55 Terms

PKI Knowledge Base

Your comprehensive guide to Public Key Infrastructure, digital certificates, and cryptography terminology.

Cryptographic Fundamentals

8 terms

Cryptography

Definition

The science of securing information by transforming it into an unreadable format using mathematical algorithms, ensuring confidentiality, integrity, and authenticity of data.

Usage

Used as the foundation for all secure digital communications, including encrypted messaging, secure web browsing, and digital signatures.

How EverTrust helps

EverTrust's PKI solutions are built on proven cryptographic standards, ensuring your certificates and keys meet the highest security requirements.

Symmetric Encryption

Definition

An encryption method where the same secret key is used for both encrypting and decrypting data, offering fast performance for bulk data protection.

Usage

Used for encrypting large volumes of data at rest or in transit, such as database encryption, file encryption, and VPN tunnels.

How EverTrust helps

EverTrust helps manage the certificates and keys that protect symmetric key exchanges, ensuring end-to-end security for encrypted communications.

Asymmetric Encryption

Definition

An encryption method using a mathematically linked key pair, a public key for encryption and a private key for decryption, enabling secure communication without shared secrets.

Usage

Used in PKI for digital signatures, certificate-based authentication, secure key exchange (e.g., TLS handshake), and encrypted email.

How EverTrust helps

EverTrust automates the lifecycle of asymmetric key pairs and their associated certificates across your entire infrastructure.

Public Key

Definition

A cryptographic key used for encrypting data or verifying digital signatures, paired with a private key.

Usage

Used to encrypt sensitive data and validate signatures in PKI frameworks for secure transactions.

How EverTrust helps

EverTrust provides secure public key management and automated key lifecycle tools.

Private Key

Definition

A confidential cryptographic key used to decrypt data or create digital signatures for secure operations.

Usage

Used to decrypt information encrypted with a public key or sign data for authentication purposes.

How EverTrust helps

EverTrust secures private keys using encryption standards and secure key storage solutions.

Key Pair

Definition

A set of cryptographic keys (public and private) used together for encryption, decryption, and digital signatures.

Usage

Used for asymmetric encryption where data encrypted with one key is decrypted with the other.

How EverTrust helps

EverTrust provides secure key pair generation, storage, and lifecycle management.

Digital Signature

Definition

A cryptographic mechanism that uses a private key to sign data, allowing anyone with the corresponding public key to verify the signer's identity and data integrity.

Usage

Used to authenticate the origin of documents, software, emails, and transactions, providing non-repudiation and tamper detection.

How EverTrust helps

EverTrust manages the certificates used for digital signing, ensuring your signing keys remain valid, trusted, and compliant.

Hashing

Definition

A one-way cryptographic function that converts data of any size into a fixed-length string (hash), used for integrity verification and password storage.

Usage

Used for verifying file integrity, storing passwords securely, generating certificate fingerprints, and building digital signatures.

How EverTrust helps

EverTrust leverages industry-standard hash algorithms across its platform to ensure certificate integrity and secure validation processes.

PKI - Actors & Architecture

12 terms

PKI (Public Key Infrastructure)

Definition

A framework managing digital keys and certificates to secure data and verify identities in secure communications.

Usage

Used for securing transactions, encrypting data, and verifying user identities in digital environments.

How EverTrust helps

EverTrust provides automated PKI management with tools for certificate issuance and lifecycle automation.

Digital Certificate

Definition

A digital file linking a public key to an identity, ensuring authenticity in secure communications.

Usage

Used to verify server, user, or device identities in encrypted communications and data exchanges.

How EverTrust helps

EverTrust offers automated certificate issuance and lifecycle management for security compliance.

Certificate Authority (CA)

Definition

A trusted entity that issues and manages digital certificates for verifying identities in secure communications.

Usage

Used for validating identities and ensuring trust within a PKI by issuing digital certificates.

How EverTrust helps

EverTrust automates CA management with lifecycle tools and compliance monitoring.

