What is Public Key Infrastructure (PKI)?
Learn what PKI is, how Certificate Authorities and the chain of trust work, and how PKI underpins HTTPS — with interview Q&A.
Expected Interview Answer
Public Key Infrastructure (PKI) is the set of roles, policies, and systems needed to create, distribute, validate, and revoke digital certificates that bind a public key to a verified identity, forming the trust framework that lets strangers on the internet, like a browser and a website, trust each other's public keys.
At the core of PKI is the Certificate Authority (CA), a trusted third party that verifies an entity's identity (a domain, an organization, or an individual) and then signs a certificate binding that identity to a public key; operating systems and browsers ship with a curated list of root CAs they trust by default. Rather than every CA signing certificates directly with its highly sensitive root key, most issuance happens through an intermediate CA whose own certificate is signed by the root, forming a chain of trust that a client walks from the leaf certificate up to a trusted root during validation. PKI also defines how certificates are requested (via a Certificate Signing Request, or CSR, containing the applicant's public key), how their validity is checked (via expiration dates, Certificate Revocation Lists, or the faster Online Certificate Status Protocol), and how compromised or mis-issued certificates get revoked before their natural expiry. This whole system is what makes HTTPS practical at scale: a browser never has to have met a website's operator personally — it just verifies the certificate chain back to a root CA it already trusts.
- Binds a public key to a verified identity via CA-signed certificates
- Chain of trust lets clients validate certs without meeting the issuer
- Standardizes issuance (CSR), validation, and revocation (CRL/OCSP)
- Underpins HTTPS trust at internet scale without prior introductions
AI Mentor Explanation
PKI is like the official cricket board's accreditation system for umpires — the board (the root CA) does not personally certify every umpire directly but authorizes regional associations (intermediate CAs) to issue accreditation badges, and any umpire's badge can be traced back up that chain to the trusted national board. A captain checking an unfamiliar umpire's badge does not need to have met them before; they just verify the chain of signatures on the badge back to the national board they already trust. If an umpire is later found to be corrupt, the board can revoke that specific badge before it naturally expires.
Step-by-Step Explanation
Step 1
Key pair + CSR
An applicant generates a public/private key pair and submits a Certificate Signing Request with the public key and identity details.
Step 2
Identity verification
A Certificate Authority verifies the applicant's identity (domain control, organization documents, etc.).
Step 3
Certificate issuance
The CA (often via an intermediate CA) signs a certificate binding the public key to the verified identity.
Step 4
Chain validation
Clients validate the certificate by walking the signature chain up to a trusted root CA already in their trust store.
What Interviewer Expects
- Defines PKI as the trust framework around certificates and CAs
- Explains the chain of trust: root CA → intermediate CA → leaf certificate
- Knows CSR, expiration, CRL, and OCSP for issuance/validation/revocation
- Connects PKI to how HTTPS establishes trust without prior contact
Common Mistakes
- Confusing PKI with just "SSL certificates" without the CA/trust-chain concept
- Not knowing root CAs rarely sign leaf certificates directly
- Forgetting revocation exists (CRL/OCSP) separate from expiration
- Assuming a certificate alone proves the site is trustworthy in every sense, not just identity-bound-to-key
Best Answer (HR Friendly)
“PKI is the whole system behind digital certificates — the trusted organizations, called Certificate Authorities, that verify who someone is before issuing them a certificate proving their identity is linked to their public key. It is what lets your browser trust a website it has never seen before, by checking a chain of signatures back to a small set of root authorities it already trusts, and it also handles pulling the plug on certificates that get compromised.”
Code Example
# Generate a CSR from an existing key pair
openssl req -new -key private.pem -out request.csr -subj "/CN=example.com"
# View the certificate chain a server presents
openssl s_client -connect example.com:443 -showcerts </dev/null
# Verify a certificate against a trusted CA bundle
openssl verify -CAfile ca-bundle.pem server.crtFollow-up Questions
- What is the difference between a root CA and an intermediate CA?
- How does OCSP differ from a Certificate Revocation List (CRL)?
- What happens if a private key behind a certificate is compromised?
- How does certificate pinning relate to PKI trust?
MCQ Practice
1. What entity verifies identity and signs digital certificates in PKI?
A Certificate Authority verifies identity and signs certificates binding a public key to that identity.
2. What does a client validate when checking a certificate chain?
Validation walks the signature chain from the leaf certificate up to a trusted root CA in the trust store.
3. What is the purpose of a Certificate Signing Request (CSR)?
A CSR is submitted to a CA to request a signed certificate binding a public key to an identity.
Flash Cards
What is PKI? — The system of CAs, certificates, and policies that binds public keys to verified identities.
What is a CA? — A trusted third party that verifies identity and signs digital certificates.
What is a chain of trust? — Root CA → intermediate CA → leaf certificate, validated by walking signatures up to a trusted root.
How are certificates revoked early? — Via a Certificate Revocation List (CRL) or the faster Online Certificate Status Protocol (OCSP).