In the physical world, we use signatures and ID cards. In the digital world, we use Private Keys and Certificates. PKI (Public Key Infrastructure) is the system of "Certificate Authorities" (CAs) that issue these digital IDs. Without PKI, the internet would be anonymous and untrusted.
Signing vs Encrypting
Encryption (Secrecy): Encrypt with Public, Decrypt with Private.
Signing (Authenticity): Encrypt Hash with Private, Verify with Public.
Only YOU have the private key, so only you could have created a signature that the public key validates.
1. The X.509 Certificate
A digital passport. It contains:
1. Subject: CN=google.com, O=Google LLC
2. Public Key: The actual key data.
3. Issuer: CN=GTS CA 1C3
4. Signature: The Issuer signs the whole blob with their Private Key.
2. Chain of Trust
Why does your browser trust Google's certificate?
1. Browser trusts Root CA (built-in to Windows).
2. Root CA signs Intermediate CA.
3. Intermediate CA signs Google's Certificate.
This allows Root CAs to keep their keys offline in a safe (HSM), while Intermediates do the daily work.
3. Revocation
What if a hacker steals Google's Private Key?
CAs publish a CRL (Certificate Revocation List)—a list of "banned" serial numbers.
OCSP (Online Certificate Status Protocol): A real-time check. "Hey CA, is Serial #12345 still good?"
4. Trust Issues (CAs)
If a Root CA is compromised (e.g., DigiNotar in 2011), the hacker can issue valid certificates for ANY domain (Google, CIA, etc.).
Certificate Transparency (CT): A public log of every cert issued. If a rogue cert appears, monitors detect it instantly.
Self-Signed Certs
You can act as your own CA.
openssl req -x509 -newkey rsa:4096 ...
Browsers will show a "Security Warning" because they don't know you. But the encryption is just as strong mathematically.