What is Public Key Infrastructure (PKI)?

The Chain of Trust

When you visit a banking website, how do you know you aren't connecting to an attacker's fake server? PKI relies on Centralized Certificate Authorities (CAs).

Your operating system ships with pre-installed root certificates. Browsers verify that the website's digital certificate was signed, directly or through an intermediate CA, by a chain that ends at one of these highly guarded, trusted root authorities.

Certificate Expiration & Revocation

Certificates aren't permanent. They carry a built-in expiration date (typically 90 days for modern automated setups such as Let's Encrypt). If a server is compromised before its certificate expires, the CA revokes the certificate and publishes that status through OCSP (Online Certificate Status Protocol) or a CRL (Certificate Revocation List), so that clients which check either source reject the certificate even though it has not yet expired.

Everyday Example

How do you know a police officer is real? Because they have a badge. How do you know the badge is real? Because the Mayor issued it. How do you know the Mayor is real? Because the Governor swore them in. In PKI, your computer is born already trusting the 'Governor' (the Root CA), allowing it to trust the entire chain all the way down to the website's 'badge'.

The Deep Mathematics

An X.509 certificate binds a subject's distinguished name to a public key, and that binding is signed by the issuer with RSA or ECDSA. The verifier walks the chain checking each signature against the issuer's public key, in textbook-RSA terms H(cert_i) == Decrypt(IssuerPub, signature_i), where IssuerPub is the public key carried in the next certificate up the chain (ECDSA uses a verification equation rather than a decryption, but the role is the same), until it reaches a self-signed root anchor already present in the OS trust store.
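The chain walk, the expiry check and the revocation lookup described above, worked through with Go's standard crypto/x509 package. This is an added example, not code from this page or from giovium: the CA names, the host bank.example, the serial numbers and the fixed clock are constructed for the demonstration, and the root pool stands in for the OS trust store. The signatures are ECDSA, so each step is a signature verification with the issuer's public key rather than a literal decryption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// clock is the fixed "now" for every validity check (a constructed value, not wall-clock time).
var clock = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)

// entity is a certificate with its private key (in memory here; a real CA keeps its key in an HSM).
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must turns a setup failure into a panic so the builders below stay readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a CA (isCA) or server certificate for name, valid for lifetime from an hour before
// clock and signed by issuer; issuer == nil yields a self-signed certificate, i.e. a root anchor.
func issue(serial int64, name string, isCA bool, lifetime time.Duration, issuer *entity) (*entity, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: clock.Add(-time.Hour), NotAfter: clock.Add(-time.Hour).Add(lifetime)}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign certificates and CRLs
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert, key}, err
}

// checkCert decides as a browser does: walk leaf -> intermediate -> root, verifying each signature
// with the issuer's public key until a trust-store member (roots) is reached, checking dates and host
// name on the way; then consult the issuer's CRL, verifying its signature first (a forged list proves nothing).
func checkCert(leaf, intermediate, root *x509.Certificate, crlDER []byte, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), CurrentTime: clock, DNSName: host}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(intermediate)
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(intermediate); err != nil {
		return err
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v was revoked by its issuer", leaf.SerialNumber)
		}
	}
	return nil
}

// Run builds root -> intermediate -> leaf for the hypothetical host bank.example plus three bad
// leaves (expired, revoked via CRL, issued by an attacker's own root) and returns each verdict.
func Run() map[string]error {
	const day, host = 24 * time.Hour, "bank.example"
	root := must(issue(1, "Example Root CA", true, 3650*day, nil))
	inter := must(issue(2, "Example Issuing CA", true, 1825*day, root))
	good := must(issue(100, host, false, 90*day, inter))
	expired := must(issue(101, host, false, 30*time.Minute, inter)) // NotAfter is already past clock
	revoked := must(issue(102, host, false, 90*day, inter))
	rogue := must(issue(3, "Attacker Root CA", true, 3650*day, nil)) // present in no trust store
	forged := must(issue(103, host, false, 90*day, rogue))
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: clock, NextUpdate: clock.Add(day), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.cert.SerialNumber, RevocationTime: clock}}}, inter.cert, inter.key))
	verdict := func(e *entity) error { return checkCert(e.cert, inter.cert, root.cert, crl, host) }
	return map[string]error{"good": verdict(good), "expired": verdict(expired),
		"revoked": verdict(revoked), "forged": verdict(forged)}
}

func main() { fmt.Println(Run()) }
```

Run() returns nil only for the good leaf. The expired leaf fails the validity window; the leaf issued by the attacker's own root fails because that root is in no trust store, even though its signature is mathematically valid; and the revoked leaf passes chain verification but is rejected by the CRL lookup, which is why a client must consult OCSP or a CRL and not stop at the signature chain. The CRL's own signature is checked against the issuing CA before its contents are believed.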

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.

Download giovium