Registration Authority (RA)

Definition

An entity that verifies the identity of certificate requesters before the Certificate Authority issues a certificate, acting as a gatekeeper in the PKI trust model.

Usage

Used in enterprise PKI to delegate identity verification, enforce enrollment policies, and streamline certificate issuance workflows.

How EverTrust helps

EverTrust's workflow engine acts as a powerful RA, automating identity verification and approval processes before certificate issuance.

Validation Authority (VA)

Definition

A PKI component responsible for providing real-time certificate status information, typically via OCSP or CRL distribution, to relying parties.

Usage

Used to check whether a certificate has been revoked or is still valid, enabling trust decisions in real time.

How EverTrust helps

EverTrust integrates with Validation Authorities to provide continuous certificate status monitoring and revocation checking.

Root Certificate

Definition

A top-level certificate that establishes trust in a PKI hierarchy and signs other certificates.

Usage

Used as the foundation of trust to validate certificates issued within a PKI structure.

How EverTrust helps

EverTrust simplifies root certificate management with secure storage and monitoring tools.

Intermediate Certificate

Definition

A certificate issued by a root CA to sign other certificates and extend trust within a PKI.

Usage

Used for extending trust from the root certificate to additional end-entity certificates.

How EverTrust helps

EverTrust automates intermediate certificate issuance and lifecycle tracking.

X.509

Definition

The international standard (ITU-T) defining the format of public key certificates, including fields like subject, issuer, validity period, and extensions used across PKI systems.

Usage

Used as the universal format for TLS/SSL certificates, email certificates, code signing certificates, and any PKI-based identity verification.

How EverTrust helps

EverTrust fully supports X.509 certificate management, parsing all standard fields and extensions for comprehensive lifecycle oversight.

Certificate Chain of Trust

Definition

The hierarchical sequence of certificates, from an end-entity certificate through intermediate CAs up to a trusted root CA, that allows relying parties to verify authenticity.

Usage

Used by browsers, applications, and devices to validate that a certificate was issued by a trusted authority before establishing a secure connection.

How EverTrust helps

EverTrust provides full chain-of-trust visibility, alerting you to broken chains, missing intermediates, or untrusted roots across your infrastructure.

Certificate Transparency (CT)

Definition

An open framework of public, append-only logs that record all issued TLS certificates, enabling domain owners and the public to detect misissued or rogue certificates.

Usage

Used to monitor certificate issuance for your domains, detect unauthorized certificates, and improve overall trust in the web PKI ecosystem.

How EverTrust helps

EverTrust monitors Certificate Transparency logs to help you detect unauthorized certificate issuance for your domains and maintain security oversight.

Certificate Revocation List (CRL)

Definition

A list of revoked certificates that should no longer be trusted within a PKI system.

Usage

Used for identifying invalid certificates to prevent security breaches.

How EverTrust helps

EverTrust automates CRL generation and distribution for secure validation.

Online Certificate Status Protocol (OCSP)

Definition

A protocol for real-time validation of a certificate's revocation status without downloading full CRLs.

Usage

Used for real-time validation of certificate status in secure web transactions.

How EverTrust helps

EverTrust supports OCSP for continuous monitoring of certificate status.

Certificate Types

6 terms

TLS/SSL Certificate

Definition

A digital certificate that authenticates a server's identity and enables encrypted connections between a client (browser) and a server using the TLS protocol.

Usage

Used on websites and web applications to enable HTTPS, protecting user data in transit and establishing trust with visitors.

How EverTrust helps

EverTrust automates the discovery, issuance, renewal, and monitoring of all your TLS/SSL certificates across environments.

S/MIME Certificate

Definition

A certificate used to digitally sign and encrypt email messages, ensuring sender authenticity and message confidentiality using the S/MIME standard.

Usage

Used in enterprise email to prevent phishing, guarantee sender identity, and protect sensitive communications from interception.

How EverTrust helps

EverTrust manages S/MIME certificate lifecycles at scale, enabling secure corporate email with automated enrollment and renewal.

