What Is PKI? The Ultimate Guide to Public Key Infrastructure

PKI is the trust framework that enables certificate-based authentication, encryption, and secure communication across modern networks.

PKI explained: trust chains, certificates and encryption
Key Points
  • PKI enables certificate-based authentication mechanisms that can replace passwords in specific implementations such as EAP-TLS or mutual TLS.
  • Implementing PKI authentication is crucial for a modern security framework, but it's a complex, time-consuming task if done in-house.
  • Fully managed cloud PKI solutions are scalable and secure and eliminate the complexity of traditional PKIs.

Public key infrastructure (PKI) is critical for modern network security. PKI enables passwordless authentication and encrypted communication, and the framework is listed by organizations such as CISA, NSA, and NIST as foundational for a modern, continuous-trust security framework.

PKI certificates are complicated, and even very senior security admins may find them difficult to understand.

“Cloud PKI services exist because PKI is just really hard to do in a safe, secure way. There are hundreds of pages of documentation showing how you might set up a legacy PKI like Active Directory Certificate Services in an insecure way just by using the default settings. There are tons of vulnerabilities that can happen if you don’t set it up right.”

Micah Spady, Director of Product Marketing at SecureW2

This comprehensive PKI guide covers:

  • What is PKI?
  • How does PKI work?
  • Why is PKI so important?
  • Why can PKI be so difficult to manage on your own?

What Is PKI?

Public key infrastructure (PKI) is the set of processes and technologies that manage digital certificates and public-key encryption. A digital certificate, or PKI certificate, enables secure digital communication by acting as a digital passport to bind a public key to an entity such as a device, person, or server.

Info: At a very high level, the purpose of PKI infrastructure is to allow organizations to use encryption for their various security needs

It provides phishing-resistant authentication for applications or Wi-Fi and enables your web servers to communicate in encrypted tunnels.

PKI infrastructure and digital certificates are fundamental and technologically advanced components of cybersecurity. We’ll break down how they work in the following sections.

What Is a PKI Certificate?

A PKI certificate can be thought of as a passport. It’s a phishing-resistant form of verifying your identity with a trusted third party and one of the best ways to ensure authentication mechanisms are phishing resistant.

This digital certificate lives on your device and is presented to systems during authentication. One common way digital certificates are used is to show an Identity Provider (IdP) like Microsoft Azure or Okta that you are a particular user using a specific device. The below video explains how PKI works at a high level:

What Are the Components of Public Key Infrastructure?

The components of a public key infrastructure can vary, due in part to recent development in the field of PKI certificates. One common perspective is that the components of a public key infrastructure comprise everything your organization needs to manage the entire certificate lifecycle. We consider these components to be critical parts of a modern public key infrastructure:

  • Certificate authority (CA)
    • Root certificate authority
    • Intermediate certificate authority
  • Certificate templates
  • Certificate lifecycle management
    • Certificate policies
  • Hardware security module

In the following sections, we’ll summarize each of these PKI components.

Certificate Authority (CA)

A certificate authority (CA) is trusted to issue digital certificates that confirm the subject listed on the certificate owns the associated the public key. The client first generates a public-private key pair. Then, the public key and information to be added to the certificate are sent to the CA. The CA creates a digital certificate consisting of the user’s public key and certificate attributes and signs the certificate with its private key.

The certificate trust chain is a multi-level hierarchy of trust. You can trace the chain from the client’s certificate all the way back to a single Root CA. Every chain ends with a person (or company) from which all trust is ultimately derived. This diagram shows how a certificate chain is structured:

Example of how the PKI certificate trust chain works.

Root Certificate Authority: A root certificate authority (Root CA) is a trusted CA that is entitled to verify the identity of a person and signs the certificate that is distributed to a user. The security of your Root CA must be paramount. If a Root CA is compromised, then your entire PKI system cannot be trusted.

Root CAs do not issue your end user’s digital certificates directly but instead issue Intermediate CAs that subsequently issue the client certificates. Since Root CAs are so important they are almost always stored in a very secure manner, away from the public internet.

Intermediate Certificate Authority: An intermediate certificate authority (Intermediate CA) is also a trusted CA and is used as a chain between the Root CA and the client certificate. Since the Root CA has signed and trusts the Intermediate CA, certificates that are generated from the Intermediate CA are trusted as if they were signed by the Root CA.

Note: As a best practice, always issue certificates from an Intermediate CA.

