Secure digital communications have always been a requirement for mission-critical applications and for business transactions. The trust those communications rely on hinges on verifying the identity of the individuals involved and of the systems that issued the credentials for each user, system, or device, including Internet of Things (IoT) use cases.
Let’s take a look at how PKI helps verify identities in secure communications, what some of the essential PKI components are as well as some of the complexities involved, and how you can simplify the management of digital certificates with Axway.
A (very) brief history of internet security and the birth of PKI
Remember how sending and receiving data through the Internet started with just http?
Then, once everybody realized that plain http traffic can easily be intercepted and misused, web sites were required to use https so that traffic was at least encrypted rather than sent in clear text.
Identifying the Web Server side is also important so that users know they are going to the right site and not a malicious fake site looking to trick people into giving up their information.
The only cost-effective and secure way to be able to use the Internet for these mission-critical applications and business flows is to implement an enterprise Public Key Infrastructure (PKI).
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure (PKI) is the system of policies, technologies, and certificate authorities that issues, distributes, validates, and revokes the digital certificates used to authenticate people, devices, and software in secure communications. Every certificate binds a public cryptographic key to the verified identity of its holder, so anyone can confirm that a message or transaction really came from who it claims.
This keeps information confidential between sender and recipient. It can also show that data has not been tampered with: a digital signature made with a certificate-bound private key provides integrity and non-repudiation, because only the holder of that key could have produced it.
PKI helped end the costly era of direct connections over dedicated phone lines, which could not keep up with technological improvements.
PKI attests that users have been vetted, much as a driver’s license does. To get a license, a person must typically show up in person and be verified by presenting proper identification.
They need a passport, a birth certificate with a raised seal only, and perhaps other documents… A good example in government is the clearance level a user may hold: Secret, Top Secret, or Sensitive Compartmented Information (SCI).
You can deploy an enterprise PKI to manage these users and their access to systems, thanks to a user’s PKI certificate containing attributes that describe their roles and access levels.
The other key to securely and properly deploying PKI is to store keys on smart cards – much like your bank card.
The private key cannot be exported from the smart card, so it cannot be copied even if the card holder’s computer is compromised, which makes this a protected and secure way of doing business.
Breaking down essential PKI components
Within a public key infrastructure, several tools and technologies support secure communications.
At PKI’s core you have public and private key pairs. The public key is shared openly: anyone can use it to encrypt a message to its owner or to verify a signature the owner made. Only the holder of the matching private key, which is kept secret, can decrypt those messages or produce those signatures.
Digital certificates bind a public key to the identity of the holder of the matching private key. Issued by a Certificate Authority (CA), these certificates function like a driver’s license or passport, ensuring the parties to a communication are who they claim to be.
The CA can also act as the Registration Authority (RA). The RA verifies the certificate requester’s credentials and identity before the CA issues a digital certificate.
When a certificate has been revoked, or otherwise can no longer be trusted, it is added to the Certificate Revocation List (CRL). Signed and published by the CA, the CRL lets relying parties refuse compromised or outdated certificates before they are used.
PKI components at a glance
The table below summarizes each PKI component, what it does, and the closest real-world analog so the moving parts are easier to keep straight.
| Component | Role | Real-world analog |
|---|---|---|
| Public key | Encrypts messages and verifies signatures; shared openly | A padlock anyone can use to lock a box for you |
| Private key | Decrypts messages and creates signatures; kept secret by the owner | The only key that opens that padlock |
| Digital certificate | Binds a public key to a verified identity (person, device, server) | A driver’s license that proves the photo matches the name |
| Certificate Authority (CA) | Issues digital certificates and stands behind their trustworthiness | The licensing department that vouches for the license |
| Registration Authority (RA) | Vets the certificate requester’s identity before the CA issues anything | The clerk who checks your documents before printing the license |
| Certificate Revocation List (CRL) | Lists certificates the CA has invalidated before their expiry | A revoked-license registry that police can check |
| Online Certificate Status Protocol (OCSP) | Real-time, per-certificate status check (alternative to CRL polling) | A live phone check with the licensing department |
How PKI fits into the modern digital infrastructure
Public key infrastructure has become a baseline trust service for any organization moving sensitive data over the internet. It assures both sides of a transaction that the other party is who they claim to be, which matters more every year as data breach costs climb and regulators tighten audit requirements.
The IBM Cost of a Data Breach Report 2025 puts the average breach at $4.44 million, down from $4.88 million in 2024 as AI-driven defenses begin to offset slower-rising attack costs. The risk and the cost remain high enough that strong authentication, like a well-run PKI, pays for itself the first time it prevents an incident.
Amid these growing security concerns, PKI applications have started to extend beyond the Department of Defense (DoD) and federal government. Industries ranging from financial services to healthcare have taken an interest in using PKI to safeguard sensitive information and preserve trust in digital communications.
That said, most PKI use cases continue to come from the DoD and the federal government. One hang-up: deploying and managing a PKI is complex.
What makes PKI deployment and management complex
As we’ve discussed, digital certificates play a critical role in the PKI infrastructure. Issuing and managing these certificates is one of the more complex aspects of PKI.
At the outset, IT teams must ensure the Certificate Authority is correctly bound to its cryptographic keys. While critical for establishing trust, this process involves strict checks and balances that can consume IT resources.
Once the certificates are established, it becomes a matter of maintaining them. Part of this includes keeping track of certificates’ expiration dates.
If an organization fails to renew certificates before they expire, users encounter security warnings that erode trust, or they find their access blocked outright.
In one report, 81% of organizations said they experienced at least two outages due to expired certificates in the past two years. The lack of valid certificates can also hinder the security of encrypted communications and lead to compliance issues when an audit is conducted.
If a PKI certificate is compromised, IT teams must quickly notify the Certificate Authority to revoke it and issue a new one. Any delays in this process can increase the risk of network vulnerabilities.
When issuing the new certificate, IT teams need to ensure that the certificates are properly propagated and integrated to prevent security gaps.
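The following Go program is an added illustration, not code from the original article or from Axway. It models the components introduced earlier (key pairs, a CA issuing certificates, a relying party checking them, and a CRL) together with the expiry and revocation handling just described, using only Go’s standard library crypto/x509 package. A self-signed root CA issues an end-entity certificate; a relying party verifies the chain against that CA, sees the same check fail under a different CA and again once the validity period has passed; and a CA-signed CRL is parsed, its signature checked against the CA, and consulted for the certificate’s serial number. The CA name, host name and serial numbers are constructed for the demo, the RA’s identity vetting is assumed to have happened before issue is called, and the code assumes Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate describes either a CA (may sign certificates and CRLs) or an
// end-entity server certificate; both carry a bounded validity period.
func newTemplate(serial int64, name string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter,
	}
	if isCA {
		t.KeyUsage, t.BasicConstraintsValid, t.IsCA = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, true
	} else {
		t.KeyUsage, t.ExtKeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{name}
	}
	return t
}

// issue is the CA's job: generate the subject's key pair and sign tmpl with the
// parent's key (self-signed when parent is nil). Only the certificate is
// published; the private key is handed back to the subject and stays with it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain is the relying party's check: trust only ca, and require that
// leaf chains to it (the CA's public key checks the CA's signature on leaf)
// and is inside its validity period at time now.
func verifyChain(leaf, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// makeCRL publishes the CA-signed Certificate Revocation List for the given serials.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serials ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked checks the CRL's signature against the CA before trusting its
// contents, then looks for the certificate's serial number in it.
func isRevoked(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Demo scenario with constructed names; errors are ignored for brevity.
	now := time.Now().Truncate(time.Second)
	ca, caKey, _ := issue(newTemplate(1, "Example Root CA", true, now.Add(-time.Hour), now.AddDate(10, 0, 0)), nil, nil)
	api, _, _ := issue(newTemplate(2, "api.example.test", false, now.Add(-time.Hour), now.AddDate(1, 0, 0)), ca, caKey)
	crl, _ := makeCRL(ca, caKey, now, 2)
	revoked, _ := isRevoked(crl, ca, api)
	fmt.Println("chain valid now:", verifyChain(api, ca, now) == nil, "in two years:", verifyChain(api, ca, now.AddDate(2, 0, 0)) == nil)
	fmt.Println("revoked by CRL:", revoked)
}
```

Two design points matter for defenders. The relying party trusts a certificate only because it was signed by a CA whose certificate it already holds, so adding a CA to that pool is the real trust decision. And a CRL is itself a signed document: isRevoked refuses to act on a CRL whose signature does not come from the expected CA, which prevents a forged list from silently un-revoking or revoking certificates.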
How PKI compares to SSL, TLS, and what comes next
A common point of confusion is whether PKI and SSL or TLS are the same thing. They are not, and the distinction matters.
PKI is the broader trust framework that issues and manages digital certificates and the keys they hold. SSL (now deprecated) and its successor TLS are the protocols that use those certificates to encrypt data while it travels between a client and a server. In other words, every HTTPS connection in a browser is TLS on the wire, and TLS depends on a certificate that a PKI somewhere issued and stands behind. PKI also secures email (S/MIME), code signing, smart-card login, device identity for IoT, and document signatures, none of which travel over a TLS handshake.
The next wave of PKI is post-quantum readiness. NIST finalized its first post-quantum cryptography standards in 2024, and standards bodies are now defining how digital certificates will carry quantum-resistant signatures alongside today’s RSA and ECC keys. Organizations running large certificate footprints should plan for hybrid certificates and crypto-agility, so that a future protocol change does not require re-issuing every certificate at once.
Simplifying the management of digital certificates
Axway Validation Authority (VA) provides real-time validation of digital certificates. For organizations with a large certificate footprint, the out-of-the-box solution scales to millions of certificates without per-certificate operational overhead.
With Axway VA, IT teams can look up digital certificates in less time. And the faster IT personnel can look up certificates, the less room there is for latency issues.