PKI — Explained with Examples
PKI (Public Key Infrastructure) is a system of certificates, keys, and policies that enables secure digital communication through identity verification.
It is the framework that makes HTTPS, code and document signing, and email encryption work: PKI governs how digital certificates are created, distributed, stored, checked, and revoked, so that a party who has never met you can still verify that a public key belongs to you.
Components of PKI
- Certificate Authority (CA) — trusted entity that issues certificates by signing them with its own private key (e.g., Let’s Encrypt, DigiCert, Sectigo); anyone holding the CA’s public key can check that signature
- Registration Authority (RA) — verifies the identity of certificate requestors (domain control, organization details) before the CA issues a certificate; often operated by the CA itself
- Certificate — signed digital document binding a public key to an identity (domain, organization, person), together with the issuer, a serial number, a validity period, and usage constraints
- Public/Private Key Pair — asymmetric keys; the public key is published in the certificate, the private key never leaves its owner and is used to sign and decrypt (in TLS, to prove possession of the certificate)
- Certificate Revocation List (CRL) — CA-signed list of serial numbers of certificates revoked before their expiry (for example after a key compromise); clients should consult it, or an equivalent status service, before trusting a certificate
Chain of Trust
Root CA (self-signed, trusted by browsers)
└── Intermediate CA
    └── Server Certificate (example.com)
Browser trust store → Contains Root CA certificates
When visiting example.com:
1. The server sends its leaf certificate plus the Intermediate CA certificate (the Root is not sent; the browser already holds it in its trust store)
2. The browser builds the chain Leaf → Intermediate → Root by matching each certificate’s Issuer to the Subject of the next certificate up
3. The browser verifies each signature with the public key of the certificate above it, and also checks the validity dates, that the requested hostname matches the certificate’s Subject Alternative Name, that the intermediate is marked as a CA, and the revocation status
4. If the chain ends at a Root present in the trust store, the certificate is accepted; if any link is missing or any check fails, the connection is refused with a certificate error
Real-World Analogy
PKI is like a passport system. The government (Root CA) is universally trusted. It authorizes passport offices (Intermediate CAs) to issue passports. Your passport (certificate) contains your photo, name, and issuing authority. When you show it at airport security (the browser), they check: Is the passport expired? Was it issued by a recognized authority? Does the photo match you? If everything checks out, they trust your identity.
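The chain building and signature checks described above can be reproduced with the openssl command line. The script below is an added example, not code from the original page: it creates a throwaway root CA, an intermediate CA signed by that root, and a leaf certificate for example.com signed by the intermediate, then runs `openssl verify` with the root as the only trust anchor. It also builds a second, unrelated self-signed root and a certificate for the same hostname issued by it, to show that a chain ending at a root outside the trust store is rejected. The CA names, file names, serial numbers and the scratch directory are arbitrary choices for this illustration; the only requirement is an installed openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the original page): build a three-tier chain
# root -> intermediate -> leaf with openssl and verify it the way a
# browser would, then show three ways the verification fails.
set -eu

# Scratch directory for keys and certificates (hypothetical layout).
WORK="${PKI_WORK_DIR:-$(mktemp -d)}"

# Extension profiles. `openssl x509 -req -extfile` reads the unnamed
# default section of the file, so plain key=value lines are enough.
ca_extensions() {
  printf 'basicConstraints=critical,CA:TRUE\n'
  printf 'keyUsage=critical,keyCertSign,cRLSign\n'
}
leaf_extensions() {            # $1 = hostname placed in the SAN
  printf 'basicConstraints=CA:FALSE\n'
  printf 'keyUsage=digitalSignature,keyEncipherment\n'
  printf 'extendedKeyUsage=serverAuth\n'
  printf 'subjectAltName=DNS:%s\n' "$1"
}

# new_key NAME: RSA-2048 private key written to $WORK/NAME.key
new_key() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
}

# self_signed_ca NAME SUBJECT: a self-signed root (Issuer == Subject),
# i.e. the kind of certificate a trust store contains.
self_signed_ca() {
  new_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
  openssl x509 -req -sha256 -days 3650 -set_serial 1 \
    -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME SUBJECT ISSUER SERIAL EXTFILE: certificate for NAME, signed
# with ISSUER's private key so that its Issuer field equals ISSUER's Subject.
issue() {
  new_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
  openssl x509 -req -sha256 -days 365 -set_serial "$4" \
    -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -extfile "$5" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  ca_extensions > "$WORK/ca.ext"
  leaf_extensions example.com > "$WORK/leaf.ext"
  self_signed_ca root "/CN=Example Root CA"                    # trust anchor
  issue int  "/CN=Example Intermediate CA" root 2 "$WORK/ca.ext"
  issue leaf "/CN=example.com"             int  3 "$WORK/leaf.ext"
  # A second self-signed CA that is NOT in our trust store, plus a
  # certificate for the same hostname issued by it.
  self_signed_ca rogue "/CN=Rogue Root CA"
  issue rogue-leaf "/CN=example.com" rogue 4 "$WORK/leaf.ext"
}

# verify_cert CERT TRUST_ANCHOR HOSTNAME [INTERMEDIATE]
# Mirrors the browser's checks: chain CERT through the (untrusted)
# INTERMEDIATE up to a root in TRUST_ANCHOR, verify every signature,
# check validity dates and that HOSTNAME matches the SAN.
# Returns 0 when openssl accepts the certificate, non-zero otherwise.
verify_cert() {
  cert="$WORK/$1.pem"; anchor="$WORK/$2.pem"; host="$3"
  if [ $# -ge 4 ]; then
    openssl verify -CAfile "$anchor" -untrusted "$WORK/$4.pem" \
      -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$anchor" -verify_hostname "$host" "$cert" \
      >/dev/null 2>&1
  fi
}

# report LABEL COMMAND...: print LABEL followed by OK or REJECTED
report() {
  label="$1"; shift
  if "$@"; then echo "$label: OK"; else echo "$label: REJECTED"; fi
}

build_pki
report "leaf + intermediate, root in trust store"    verify_cert leaf root example.com int
report "leaf without the intermediate (chain gap)"   verify_cert leaf root example.com
report "leaf + intermediate, wrong hostname"         verify_cert leaf root evil.example int
report "cert from a root outside the trust store"    verify_cert rogue-leaf root example.com
```

Only the first case succeeds. The second fails because the browser (here, openssl) cannot find the Intermediate CA's certificate anywhere, which is the most common real-world misconfiguration: a server that omits its intermediate works in browsers that have cached it and breaks everywhere else. The last case is the whole point of the trust store: the rogue certificate is a perfectly well-formed chain with valid signatures, and it is still rejected because its root is not one the verifier trusts.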
Example: Generate a Self-Signed Certificate
# Generate a private key
openssl genrsa -out private-key.pem 2048
# Create a Certificate Signing Request
openssl req -new -key private-key.pem -out csr.pem \
-subj "/CN=example.com"
# Self-sign the certificate (acts as your own CA)
openssl x509 -req -days 365 -in csr.pem \
-signkey private-key.pem -out certificate.pem
# View certificate details
openssl x509 -in certificate.pem -text -noout
# Output includes:
# Subject: CN = example.com
# Issuer: CN = example.com (self-signed)
# Validity: Jun 19 2026 - Jun 19 2027
# Public Key Algorithm: rsaEncryption (2048-bit)
Because Issuer equals Subject, this certificate chains to nothing in any trust store: browsers will reject it until it is imported manually, so it is suitable only for testing and internal services. Keep private-key.pem out of version control and readable only by the process that serves the certificate; anyone who obtains it can impersonate example.com to every client that trusts this certificate.