Asymmetric · 08

Public Key Infrastructure

Public keys by themselves are just numbers. They do not say who owns them. PKI is the system of certificate authorities, signatures, and trust roots that lets your browser believe a public key actually belongs to the bank it claims to.

01

The Trust Problem

A public key like 04:bf:e9:... has no identity attached. It is just a sequence of bytes. Anyone can generate a key pair and claim that the public half belongs to your bank. Without some external mechanism to bind the key to a real-world identity, asymmetric crypto solves confidentiality and authenticity in theory but trust nowhere.

Concretely: when you type https://chase.com into your browser, the server hands you a public key. How do you know it is Chase's key and not an attacker's? You have never met Chase. You have no out-of-band channel. The key itself proves nothing about its owner.

PKI answers this with a chain of signatures. Chase's public key comes wrapped in a certificate, signed by an entity your browser already trusts. The browser checks that signature, then checks the signer's certificate, and so on until it reaches a root certificate that came pre-installed in your operating system.

02

A Certificate Is A Public Key With A Signature

An X.509 certificate is a structured document that contains, at minimum:

The signature is the load-bearing field. Anyone with the issuer's public key can verify that the issuer actually issued this certificate. Anyone without the issuer's private key cannot forge a valid signature.

03

The Chain Of Trust

Certificates form a chain because the issuer of a certificate has their own certificate, signed by their issuer, all the way up to a root. Standard chains are three deep:

The two-layer separation between root and intermediate exists so that root private keys can be kept offline in air-gapped HSMs. Day-to-day signing is done by the intermediate, whose key is online and rotated frequently.

Figure 8.1: Three-tier certificate hierarchy Three boxes stacked vertically. At the top, a root certificate authority. In the middle, an intermediate certificate authority signed by the root. At the bottom, a leaf certificate for a specific server, signed by the intermediate. ROOT CA Codex Root CA self-signed · offline HSM signs INTERMEDIATE CA ZZZ Issuing CA online · signs leaf certs signs LEAF CERT zzz-consulting.com pre-installed in OS / browser trust store sent by server in TLS handshake (leaf and intermediate together)
Fig 8.1 · The three-tier hierarchy and what travels over the wire
04

Certificate Chain Explorer

Click each certificate in the chain to see its actual fields. Then click Verify chain to walk from leaf to root, checking each signature in order.

Interactive · Chain Of Trust

Inspect each certificate, then verify the full chain

This is a simulated chain for zzz-consulting.com. Click any card to expand its details. The verification step walks up the chain, confirming that each signature is valid under the next certificate's public key, until it reaches a root in your trust store.

Root · tier 1
Codex Root CA
Self-signed · trust anchor in OS/browser store
\u2713
Intermediate · tier 2
ZZZ Issuing CA
Issued by: Codex Root CA
\u2713
Leaf · tier 3
zzz-consulting.com
Issued by: ZZZ Issuing CA
\u2713
Click a certificate above to inspect its fields, or click "Verify chain" to walk the chain of signatures.
05

When Things Go Wrong: Revocation, CRLs, OCSP, CT

What happens when a private key gets compromised, or a CA accidentally issues a certificate for the wrong domain? The certificate has to be revoked. Several mechanisms try to solve this, with varying degrees of success.

MechanismHow it worksReality check
CRL (Certificate Revocation List)CA publishes a list of revoked serial numbers. Clients download periodically.Lists got huge. Most clients stopped checking them.
OCSP (Online Certificate Status Protocol)Client queries CA in real-time about a specific cert.Adds latency. Failures usually default to "trust anyway" (soft-fail).
OCSP StaplingServer includes a fresh OCSP response in the TLS handshake.Works well when servers are configured for it. Many are not.
CRLite / OneCRLMozilla's compact bloom-filter-based revocation set, pushed via browser updates.Modern attempt to make revocation actually reliable.
Short certificate lifetimesJust expire certificates fast (90 days now, dropping to 47 days in 2029).The pragmatic winner. Let's Encrypt and Apple drove this.
DigiNotar (2011) and the case for Certificate Transparency

The DigiNotar CA was compromised in 2011. The attacker issued more than 500 fraudulent certificates, including one for *.google.com, and used them to perform man-in-the-middle attacks on Gmail users in Iran. The attack was only discovered because a curious user spotted a warning. After DigiNotar, the web community built Certificate Transparency (CT): every certificate issued by a publicly trusted CA must be logged to a public append-only log. Browsers refuse to trust certs without CT proofs. This makes silent misissuance impossible: every cert is publicly auditable.

06

Let's Encrypt and ACME

Until 2015, TLS certificates were a paid product. Domain Validation certs typically cost $50 to $200 per year. This pricing kept HTTPS adoption stuck below 50% of web traffic.

Let's Encrypt, launched in 2015 by ISRG with backing from Mozilla, EFF, Cisco, and Akamai, issues free DV certificates via the ACME protocol (RFC 8555). The certs are valid for 90 days and renewal is fully automated. The math:

The whole flow takes seconds. Combined with renewal automation in Certbot, acme.sh, and Caddy, this drove HTTPS adoption past 95% of page loads by 2024. ACME is one of the most successful protocol designs of the last decade.

07

Alternative Trust Models

The CA model is not the only way to bind keys to identities. A few other patterns: