
Public key infrastructure

A public key infrastructure (PKI) is the organisational and technical system for generating, distributing, managing and revoking digital certificates and cryptographic keys based on chains of trust.

A public key infrastructure (PKI) brings together the processes, roles, policies and technical components used to manage digital certificates throughout their entire lifecycle. At its heart lies asymmetric cryptography: each key pair consists of a public and a private key, and a trusted certification authority (CA) binds the public key to an identity by signing an X.509 certificate. Whether that binding also carries legal effect depends on the certificate type and the applicable law, for example for qualified certificates under eIDAS. Through the protocols and formats built on it, a PKI thereby enables authenticity, integrity, confidentiality and non-repudiation for communication, signatures and encryption.

The trust model rests on hierarchical chains of trust: a root CA acts as the trust anchor and signs subordinate intermediate certification authorities (sub-CAs), which in turn issue end-entity certificates; a relying party accepts an end-entity certificate only if every signature in the chain up to a root it trusts is valid. Key building blocks are the registration authority (RA) for identity verification, a directory service that publishes certificates, and revocation mechanisms: the certificate revocation list (CRL), a signed list of revoked serial numbers that the CA publishes periodically, and the Online Certificate Status Protocol (OCSP), which answers a status query for a single certificate. The relevant procedures are formally defined in a certificate policy (CP) and a certification practice statement (CPS).

In the context of information security, a PKI is a central tool for implementing protection objectives and access control. It underpins TLS-secured connections, qualified electronic signatures under the eIDAS Regulation, S/MIME email encryption and certificate-based authentication in zero-trust architectures. The BSI IT-Grundschutz framework and ISO/IEC 27001 require managed key handling, and a PKI operationalises this requirement. Protecting private keys, above all the CA keys, is critical: CA keys are typically generated and kept in hardware security modules (HSM), and every key and certificate is subject to end-to-end lifecycle management from issuance to revocation.

Legal Basis

Regulation (EU) No 910/2014 (eIDAS); ISO/IEC 27001 Annex A; BSI IT-Grundschutz module CON.1 (cryptographic concept)

Practical Example

An information security officer at a mid-sized machinery manufacturer introduces an internal PKI to secure machine-to-machine communication and remote access for service technicians. In the certificate policy he specifies that the root CA private key is kept exclusively offline in an HSM, that device and user certificates have a maximum lifetime of one year, and that relying systems check revocation status via OCSP. When a technician's laptop is stolen, he immediately revokes the laptop's certificate at the issuing CA; the OCSP responder and the next published CRL then report it as revoked, and the remote-access gateways reject the certificate even though it has not yet expired. Revocation only takes effect once a relying system has seen the new status, so the policy also keeps OCSP response lifetimes and CRL publication intervals short.
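The following script is an added example, not code from this page or from preeco: it builds the two-tier hierarchy from the practical example with the openssl command-line tool (OpenSSL 1.1.1 or later is assumed), issues a device certificate under the one-year limit from the policy, verifies the chain, then revokes the certificate and shows that both a CRL check and a locally answered OCSP query reject it while the certificate is still within its validity period. All names (Example Root CA, Example Issuing CA, press-0042.plant.example) are made up. The root key is written to disk and the serial number file is sequential only so that the script runs stand-alone; the policy above would keep the root key in an offline HSM, and a production CA would use random serial numbers.

```shell
#!/bin/sh
# Added example, not part of the original page: two-tier PKI with the openssl CLI.
# Root CA (offline in practice) -> issuing sub-CA -> device certificate; chain
# verification, CRL issuance, revocation, and an OCSP answer from the CA database.
set -eu

pki_setup() {
  WORK=$(mktemp -d); cd "$WORK"
  # 'openssl ca' needs its database, serial and CRL-number files up front.
  mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/issuing.pem
private_key = $dir/issuing.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_cn
x509_extensions = device_ext
[ policy_cn ]
commonName = supplied
[ device_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # Root CA: self-signed trust anchor, allowed to sign exactly one CA level below it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config pki.cnf -extensions v3_root -subj "/CN=Example Root CA" \
    -keyout root.key -out root.pem 2>/dev/null
  # Issuing sub-CA: CSR signed by the root with CA:TRUE, pathlen:0.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile pki.cnf -extensions v3_subca -out issuing.pem 2>/dev/null
  # Device certificate: issued by the sub-CA via 'openssl ca' (365 days, per policy),
  # which also records it in index.txt, the database the CRL and OCSP responder read.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=press-0042.plant.example" -keyout device.key -out device.csr 2>/dev/null
  openssl ca -config pki.cnf -batch -notext -in device.csr -out device.pem >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out issuing.crl 2>/dev/null   # initial, empty CRL
}

# Relying-party view: chain to the root, sub-CA as untrusted intermediate, leaf checked
# against the sub-CA's CRL. Prints "valid", "revoked", or the verify error.
device_status() {
  out=$(openssl verify -crl_check -CAfile root.pem -untrusted issuing.pem \
        -CRLfile issuing.crl device.pem 2>&1) && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out"; return 1 ;;
  esac
}

# Revoke at the issuing CA and publish a new CRL; until relying parties fetch it,
# they still see the old status.
revoke_device() {
  openssl ca -config pki.cnf -revoke device.pem -crl_reason keyCompromise 2>/dev/null
  openssl ca -config pki.cnf -gencrl -out issuing.crl 2>/dev/null
}

# OCSP request answered locally from index.txt; the sub-CA signs its own responses here.
ocsp_status() {
  openssl ocsp -index index.txt -CA issuing.pem -rsigner issuing.pem -rkey issuing.key \
    -issuer issuing.pem -cert device.pem -CAfile root.pem -no_nonce 2>/dev/null \
    | sed -n 's/^device\.pem: //p'
}

pki_setup
echo "before revocation: verify=$(device_status) ocsp=$(ocsp_status)"
revoke_device
echo "after revocation:  verify=$(device_status) ocsp=$(ocsp_status)"
```

Run it with sh; it works in a fresh temporary directory and leaves the files there for inspection (openssl x509 -in device.pem -noout -text, openssl crl -in issuing.crl -noout -text). The two verify calls make the point of the practical example concrete: the device certificate is rejected after revocation although its notAfter date is still a year away, but only because the relying party fetched the updated CRL or asked the responder, which is why default_crl_days and OCSP response caching bound the exposure window.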

FAQ

What is the difference between a certificate and a PKI?

A certificate is a single signed record that binds a public key to an identity. The PKI is the overarching system of certification authorities, registration authorities, policies and revocation mechanisms that issues, distributes, validates and revokes such certificates across their entire lifecycle.

How is a certificate revoked before it expires?

Revocation is handled via certificate revocation lists (CRL) or the Online Certificate Status Protocol (OCSP). As soon as a private key is compromised or the identity no longer applies, the CA marks the certificate as revoked; verifying systems that check the CRL or query OCSP then reject it even though its expiry date has not yet been reached.

Do ISO/IEC 27001 and BSI IT-Grundschutz require a PKI?

Neither standard mandates a specific product, but both require managed key handling and the appropriate use of cryptography. A PKI is the common and proven way to meet these requirements for key management, chains of trust and access control.
