Public key infrastructure (PKI) includes the various components involved in setting up and managing public key encryption. This encryption enables secure communication between clients and servers through authentication, while also securing internal communications to avoid man-in-the-middle tampering. It's pivotal in powering HTTP communication over SSL/TLS.
PKI can include a mixture of combined parts and strategies that strengthen an organization's overall security posture:
Hardware (phones, tablets, laptops, desktops, servers, etc.)
Software (certificate authorities, registration authorities, databases, storage directories)
Security policies
Security procedures
PKI is vital to securing communication across the internet and thwarting bad actors attempting to impersonate legitimate users. While authentication is critical, upholding privacy is also a key tenet of public key infrastructure.
How does public key infrastructure (PKI) work?
PKI relies on a number of mechanisms to provide ample protection while verifying that users are who they say they are. This trust is established by exchanging digital certificates and corresponding public keys when communication is first established.
Both the client and server use this public key, which is typically stored on the server, within a vendor's hardware secure module (HSM), and within a dedicated management application or file on the user's machine. However, some PKIs also leverage private keys, which are kept secret, in conjunction with private keys. These private keys aren't always required but they do allow for decryption on the recipient's machine.
These private and public key pairings are encrypted using a number of complex algorithms (such as RSA and elliptic curve cryptography)—each offering varied levels of hardening. RSA specifically unlocks asymmetric encryption measures that rely on both public and private keys to encrypt messages. However, the corresponding key on the recipient's end will unscramble any secure messages to make them human-readable.
Core components of public key infrastructure (PKI)
PKI includes (but isn't limited to) the following:
Certificate authority (CA) – A trusted entity that issues, stores, and signs digital certificates. A certificate authority will typically sign a certificate using its private key before publishing an accessible public key.
Registration authority (RA) – Verifies the client's identity following a digital certificate request. The RA and CA can be the same verification entity, or the RA can be a third party.
Certificate database – Stores the digital certificates and any associated metadata, including expiry dates
Directory – A central location where keys are registered and stored
Certificate management system – Oversees certificate allocation and access
Certificate policy – A published set of guidelines and codes of conduct that outlines PKI behaviors. External users can evaluate this information to gauge how trustworthy the PKI entity is.
As part of this, a certificate authority can vouch for a given digital entity to build trust. The digital certificates we've mentioned are occasionally called PKI certificates, and sometimes X.509 certificates. X.509 is a standardized format for public key certificates that has seen multiple revisions since 1988, while supporting SSL/TLS/HTTPS encryption, client authentication S/MIME email encryption, code and document signing, and electronic ID issuance.
Finally, a digital certificate itself has many components that highlight its functionality, trustworthiness, and transparency for the user:
Owner name (or distinguished name)
The owner's public key
Issue date
Expiration date
The CA's name
The issuer's digital signature
While closed-source PKI options are out there, many trustworthy and affordable (or free) open source services are available. OpenSSL and Let's Encrypt are two of the biggest names in the industry, but numerous alternatives from various organizations support a wide range of internal and external use cases (such as CA service establishment, tool creation, certificate lifecycle management, and more).
Where does HAProxy fit within an organization's public key infrastructure (PKI)?
HAProxy Enterprise, HAProxy Enterprise Kubernetes Ingress Controller, and HAProxy ALOHA support multiple functions that contribute to a secure-and-robust PKI. We can redirect requests or generate other custom responses for expired certificates (apart from standard blocking), easily fetch information on request rates and certificates based on certificate serial number, and control which domains require mTLS on the same IP.
HAProxy Enterprise also enables zero-trust mTLS automation and automated TLS certificate management. To learn more about HAProxy and PKI, check out our blog posts on HAProxy and Let’s Encrypt: Improved Support in acme.sh or Zero-Trust mTLS Automation with HAProxy and SPIFFE/SPIRE.
