100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Public Key Infrastructure (PKI) Cheat Sheet

Public Key Infrastructure (PKI) Cheat Sheet

Covers PKI components, certificate lifecycle, chain of trust, and common OpenSSL commands for generating and inspecting certificates.

2 PagesIntermediateJan 28, 2026

Core PKI Components

The building blocks of a public key infrastructure.

  • CA (Certificate Authority)- Trusted entity that issues and signs digital certificates
  • RA (Registration Authority)- Verifies identity before a CA issues a certificate
  • Certificate- Binds a public key to an identity, signed by a CA
  • CRL- Certificate Revocation List, a published list of revoked certificates
  • OCSP- Online Certificate Status Protocol, real-time revocation checking
  • Root CA- Top of the trust chain; self-signed, kept offline for security
  • Intermediate CA- Signed by root CA, issues end-entity certs; limits root exposure

Generating Keys and a CSR (OpenSSL)

Creating a private key and certificate signing request.

bash
# Generate a 2048-bit RSA private keyopenssl genrsa -out server.key 2048# Generate a Certificate Signing Request (CSR)openssl req -new -key server.key -out server.csr \  -subj "/C=US/ST=CA/O=Example Inc/CN=example.com"# Self-sign a certificate (for testing only)openssl x509 -req -days 365 -in server.csr \  -signkey server.key -out server.crt

Inspecting Certificates (OpenSSL)

Viewing certificate details and checking a live server's cert.

bash
# View certificate detailsopenssl x509 -in server.crt -text -noout# Check expiration dateopenssl x509 -in server.crt -noout -enddate# Inspect a certificate served by a live hostopenssl s_client -connect example.com:443 -showcerts

Chain of Trust Concepts

How certificate validation establishes trust.

  • Trust anchor- Root CA certificate pre-installed in OS/browser trust stores
  • Certificate chain- Leaf cert -> intermediate CA(s) -> root CA, each signed by the next
  • Chain validation- Client verifies each signature up to a trusted root, and checks expiry/revocation
  • Self-signed certificate- Not signed by a trusted CA; triggers browser warnings unless manually trusted
Pro Tip

Keep root CA private keys offline and air-gapped; use intermediate CAs for day-to-day certificate issuance so a compromised intermediate can be revoked without invalidating the entire trust chain.

Was this cheat sheet helpful?

Explore Topics

#PublicKeyInfrastructurePKI#PublicKeyInfrastructurePKICheatSheet#Cybersecurity#Intermediate#CorePKIComponents#Generating#Keys#CSR#CheatSheet#SkillVeris