Learn PKI fundamentals through interactive examples and hands-on practice
Public Key Infrastructure (PKI) is a comprehensive framework that uses cryptographic keys and digital certificates to secure communications and verify identities across digital systems.
Typical uses: securing web traffic (HTTPS), S/MIME email protection, document authenticity (digital signatures), and secure tunnels.
PKI operates on a hierarchical trust model with three main components:
Trust Anchor: the Root CA, whose self-signed certificate sits in the trust store
Certificate Issuer: the Intermediate CA, whose certificate is signed by the Root CA
End Entity: the Leaf Certificate issued to a server, person, or device
When you visit an HTTPS website, here's what happens:
1. The website presents its Leaf Certificate to your browser.
2. The browser verifies that the certificate was issued (signed) by a trusted Intermediate CA.
3. The browser validates the Intermediate CA certificate against the Root CA in its trust store.
4. If the whole chain is valid, an encrypted connection is established.
Explore sample certificates from a mock PKI hierarchy. Download and examine their structure. The blocks below are human-readable mock-ups: a real PEM certificate carries the base64-encoded DER certificate between the BEGIN and END markers, not these labelled fields.
-----BEGIN CERTIFICATE-----
Root Certificate Authority
Issuer: Sample Root CA
Subject: Sample Root CA
Valid From: 2025-01-19
Valid To: 2035-01-19
Purpose: Trust anchor of the PKI hierarchy
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Intermediate Certificate Authority
Issuer: Sample Root CA
Subject: Sample Intermediate CA
Valid From: 2025-01-19
Valid To: 2030-01-19
Purpose: Issues certificates to end entities
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
End-Entity Certificate
Issuer: Sample Intermediate CA
Subject: www.example.com
Valid From: 2025-01-19
Valid To: 2026-01-19
Purpose: Secures website communications
-----END CERTIFICATE-----
Generate a complete certificate chain for testing purposes.
Challenge yourself with these PKI fundamentals questions!
Question 1: What is the primary role of a Root CA in PKI?
Question 2: What is a Leaf Certificate used for?
Question 3: In the PKI hierarchy, who signs the Intermediate CA certificate?
A Certificate Authority (CA) is a trusted entity that issues digital certificates. It verifies the identity of certificate holders and digitally signs their certificates to ensure authenticity and establish trust. CAs play a crucial role in maintaining the security of online communications.
PKI is essential because it provides a secure, standardized way to verify identities and encrypt communications. It forms the foundation of modern internet security, powering HTTPS websites, email encryption, digital signatures, and secure authentication. Without PKI, online transactions and data exchange would be vulnerable to interception and fraud.
A chain of trust is a hierarchical sequence of certificates where each certificate is digitally signed by the certificate above it. It starts with the Root CA (trust anchor), flows through Intermediate CAs, and ends with the Leaf Certificate. This chain allows systems to verify certificate authenticity by tracing back to a trusted root.
Certificate validity periods vary by type. Root CA certificates typically last 10-30 years, Intermediate CA certificates 5-10 years, and Leaf certificates 1-2 years (currently limited to 398 days maximum for SSL/TLS certificates). Shorter validity periods reduce risk by limiting exposure time if a certificate is compromised.
If a certificate's private key is compromised, the certificate must be revoked immediately by the issuing CA. The CA adds the certificate's serial number to a Certificate Revocation List (CRL) or updates its Online Certificate Status Protocol (OCSP) responders. Browsers and applications consult these sources so that a revoked certificate is no longer trusted, even though it is otherwise valid and unexpired.
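The chain-generation tool mentioned above, the four browser validation steps, and the revocation check in the last answer, worked through as one added example in Go (this is not the page's own tool or code). It builds the same three-tier hierarchy as the mock certificates (Sample Root CA, Sample Intermediate CA, www.example.com) with Go's standard crypto/x509 package, verifies the leaf the way a browser does, and has the intermediate publish a CRL that a relying party checks. The function names BuildChain, VerifyLeaf and IsRevoked, the serial numbers, and the P-256 keys are my own choices; the lifetimes follow the mock certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertKey pairs a certificate with the private key matching its public key.
type CertKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *CertKey) (*CertKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := &CertKey{Cert: tmpl, Key: key} // default: issuer == subject
	if parent != nil {
		signer = parent // the issuer name is copied from the signer's subject
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CertKey{Cert: cert, Key: key}, err
}

// BuildChain creates the page's hierarchy: self-signed root (trust anchor) -> intermediate
// -> server leaf for hostname. Lifetimes mirror the mock certificates: 10, 5 and 1 year(s).
func BuildChain(hostname string) (root, inter, leaf *CertKey, err error) {
	now := time.Now().Add(-time.Minute) // tolerate slight clock skew
	ca := func(serial int64, name string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: may revoke what it issues
		}
	}
	if root, err = issue(ca(1, "Sample Root CA", 10), nil); err != nil {
		return
	}
	if inter, err = issue(ca(2, "Sample Intermediate CA", 5), root); err != nil {
		return
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter)
	return
}

// VerifyLeaf is the browser-side check: the leaf must chain through the presented intermediate
// (inter may be nil) to a trusted root, be within its validity period, and name the host.
func VerifyLeaf(leaf, inter, root *x509.Certificate, hostname string) error {
	opts := x509.VerifyOptions{DNSName: hostname, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if inter != nil { // a server that omits its intermediate cannot be validated
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts) // defaults to checking the serverAuth extended key usage
	return err
}

// IsRevoked has the issuing CA publish a CRL listing revokedSerials, then does what a relying
// party does: verify the CRL signature against the issuer and look for cert's serial in it.
func IsRevoked(cert *x509.Certificate, issuer *CertKey, revokedSerials []*big.Int) (bool, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
	if err != nil {
		return false, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer.Cert); err != nil {
		return false, err // never consult a CRL the issuer did not sign
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, inter, leaf, err := BuildChain("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain:", VerifyLeaf(leaf.Cert, inter.Cert, root.Cert, "www.example.com"))
	fmt.Println("leaf only:", VerifyLeaf(leaf.Cert, nil, root.Cert, "www.example.com"))
	fmt.Println(IsRevoked(leaf.Cert, inter, []*big.Int{leaf.Cert.SerialNumber}))
}
```

The second VerifyLeaf call in main reproduces a common server misconfiguration: only the leaf is sent, so the browser cannot build the chain back to the root and rejects the connection with an unknown-authority error, even though the certificate itself is valid. Passing a different hostname fails the same way on the name check. IsRevoked checks the CRL's signature before trusting its contents; a revocation list that cannot be tied to the issuer tells a relying party nothing. ParseRevocationList and CheckSignatureFrom require Go 1.19 or later.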