Code Signing Certificate

Definition

A certificate used by software developers to digitally sign executables, scripts, and packages, proving the code's origin and integrity.

Usage

Used to build user trust in downloaded software, satisfy OS security requirements, and prevent tampering with distributed code.

How EverTrust helps

EverTrust helps secure your software supply chain by managing code signing certificate lifecycles and enforcing signing policies.

Client Authentication Certificate

Definition

A digital certificate installed on a user's device or application that proves the client's identity to a server during a TLS handshake, enabling mutual authentication.

Usage

Used for strong user authentication in VPNs, corporate networks, APIs, and zero-trust architectures as an alternative or complement to passwords.

How EverTrust helps

EverTrust streamlines client certificate provisioning and lifecycle management, making certificate-based authentication scalable across your organization.

IoT / Device Certificate

Definition

A certificate embedded in or provisioned to an IoT device or connected endpoint, establishing its unique identity and enabling secure machine-to-machine communication.

Usage

Used to authenticate devices on networks, secure firmware updates, encrypt telemetry data, and prevent unauthorized devices from connecting.

How EverTrust helps

EverTrust supports large-scale IoT certificate provisioning and lifecycle management, handling millions of device identities with automated enrollment protocols.

Wildcard Certificate

Definition

A TLS certificate that secures a domain and all its single-level subdomains using a wildcard character (*) in the Common Name or SAN field (e.g., *.example.com).

Usage

Used to simplify certificate management when many subdomains share the same server, reducing the number of certificates to manage.

How EverTrust helps

EverTrust provides full visibility and lifecycle management for wildcard certificates, helping you track where they are deployed and manage renewal across hosts.

PKI Protocols

7 terms

TLS (Transport Layer Security)

Definition

A cryptographic protocol that provides end-to-end encryption, authentication, and data integrity for communications over a network, succeeding SSL.

Usage

Used to secure web traffic (HTTPS), email, VoIP, instant messaging, and virtually all modern internet communications.

How EverTrust helps

EverTrust ensures your TLS infrastructure stays secure by automating certificate management and monitoring for expiring or weak certificates.

mTLS (Mutual TLS)

Definition

An extension of TLS where both the client and server authenticate each other using certificates, establishing bidirectional trust.

Usage

Used in zero-trust architectures, service mesh communications, API security, and any scenario where both parties must prove their identity.

How EverTrust helps

EverTrust simplifies mTLS deployments by managing both server and client certificates, automating enrollment, and monitoring trust relationships.

ACME Protocol

Definition

The Automatic Certificate Management Environment protocol, standardized in RFC 8555, that automates certificate issuance, renewal, and revocation between a CA and a server.

Usage

Used by Let's Encrypt and enterprise CAs to fully automate TLS certificate provisioning, eliminating manual certificate management tasks.

How EverTrust helps

EverTrust supports the ACME protocol, enabling automated certificate enrollment and renewal that integrates seamlessly with your existing infrastructure.

SCEP (Simple Certificate Enrollment Protocol)

Definition

A protocol designed for scalable certificate enrollment, originally developed by Cisco, allowing devices to request and receive certificates from a CA automatically.

Usage

Used primarily for MDM (Mobile Device Management) and network device certificate enrollment in enterprise environments.

How EverTrust helps

EverTrust supports SCEP-based enrollment, enabling automated certificate provisioning for mobile devices and network equipment.

EST (Enrollment over Secure Transport)

Definition

A modern certificate enrollment protocol (RFC 7030) that uses HTTPS as its transport, providing a simpler and more secure alternative to SCEP for certificate management.

Usage

Used for automated certificate enrollment in enterprise and IoT environments where a modern, standards-based enrollment protocol is required.

How EverTrust helps

EverTrust supports EST for secure, standards-compliant certificate enrollment across your device fleet and server infrastructure.

CMPv2 (Certificate Management Protocol)

Definition

A comprehensive certificate management protocol (RFC 4210) supporting the full certificate lifecycle including enrollment, renewal, revocation, and key update, widely used in telecom.

