PKI – Public Key Infrastructure

Establishing Trust in a Digital World

PKI – Establishing Trust in a Digital World

Trust is essential in today’s modern society where people, devices and things interact on a daily basis within a corporate network or online as we all shop, bank, update our status via social media and use online products and services. In a world where every business and government are striving to e-enable processes in order to streamline and make processes efficient and green, it is important to consider on what basis can you trust who you are transacting with.

Public Key Infrastructure or PKI is a trust infrastructure that issues and manages digital, cryptographically secure credentials to people, devices and things that enable electronic transactions to take place. PKI provides integrity, authenticity and protection of digital information and transactions.

Modern life and the digitisation of business processes cannot function without the trust services that are enabled by the use of PKI. PKI forms a fundamental part of the trust infrastructure that issues, manages and distributes the digital identities used in so many of the commercial and organisational processes we take for granted.

A PKI provides users and organisations with

Digital credentials that secure information in transit and at rest

Frictionless authentication of people, devices and things

Data integrity and fraud protection

No other IT security system in the world underpins as many diverse use cases as PKI. Listen to Ascertia’s CTO, Mike Hathaway, talk about how PKI keeps business flowing.

What is a PKI?

A PKI consists of roles, policies, procedures, hardware, software and a physically secure facility. When built to industry best practice, a PKI can be trusted to generate, manage, distribute, store, use and revoke digital certificates and their corresponding cryptographic keys.

A PKI’s main components are:

Certificate Authority (CA) – stores, issues and signs the digital certificates
Registration Authority (RA) – checks and registers the identity of users’ digital certificates
Central Directory – where users keys are securely stored and indexed
Revocation Services – a means of checking to see if a digital certificate can no longer be trusted
Certificate Management system – access and distribution of stored digital certificates
Policy – sets out the PKI’s requirements and procedures

Each end entity in a PKI generates at least one pair or cryptographic keys – a public and a private key, the public key is embedded into a certificate that is digitally signed by a Certification Authority. Each key that is generated has a “key usage” and an “extended key usage”, these enable the keys and corresponding certificates to be used by applications for certain usage, examples include: digital signature, client authentication, smartcard logon etc.

Information Protection / Encryption

Information can be encrypted with a user’s public key\certificate which can then only be decrypted by the holder of the private key.

Data Integrity / Digital Signature

Information can be digitally signed by the holder of a private key and then verified by recipients using the signers public key.


Digital Certificates can be used to authenticate a server to which your web browser will send information securely, this is called Server Authentication. Digital Certificates can also be used to authenticate a client to a server or other back end process or application such as a wireless network or VPN.

Why is PKI important for business and government?

In this ever-changing world, organisations must ensure the security and integrity of information and the secure identification of people, devices and things. Digital Certificates issued from Certification Authorities that are part of a PKI trust infrastructure offer businesses the highest level of security credentials.

PKI addresses multiple business challenges such as integrity, authenticity and information protection.

What are PKIs used for?

Examples of a PKI in action include:

Wireless network authentication for devices
VPN / Remote access – securing access to BYOD and corporate networks, public Wi-Fi networks
E-commerce / TLS Server for secure online web browsing, banking, retail and gaming
Document signing and long-term evidential signatures and validation
e-Passports for electronic identities and border control
Code signing – applications will not install unless code is signed

Is PKI still relevant?

PKI has never stopped being relevant, it was support within business applications that was missing. In fact, PKI was years ahead of its time and it’s worth remembering some of the key business challenges PKI helps to address are integral to everyday digital activities – authenticating people, devices and things.

In the early 2000’s, Software-as-a-Service (SaaS) didn’t exist and so applications and security were provided by the enterprise, apps were inside the corporate network and users connected to the network via a cable.

The world is very different now and the IT landscape has changed significantly. Many users are working remotely, and businesses are using a mixture of in-house and cloud based applications and infrastructure to provide access to data anywhere, at any time.

This data needs to remain secure and the only technology currently available to address complex high security requirements is the PKI – Public Key Infrastructure.

How do I set up a PKI?

Setting up a PKI requires a mixture of roles, policies, hardware, software and procedures. To successfully set-up a PKI, policy and procedure are paramount.

Installing technology is easy and CAs are often installed for individual projects without much thought, which is why many organisations suffer from certificate management challenges.

This issue can be solved with a centralised trust infrastructure built to best practice and a standardised policy along with the use of specialist technology such as Hardware Security Modules to manage and secure certificates.

Organisations including ICAO, NIST, ETSI and CA Browser Forum provide guidance PKI standardisation and the minimum configuration requirements.

Depending on your requirements you will need to consider whether or not you need public or private trust, or both.

There are many Trust Service Providers who operate PKI and digital signature services to help organisations build and operate PKIs.

Best practice enterprise PKI deployments

Organisations should build a central policy authority and centralised certificate service to govern the issuance and management of keys and certificates to reduce non-compliant certificate issuance.

The certificate management team would also be responsible for establishing a hierarchy of Certification Authorities within the business. Built under the organisation’s security policy, the team would own a Certificate Policy and Certificate Practice Statement – these are industry standard documents that provide security and operational guidance on how the certificate services should be built, operated and how end entities should perform enrolment and renewals.

Organisations should also look to establish a preferred supplier(s) for the issuance of public / internet facing TLS (Transport Layer Security) certificates and publicly trusted certificates to support digital signature services for individuals, organisation seals and B2C use cases.

We enable our customers to digitally sign & protect documents & transactions, helping them to streamline business processes and provide trusted identity assurance.

We enable our customers to digitally sign & protect documents & transactions, helping them to streamline business processes and provide trusted identity assurance.

Ascertia’s PKI Solutions

Ascertia has always focused on developing high-trust PKI and electronic signature solutions with clear adherence to industry standards including IETF, ISO, ETSI, W3C, OASIS & CSC.

The Ascertia PKI consists of two strategic products, ADSS Server and ADSS Web RA. Both products work together to provide the key components an organisation needs to deliver trust services for new and existing PKI offerings.

ADSS Server has been designed and built as a framework product that delivers high-trust core PKI services, ePassport, digital signature creation and verification, plus evidence archiving and other services. All ADSS Server service modules leverage the same well-proven, high-trust, high-availability, high-security management features.

ADSS (Advanced Digital Security Services) Server is a world-class security server that delivers trust services to e-business processes and documents. It provides the broadest range of cryptographic services in the world. These include local and remote signing, verification, timestamping, long-term archiving, plus core PKI services including CA services, Attribute Authority services, and validation using CRL, OCSP, SCVP and XKMS standards.

Ascertia’s solutions are used by many high-trust industries including governments, defence, banking and finance and pharmaceuticals.