Certificate Templates

Certificate templates are used to determine how a certificate is structured and what it will be used for. For public key infrastructures such as Active Directory Certificate Services (AD CS), certificate templates are enormously important and dictate much of the permissions required for receiving a certificate and what it will be used for. Exploiting a misconfigured certificate template in AD CS is one of the most common compromises.

Below is an example of a Default Certificate Template in the SecureW2 PKI. You can see attributes such as Validity Period, Signature Algorithm, Extended Key Usage (EKU, or what the certificate will be used for), and much more.

A screenshot of the SecureW2 PKI showing the Default Certificate Template.

How Does Public Key Infrastructure Work?

A PKI certificate system enables organizations to generate cryptographic key pairs based on mathematically hard problems (such as integer factorization or elliptic curve discrete logarithms).

Cryptography underpins much of the secure transfer of information in the modern world, from logins to ecommerce, email exchanges, and IoT communication.

Cybersecurity specialists depend on data encryption to protect information moving across vulnerable networks by scrambling readable data into an unrecognizable format. Decryption reverses that process, restoring the original content for authorized recipients. Together, encryption and decryption form the foundation of trustworthy digital communication.

There are two types of encryption:

  • Symmetric
  • Asymmetric

PKI uses asymmetric encryption. Here’s a quick explanation of both types of encryption, and why asymmetric is the more secure option:

Symmetric Encryption (Private Key Cryptography)

Symmetric encryption uses a single key to encode a message. The message can only be decoded by someone who has their own copy of the key. This works great in theory, but the moment that single key is compromised, every packet is easily decoded by anyone with a copy of the key.

Asymmetric Encryption (Public Key Cryptography)

Asymmetric encryption, also known as Public Key Encryption is the more secure method used in public key infrastructure. It uses two keys, a private key and a public key. Messages are encoded with a public key, which is shared and available to anyone, but only the person with the private key can decode the message.

Note: Proper key management is not an ancillary concern within these systems. It is a core requirement, and it sits at the heart of any well-implemented cryptographic framework, ensuring that as networks scale the underlying data stays protected against unauthorized access.

Example of Asymmetric Encryption

The classic way of explaining asymmetric encryption is the Alice and Bob diagram.

A diagram showing how asymmetric encryption works, using Alice and Bob as an example.

PKI infrastructures achieve strong asymmetric encryption using clever mathematics. The process involves taking two huge prime numbers (on the order of 2^512) and factoring them, though the full explanation is much more complicated. These two videos help explain the math behind PKI in more detail:

Why Is PKI Infrastructure Important for Cybersecurity?

PKI infrastructure matters for cybersecurity because it binds identities to public keys using certificates issued by a trusted certificate authority as a source of truth. When integrated with authentication systems such as 802.1X, VPN gateways, or mutual TLS, PKI enables strong identity validation before access is granted. This added security ensures only the identities who are authorized to access resources can do so.

Here’s how PKI encryption enhances network security in an organization:

Validates Trustworthiness of Users and Devices

Each user or device is issued a PKI certificate by a trusted CA, which confirms their identity. When they attempt to access the network they prove their identity by confirming possession of the private key without needing to reveal it.

This process makes it much harder for attackers to impersonate someone or use stolen credentials.

Leverages EAP-TLS in a WPA2-Enterprise Network

Digital certificates provide enhanced security for mutual EAP-TLS 802.1X authentication on a WPA2-Enterprise network. They provide the framework for the EAP-TLS protocol, which enables faster and more secure authentication through mutual authentication between clients and servers.

Protects Remote Cloud Environments

With certificate-based 802.1X authentication, users and devices can connect to a remote server without the risk of stolen or leaked passwords that could compromise the entire network.

A certificate management system tied to a PKI automates the certificate lifecycle for managed, BYOD, and guest devices. This allows administrators to continuously monitor who has access to both wired and wireless networks. Combining certificate management and PKI ensures only authorized personnel can access specific data and applications, preventing unauthorized access to confidential information.