Usage

Used in telecommunications (3GPP/5G), industrial systems, and enterprise PKI deployments requiring a full-featured, standards-based management protocol.

How EverTrust helps

EverTrust supports CMPv2 for comprehensive certificate lifecycle management, particularly in telecom and critical infrastructure environments.

OCSP Stapling

Definition

A TLS extension where the server obtains a time-stamped OCSP response from the CA and 'staples' it to the TLS handshake, so the client doesn't need to contact the CA directly.

Usage

Used to improve TLS connection performance and user privacy by reducing the need for clients to make separate OCSP requests to the CA.

How EverTrust helps

EverTrust monitors OCSP stapling configurations across your infrastructure, helping ensure optimal TLS performance and certificate validation.

Certificate Lifecycle Management

8 terms

Certificate Lifecycle Management (CLM)

Definition

The end-to-end process of managing digital certificates from initial request and issuance through renewal, revocation, and replacement across an organization's infrastructure.

Usage

Used by security teams to maintain visibility and control over all certificates, prevent outages from expired certificates, and ensure compliance with security policies.

How EverTrust helps

EverTrust Horizon is a purpose-built CLM platform that provides full certificate lifecycle automation, from discovery to renewal, across all your CAs and environments.

Certificate Discovery

Definition

The automated process of scanning networks, endpoints, cloud environments, and certificate stores to find all deployed certificates, including unknown or unmanaged ones.

Usage

Used as the first step in gaining visibility over your certificate landscape, identifying shadow certificates, and building a complete inventory.

How EverTrust helps

EverTrust Horizon discovers certificates across your entire infrastructure (on-premises, cloud, and hybrid), building a comprehensive, real-time inventory.

Certificate Inventory

Definition

A centralized, up-to-date repository of all digital certificates within an organization, including metadata such as issuer, expiry date, key strength, and deployment location.

Usage

Used by IT and security teams to track certificate sprawl, plan renewals, identify compliance gaps, and prevent outages caused by expired certificates.

How EverTrust helps

EverTrust Horizon maintains a live certificate inventory with advanced filtering, alerting, and reporting capabilities for complete certificate visibility.

Certificate Enrollment

Definition

The process by which an entity (user, server, or device) requests and obtains a digital certificate from a Certificate Authority, involving identity verification and key generation.

Usage

Used whenever a new certificate is needed (for a new server, employee, device, or application), following organizational policies and approval workflows.

How EverTrust helps

EverTrust automates certificate enrollment through self-service portals, API integrations, and protocol support (ACME, SCEP, EST, CMP), reducing manual effort.

Certificate Renewal

Definition

The process of replacing an expiring certificate with a new one, typically preserving the same identity and key pair or generating a new key, before the current certificate expires.

Usage

Used to maintain uninterrupted secure services by replacing certificates before they expire, following an automated or scheduled renewal process.

How EverTrust helps

EverTrust automates certificate renewal with configurable policies, advance notifications, and automated workflows to eliminate expiration-related outages.

Certificate Revocation

Definition

The act of permanently invalidating a certificate before its scheduled expiry date, typically due to key compromise, employee departure, or policy change.

Usage

Used when a certificate can no longer be trusted (after a security incident, staff change, or system decommissioning) to prevent unauthorized use.

How EverTrust helps

EverTrust enables instant certificate revocation with automated CRL and OCSP updates, ensuring revoked certificates are immediately untrusted across your infrastructure.

Automated Certificate Management

Definition

The use of software tools and protocols to automatically handle certificate issuance, renewal, deployment, and revocation without manual intervention.

Usage

Used to scale certificate management across large environments, reduce human error, prevent outages, and keep pace with shorter certificate lifetimes.

How EverTrust helps

EverTrust provides end-to-end certificate automation via policy-driven workflows, protocol integrations (ACME, SCEP, EST), and API-first architecture.

Certificate Policy & Governance

Definition

The set of organizational rules, standards, and procedures governing how certificates are issued, used, managed, and retired within an enterprise.

