslstore.com\/blog\/digital-signatures-why-you-should-sign-everything\/\">digital signature<\/a> does is inform the user or their client about whether a file, email, or document:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Has been signed by the true, authenticated individual or business, and that it<\/li>\n\n\n\n<li>Hasn\u2019t been modified since it was initially signed.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t worry, we aren\u2019t going to get into all of the specifics of <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-encryption-hashing-salting\/\">hashing and checksums<\/a> here. Frankly, it\u2019s too involved and we still have other things to talk about relating to how PKI works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-validation-and-functionalities-what-each-type-of-digital-certificate-helps-you-to-achieve\">Validation and Functionalities: What Each Type of Digital Certificate Helps You to Achieve<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Digital certificates are the data files that help you (or a client or server) to authenticate to another computer system and protect the integrity of your data. Digital certificates come with different levels of validation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Domain validation is the most basic type of validation.<\/strong> It simply involves a CA verifying that you own or control a specific domain by sending you a link in an email or requiring you to upload files to a specific file of the site\u2019s web server.<\/li>\n\n\n\n<li><strong>Organization validation (OV) offers basic business validation.<\/strong> This process requires an issuing CA to verify information that you provide about your organization using official third-party resources. This way, it can offer assurance that you are who you claim to be.<\/li>\n\n\n\n<li><strong>Extended validation (EV) offers extensive business validation.<\/strong> This is the most in-depth of the three verification processes and requires that your business exists for a minimum of three years and is in good standing. The advantage of using this type of certificate is that it offers the most identity assurance.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">When discussing how PKI works, you have to talk about the data files that are integral to the system. There are several types of X.509 digital certificates that can protect data in different situations, depending on your needs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SSL\/TLS certificates<\/strong> \u2014 These certificates secure data sent to\/from your website and are available in single domain, multi-domain, wildcard, and multi-domain wildcard options.<\/li>\n\n\n\n<li><strong>S\/MIME certificates <\/strong>\u2014 Also known as <a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">email signing certificates<\/a>, personal authentication certificates, and client authentication certificates, these digital certificates offer identity assurance from a trusted third-party CA. They can be used to digitally sign and <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-send-encrypted-email-on-3-major-email-platforms\/\">encrypt emails<\/a> or to authenticate you (as an individual user) to a web server.&nbsp;<\/li>\n\n\n\n<li><strong>Code signing certificates<\/strong> \u2014 If you\u2019re a developer or publisher who wants to offer identity assurance while also showing that your software hasn\u2019t been tampered with, then this is the right certificate for you. These certificates are available with individual validation (IV), organization validation (OV) or extended validation (EV).<\/li>\n\n\n\n<li><strong>Document signing certificates<\/strong> \u2014 Document signing certificates validate that your document hasn\u2019t been tampered with by applying a digital signature to it. (If a file is modified after being signed, a warning message will pop up to warn users.) These certificates can be used to sign a variety of files, including Microsoft Office documents and PDFs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-where-certificate-authorities-fit-into-the-pki-picture\">Where Certificate Authorities Fit Into the PKI Picture<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store-1024x549.png\" alt=\"Screenshot of some of the pre-downloaded trusted root certificates\" class=\"wp-image-12531 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store-1024x549.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store-300x161.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store-768x412.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store-1536x824.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-windows-root-store.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>A screenshot of some of the trusted root certificates that can be viewed in the MMC console.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">When diving into an in-depth topic about how PKI works, then it\u2019s vital to talk about the roles and responsibilities of third-party CAs. A <a href=\"https:\/\/aboutssl.org\/certificate-authority\/\" target=\"_blank\" rel=\"noreferrer noopener\">certificate authority<\/a>, like Sectigo or DigiCert, is a trusted third party that\u2019s responsible for issuing and managing the private keys and certificates that support PKI. (The exception here would be that they don\u2019t see or touch the private keys of leaf certificates [with the exception of EV document and code signing certificates].)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although there are a few dozen CAs in existence around the world, there is only a handful of them that control the lion\u2019s share of the market.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, to be considered publicly trusted, a CA must adhere to a set of baseline requirements that are outlined by the industry\u2019s governing body, which is known as the <a href=\"https:\/\/cabforum.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">CA\/Browser Forum<\/a> (CA\/B Forum).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before a CA can issue any type of digital certificate or private key, they first must verify the information that\u2019s provided by the person or organization requesting it using official sources. They can do this themselves or, in cases where a certificate is ordered via a subordinate CA, this is where a <a href=\"https:\/\/searchsecurity.techtarget.com\/definition\/registration-authority\" target=\"_blank\" rel=\"noreferrer noopener\">registration authority<\/a> (RA) comes into play.