These are the key differences between a password-based network and a PKI-based network:

Features Password-Based Network PKI-Based Network
Security Risk Shared keys come with a high risk of phishing, brute force, and man-in-the-middle attacks. No pre-shared keys lowers risk.
Authentication Factor Weaker trust since passwords can be stolen or duplicated. Stronger continuous device trust with certificate-based authentication
User Experience Clunky and needs multiple resets, reset-based disconnects. Certificates can be used until they are revoked or expire.
Context-Based Trust Limited, static device trust. Identity and access-based granular trust model.
Find the network security plan built for your environment.
SecureW2 certificate-based authentication scales from mid-market teams to global enterprise deployments. Compare options and see how our solution can protect you from costly breaches.
Compare Plans →

Certificate Lifecycle Management

Having a system for managing certificates across their entire lifecycle is very important for PKI management. Lifecycle management encompasses all phases of the certificate lifecycle, which can be broken down into the following phases:

  1. Certificate Enrollment: An entity submits a request for a certificate to the certificate authority. An entity can be a person, a device, or even just a few lines of code.
  2. Certificate Issuance: The CA validates the identity of the applicant, which is typically done through credentials or by trusting another CA that has already validated the applicant.
  3. Certificate Validation: During authentication, the RADIUS server validates the certificate against its trust store and checks revocation status using a certificate revocation list (CRL) or Online Certificate Standard Protocol (OCSP) to confirm that the certificate is still valid and hasn’t expired or been revoked.
  4. Certificate Revocation: Certificates are issued with an expiration date. When that date is reached, the certificate will automatically be considered invalid for any authentication attempt. Certificate revocation can occur through a CRL, a Delta CRL, or OCSP.
  5. Certificate Renewal: Instead of automatically being shunted to a CRL, some CAs have settings that renew certificates upon expiration date, which typically involves re-verifying identity. At this time, you can choose to generate a new key pair, effectively making it a totally new certificate.

Effectively managing certificates requires a proper automation tool, a well-secured certificate database, and methods of synchronization between your certificate database and your Identity Provider. Many organizations automate certificate management by using the Intune CA Partner API, which is implemented with the SecureW2 PKI.

Certificate Policies

Organizations can also create automated certificate policies. For example, a policy could revoke certificates when Intune says a device is not compliant or issue a certificate that is given lower levels of authorization.

Certificate policies in general should be aligned closely with existing policies in your Identity Provider or MDM. APIs such as the Intune CA Partner API are great for this, as they extend all of the policies that exist in Intune.

Hardware Security Module (HSM)

A Hardware Security Module isn’t a mandatory component of PKI security, but, when implemented, improves the security of the PKI as a whole. This device protects and manages digital keys and serves as the groundwork for building a secure enterprise PKI. The HSM contributes to managing the complete lifecycle of cryptographic keys, which includes creation, rotation, deletion, auditing, and support for APIs to integrate with various applications.

Experience instant security with average certificate revocation in 3 seconds — Explore SecureW2.

What Is PKI Used For?

A PKI can be used for multiple applications, including Wi-Fi authentication, web application authentication, email security, and VPN. How your organization designs and uses the PKI depends largely on what your security needs are, which vendor you choose, and whether you decide to construct your own PKI.

These are common use cases tied to PKI:

  • Wi-Fi Authentication
  • Wired Security PKI
  • Web Application Authentication
  • VPN Authentication
  • Email Security

Wi-Fi Authentication

PKI enables secure, certificate-based Wi-Fi authentication using the EAP-TLS protocol, which provides mutual authentication. It verifies both the client device and the RADIUS server via digital certificates to prevent unauthorized access and protect data transmitted over the air. This replaces weaker password-based methods with stronger identity verification by using asymmetric cryptography and a trusted CA to ensure only legitimate entities connect to the network.

Wired Security PKI

This secures wired connections through 802.1X port-based authentication, where an 802.1X-enabled switch blocks access until the device presents a valid digital certificate verified against a trusted CA. This in turn enables mutual authentication, preventing unauthorized devices from joining the LAN, and protecting against rogue network access.

Web Application Authentication

A user connecting to a web application will have their identity confirmed by the web application server, in a process similar to Wi-Fi authentication. Since the certificate is signed by the trusted CA, users can gain access to the application.

VPN Authentication

Since VPNs can grant access to critical information, certificates are preferred to passwords for authentication. Usually, the Root/Intermediate CA is stored on the Firewall and once the user is authenticated, a secure tunnel is created to access the network the user is trying to access.

Email Security

Encrypting emails with certificates utilizes the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol. Both the receiver and sender are required to have a certificate signed by the CA to establish trust between the users. S/MIME provides the cryptographic security required to:

  • Guarantee the origin of the message with the digital signature from the certificate
  • Encrypt the message
  • Authenticate the recipient’s certificate to decrypt the message

See PKI in action: Read our case study describing how a community bank deployed PKI across five branches with Secure W2.

Benefits of PKI in a Network Environment

PKIs provide many benefits for environments with many users, including enterprise environments.

Main PKI benefits include:

Improve End-User Experience: Passwords require repeated input and frequent resets. When combined with multi-factor authentication (MFA), the user experience often becomes frustrating.

As more organizations adopt passwordless authentication methods, digital certificates with a PKI are becoming the preferred choice to improve user experience.

Info: The National Institute of Standards and Technology (NIST) prescribes specific frameworks to secure critical data in an enterprise network and the organization strongly recommends using digital certificates with a PKI for Wi-Fi and VPN authentication.

Prevent Breaches Due to Stolen Credentials: When a device attempts to connect to the network, it must prove possession of its private key, which cannot be phished or reused like a password. Even if a malicious actor intercepts the certificate or gains access to the network traffic, they cannot authenticate without the corresponding private key, which remains securely stored and inaccessible.

This cryptographic identity verification ensures only authorized users and trusted devices can access network resources.

Reduce Password-Related Support Tickets: Since digital certificates replace passwords for authentication, users no longer need to remember, reset, or frequently change credentials. Automated certificate issuance and renewal also streamline onboarding and access management, reducing manual intervention and support costs.

Increase Visibility Over Network Access: Unlike passwords, which can be shared or stolen, digital certificates are device-bound and traceable. Detailed RADIUS logs show who and what connected or accessed the network when a device authenticates using a certificate.

The Risks of Poor PKI Management

A PKI can significantly strengthen cybersecurity, but poorly managed PKI certificates can introduce vulnerabilities. As certificates are implicitly trusted after issuance, these vulnerabilities can be even more impactful than those associated with password-based security.

Some of the most common risks are:

  • Certificate expirations: Many certificate authorities issue certificates with an expiration date (often one year or less). If the certificate isn’t renewed before the expiration date, users or identities may be unable to access critical services, disrupting operations and frustrating users.
  • Unrevoked certificates: Certificates are recognized indefinitely until they’re explicitly revoked. Lost devices and employees who leave or change roles can lead to unauthorized access, data leaks, or lateral movement by insiders or attackers.
  • Compromised keys: If a private key is exposed through poor storage, exfiltration via malware, or insider theft, attackers can impersonate the legitimate owner.

Simply having a PKI infrastructure doesn’t automatically ensure improved security. The purpose of a PKI is to issue and manage digital certificates, but how the certificates are issued and managed is important, too. See the benefits of a managed PKI in this video:

PKI Implementation Best Practices for Your Network

Using PKI is an important step toward building a secure network, but organizations need both a vetted strategy and a far-sighted approach for implementation. With digital certificates, your network will be ready for secure communication through identity and context-based device trust.

Note: A PKI alone won’t address security needs unless properly implemented.

  • Use an Intermediate CA for certificate issuance: The Root CA is the main anchor of trust in a PKI and should never be compromised. Organizations should establish an Intermediate CA under their central CA and then separate it based on geographical locations, departments, etc., so the Root CA can remain separate and well-guarded.
  • Automate certificate lifecycle management: Automating certificate management through a managed PKI streamlines certificate enrollment, issuance, renewal, revocation and ongoing maintenance.
  • Perform regular audits and compliance checks: A PKI should maintain an audit trail for all certificates issued, renewed, revoked, and stored in the network. Security teams should regularly monitor these logs to respond quickly to incidents and detect unusual activities. If any unusual incident is detected, they should set up an automated alert to notify security and prevent further access.
  • Integrate PKI with identity and access management (IAM) tools: By integrating PKI with IdPs and MDMs, organizations can use EAP-TLS to strengthen security and link users and devices to certificate-based authentication for identity and access management tools.
    IAM tools ensure that only trusted users and devices can access resources within a network through context-based, granular policies.
  • Protect private keys using hardware security modules (HSMs): Organizations should ensure that the secure root and intermediate keys never leave the hardware security module. There should be limited access and restrictions on viewing and exporting cryptographic keys.
  • Onboard software to authenticate managed and BYODs to a network: Onboarding software automates certificate issuance to managed devices using protocols such as the Dynamic Simple Certificate Enrollment Protocol (SCEP) and Automated Certificate Management Environment (ACME). It also helps BYOD and guest devices self-enroll for certificates and authenticate safely to a network with limited access, preventing unauthorized access.