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Simply put, an RA is a network authority that acts as an intermediary between CAs and the organizations or individuals who request certificates from them. They\u2019re responsible for handling certificate issuance requests from individuals and organizations like yours on an individual basis and verifying the information you provide. In these scenarios, registration authorities play an integral role in the chain of trust.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-is-the-chain-of-trust\">What Is the Chain of Trust?<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"738\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-certificate-chain-of-trust.png\" alt=\"A screenshot of The SSL Store's certificate chain of trust\" class=\"wp-image-12530\" style=\"width:303px;height:370px\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-certificate-chain-of-trust.png 602w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works-certificate-chain-of-trust-245x300.png 245w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\">A screenshot of the certificate chain of trust for TheSSLStore.com.<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The effectiveness of public key infrastructure rests upon the validity of what\u2019s known as a certificate chain, or the chain of trust. The chain of trust refers to a series of digital certificates that leads back from your individually assigned certificate to the certificate authority who signed off on it. If an RA is involved, they\u2019d be the \u201cmiddleman\u201d between you and the CA.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are typically three components to the chain of trust \u2014 root, intermediate, and leaf (server) certificates. It\u2019s easiest to think of these components in terms of a tree.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">(To view the chain of trust for your SSL\/TLS certificates, click on the padlock icon in your browser, navigate to the certificate information, and click on the \u201cCertificate Path\u201d tab.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-root-certificates-roots-and-trunk-of-the-tree\">Root Certificates (Roots and Trunk of the Tree)<\/h4>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"506\" height=\"686\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-words-trusted-root-example-1.png\" alt=\"\" class=\"wp-image-12533\" style=\"width:303px;height:410px\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-words-trusted-root-example-1.png 506w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-words-trusted-root-example-1-221x300.png 221w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><figcaption class=\"wp-element-caption\">A screenshot of a trusted root certificate.<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">A root certificate, which is also known as a trusted root, is the heart of public key infrastructure. Every CA issues only a handful of root certificates, and they are pre-downloaded into the trust store or root store within most browsers and operating systems. Their corresponding public keys are pre-downloaded as well to a device\u2019s key store.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, why is this certificate so important to PKI? Any certificate that\u2019s signed by a trusted root certificate is considered valid automatically by all of the major operating systems and browsers. Each browser or operating system gets to choose which root certificates to include by default.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-intermediate-certificates-supportive-tree-branches\">Intermediate Certificates (Supportive Tree Branches)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">An intermediate certificate is the go-between (it serves as an intermediary, hence the name) that lies between a trusted root certificate and a leaf certificate. Basically, it\u2019s a buffer between the two that\u2019s issued by an intermediate CA.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because certificate authorities want to keep their root certificates safe, they typically use intermediate certificates to issue the leaf certificates. Since root certificates can be stored offline, this means that once they sign the intermediate certificates, they aren\u2019t needed again and can be kept in a safe location. This helps CAs to ensure that their root certificate private keys are safe and not readily accessible to cybercriminals.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-leaf-server-certificates-leaves-and-smaller-tree-branches\">Leaf (Server) Certificates (Leaves and Smaller Tree Branches)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A leaf certificate, or end user certificate as it\u2019s sometimes called, is basically the certificate that gets issued to your specific domain. This type of cert has a much shorter lifespan \u2014 certificates issued prior to Sept. 1, 2020 have two-year lifespans, whereas any certificates that will be issued on or after that date will be limited to one year.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-for-pki-to-work-proper-certificate-and-key-management-is-a-must\">For PKI to Work, Proper Certificate and Key Management Is a Must<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Although this should go without saying, I\u2019m going to say it anyhow (because, inevitably, someone always misses this memo): <strong>Your certificates are good only for as long as they are valid.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s amazing how many people seem to always miss this memo. If your certificate is invalid \u2014 which could occur due to improper installation or configuration, certificate expiry, or the unlikely revocation by the issuing CA, it means that your website is no longer secure. Even worse, your entire system can go down as a result. Check out our blog \u201c<a href=\"https:\/\/www.thesslstore.com\/blog\/what-happens-when-your-ssl-certificate-expires\/\">This Is What Happens When Your SSL Certificate Expires<\/a>\u201d for a few examples (from brands you\u2019ll recognize!)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless of the reason, it\u2019s important that you stay on top of these issues. You can do this by adhering to certificate and <a href=\"https:\/\/csrc.nist.gov\/News\/2019\/nist-publishes-sp-800-57-part-2-rev-1\" target=\"_blank\" rel=\"noreferrer noopener\">key management best practices<\/a> and by using reliable management tools. These tools provide visibility into your network for all certificates and helps you to track and manage their lifecycles, which involves the issuance, use, storage, distribution, management, and revocation of digital certificates and keys. This way, you can reissue certificates before they expire or stay abreast of any revocations that come down the pipeline.<\/p>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-pki-works-to-protect-your-business\">How PKI Works to Protect Your Business<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For virtually any modern business, having secure communications and access to reliable data are key to your success. But how does PKI work to help secure your business and its invaluable data? Public key infrastructure makes it possible for your organization to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure the communication channel for data that transmits to and from your web server, which makes it more secure in the eyes of Google and other search engines. (You avoid having \u201cnot secure\u201d warnings appearing in users\u2019 browsers when they visit your site.)<\/li>\n\n\n\n<li>Digitally sign and\/or encrypt email communications, which helps to mitigate phishing scams and email-based data breaches<\/li>\n\n\n\n<li>Digitally sign documents (<a href=\"https:\/\/www.thesslstore.com\/blog\/digital-signatures-why-you-should-sign-everything\/\">not to be confused with electronic signatures<\/a>), which ensures the integrity of those docs<\/li>\n\n\n\n<li>Digitally sign software, which affirms that your software is signed by a legitimate authority and that it hasn\u2019t been modified since it was signed<\/li>\n\n\n\n<li>Assert your organizational or individual identity<\/li>\n\n\n\n<li>Control access to only specific users or applications (authentication)<\/li>\n\n\n\n<li>Control which operations a user or application can perform in specific systems (authorization)<\/li>\n\n\n\n<li>Have a trusted third party affirm the integrity of your messages and data (non-repudiation)<\/li>\n\n\n\n<li>Demonstrate to search engines that your website or server securely transmits data<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Just to give you a bit of an idea of what we mean, let\u2019s consider the following example of how PKI works to secure email communications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-pki-secures-and-authenticates-your-email-communications\">How PKI Secures and Authenticates Your Email Communications<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Say you need to send some sensitive information to your colleague, Erica. To do this, you draft up an email, add your attachments, and send it from your email address to hers. This means that any message you send will travel from your outbox to the email server. It will then travel across the internet to her mail server before it gets delivered to her email client\u2019s inbox.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This entire process typically occurs within a few mere seconds. (Unless, of course, you\u2019re waiting for a really important email \u2014 then, for some reason, that email always seems to break from reality and require hours or even days for it to eventually come through [if you receive it at all].) But there\u2019s still one critical thing to keep in mind: Without encryption, any message you send will be sent in plaintext, meaning that anyone who intercepts it can read it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is where public key encryption comes into play. If both you and Erica have properly configured email signing certificates (or what are known as S\/MIME certificates), you can use her public key to encrypt the message before sending it. Using your private key as the sender, you also can digitally sign the email, which she can double-check using your public key to ensure that she knows that it was really you who sent the message and not an imposter. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Without public key infrastructure, none of this would be possible. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-thoughts-on-how-pki-works-and-why-it-s-necessary-for-your-organization\">Final Thoughts on How PKI Works and Why It\u2019s Necessary for Your Organization<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber security is becoming more complex every day. Hackers are finding new avenues of attack as well as new ways to spin old tactic methods. So, it\u2019s now not only a matter of protecting your network and keeping your data out of the hands of hackers, but it\u2019s also a process of gatekeeping as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Public key infrastructure is increasingly at the heart of cyber security for businesses and organizations of any size. Whether you\u2019re looking to protect your own intellectual property or the privacy of your customers, PKI is what helps you to secure and protect the integrity of your data. It\u2019s also what makes authentication possible by having a trusted third party validate your legitimacy.  So, for obvious reasons, knowing how PKI works is essential to keeping the system running as it should.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But for PKI to work as intended, you must properly manage all aspects of the certificate lifecycle. This is a critical responsibility that you can\u2019t take lightly \u2014 your organizational reputation and compliance depend on it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public key infrastructure secures everything from the login credentials in your browser to the sensitive data you share via email \u2014 here\u2019s how PKI works.<\/p>\n","protected":false},"author":17,"featured_media":12534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,16,10200],"tags":[12691,228,8416],"class_list":["post-12526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-hashing-out-cyber-security","category-monthly-digest","tag-featured","tag-pki","tag-public-key-cryptography","post-with-tags"],"views":44392,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/07\/how-pki-works.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12526"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12526\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12534"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}