Automate Your PKI Without the Overhead of On-Premises Infrastructure

Running your own PKI means managing certificate lifecycle, intermediate CAs, revocation infrastructure, and renewal workflows, often with tools that weren’t built for the speed modern environments demand.

The SecureW2 JoinNow Dynamic PKI continuously evaluates device posture using real-time API integrations during certificate issuance, renewal, authentication, and whenever security signals change.

That ensures certificate trust reflects the device’s current security state, not a point-in-time assessment made months earlier.

Eliminate the need for an on-premises CA, revoke certificates in seconds, and deploy a full-stack platform designed to scale across diverse device ecosystems, not just a single MDM vendor.

Our PKI handles the infrastructure so you can focus on strategy. Reach out to us for a free demo of Dynamic PKI today.


Frequently Asked Questions

Is a digital certificate the same as a private key or public key?

No, a digital certificate is not the same as a private or public PKI key. However, it does contain your public key. A digital certificate, which can also be referred to as a PKI certificate, should be thought of as a digital passport, or a driver’s license. A PKI certificate contains a customizable amount of information. Common attributes encoded in a PKI certificate are email addresses, first and last names, the groups a user is associated with in the Identity Provider, the serial number of the device, an Azure Device ID, and other bits of identifiable information.

What are the core cryptographic algorithms behind PKI?

PKI relies on a combination of asymmetric (public-key) algorithms for secure key exchange, digital signatures, and certificate signing, plus symmetric algorithms for fast, efficient encryption after establishing trust.

While modern PKI increasingly favors efficient options such as elliptic curve cryptography (ECC/ECDSA), legacy options including RSA for signing and key exchange, DSA for signatures, Diffie-Hellman for secure key agreement, and AES-256 for session encryption, remain widely used or historically important.

Here are some key cryptographic algorithms you’ll encounter in PKI systems today:
● AES 256 Encryption
● Diffie-Hellman
● RSA Key Exchange
● DSA

What is a TLS cipher suite?

A TLS cipher suite defines the combination of key exchange, authentication, encryption, and message authentication algorithms used during a TLS session. Before TLS, SSL was the go-to protocol.

Some wrappers only support certain versions of TLS, whereas the SecureW2 wrapper supports any version of TLS, except TLS 1.0, which has growing vulnerabilities, when onboarding a user’s device.

What is Microsoft PKI?

Microsoft offers a commonly used PKI called Active Directory Certificate Services (AD CS). It was designed to work with Microsoft environments like Active Directory (AD), Network Policy Server (NPS), and Group Policy Objects (GPO) that historically dominated IT infrastructures.

While AD CS is still in use, many organizations are moving away from it due to the limitations that come with being designed for legacy infrastructure. It requires a lot of human resources to deploy and maintain, and everything needs to be on-premises, which can prevent organizations from moving to an all-cloud environment.

Does EAP-TLS use a PKI?

EAP-TLS does use PKI. EAP-TLS is a WPA2-Enterprise network protocol used for encrypted, certificate-based authentication. As a user connects or enrolls to the secure network, EAP-TLS authentication confirms the identity of the user and the server in an encrypted EAP tunnel that prevents outside users from intercepting credentials or other information sent over-the-air. They can safely transmit data through the tunnel, resulting in a fast, secure and successful authentication.

Why are certificates essential for securing AI agents and non-human identities?

Certificates provide a hardware-bound, cryptographically verifiable identity for AI agents, services, and workloads, making them far more secure than API keys or tokens. In AI-driven environments, where autonomous agents interact with multiple systems, certificates ensure that only trusted, authenticated entities can access sensitive data or services.

Unlike static credentials, certificates support mutual authentication, short-lived identities, and automated lifecycle management, which are critical for dynamic AI systems. This makes them the standard authentication mechanism for non-human identities, enabling continuous enforcement across machine-to-machine communication.

How does certificate-based authentication work in AI systems using SPIRE?

In a typical AI architecture, each device or workload first presents its initial certificate to a SPIRE server. The SPIRE server then validates this identity and issues ephemeral (short-lived) certificates to AI agents and services.

These short-lived certificates are often valid for minutes or hours and are used for secure, continuous authentication between agents and services. This ensures that:
● Only authorized workloads can communicate
● Access is dynamically verified (no one-time authentication)
● Compromised identities have limited exposure due to short lifespans

This model enables scalable, continuous security for AI ecosystems, where identities are constantly verified and tightly controlled.