Usage

Used to enforce security standards, comply with regulations (eIDAS, NIS2, DORA), define approval workflows, and maintain audit trails for certificate operations.

How EverTrust helps

EverTrust enforces certificate policies through configurable templates, approval workflows, and compliance dashboards aligned with regulatory requirements.

Security & Machine Identities

9 terms

HSM (Hardware Security Module)

Definition

A dedicated, tamper-resistant physical device that generates, stores, and manages cryptographic keys in a highly secure environment, certified to standards like FIPS 140-2/3.

Usage

Used to protect the most sensitive keys in a PKI, especially CA signing keys, from extraction or unauthorized access, meeting regulatory requirements.

How EverTrust helps

EverTrust integrates with leading HSM vendors (Thales, Entrust, Utimaco) to ensure your most critical cryptographic keys are hardware-protected.

Machine Identity

Definition

The digital credentials (certificates, keys, tokens) that uniquely identify and authenticate machines, applications, containers, and services in a network.

Usage

Used to establish trust between machines in service meshes, cloud-native architectures, APIs, and DevOps pipelines where human-based authentication is impractical.

How EverTrust helps

EverTrust provides comprehensive machine identity management, giving you visibility and control over every certificate and key in your infrastructure.

Crypto-Agility

Definition

The ability of an organization's systems and infrastructure to rapidly switch between cryptographic algorithms and key sizes without significant operational disruption.

Usage

Used to prepare for algorithm deprecation (e.g., SHA-1 sunset), emerging threats (e.g., quantum computing), and evolving compliance requirements.

How EverTrust helps

EverTrust enables crypto-agility through centralized certificate visibility, automated workflows, and algorithm tracking, all key to preparing for post-quantum migration.

Non-Repudiation

Definition

A security property ensuring that the sender of a message or signer of a document cannot deny having performed the action, typically achieved through digital signatures.

Usage

Used in legal, financial, and regulatory contexts to provide irrefutable proof of authorship, approval, or transmission of digital documents and transactions.

How EverTrust helps

EverTrust manages the certificates that underpin non-repudiation, ensuring signing keys are valid, trusted, and their usage is properly audited.

Certificate Outage

Definition

A service disruption caused by an expired, misconfigured, or revoked certificate that prevents TLS connections, authentication, or other certificate-dependent operations from functioning.

Usage

Represents one of the most common yet preventable causes of downtime, impacting websites, APIs, payment systems, and internal services worldwide.

How EverTrust helps

EverTrust prevents certificate outages through proactive expiry monitoring, automated renewal workflows, and real-time alerting across your entire certificate estate.

Shadow Certificate

Definition

A certificate deployed within an organization's infrastructure that is unknown to the security team, often self-signed, issued by unauthorized CAs, or provisioned outside approved processes.

Usage

Represents a significant security risk as unmanaged certificates can expire unexpectedly, use weak cryptography, or create untrusted entry points.

How EverTrust helps

EverTrust's continuous discovery capabilities detect shadow certificates across your network, bringing them into your managed inventory for proper lifecycle management.

Certificate Pinning

Definition

A security technique where an application is configured to accept only specific certificates or public keys for a given server, rejecting any other valid certificate.

Usage

Used in mobile apps and critical services to prevent man-in-the-middle attacks even if an attacker has a valid certificate from a compromised or rogue CA.

How EverTrust helps

EverTrust helps manage pinned certificates by tracking pin configurations and coordinating certificate rotations to avoid application breakage.

Key Rotation

Definition

The practice of periodically replacing cryptographic keys with new ones to limit the exposure window if a key is compromised and to comply with security policies.

Usage

Used as a security best practice for all types of keys (TLS, signing, encryption), with rotation frequency determined by risk assessment and compliance requirements.

How EverTrust helps

EverTrust automates key rotation across your infrastructure, ensuring new keys and certificates are deployed seamlessly without service disruption.

TSA (Timestamping Authority)

Definition

A trusted third-party service that cryptographically proves that a piece of data (document, signature, transaction) existed at a specific point in time.

Usage

Used in code signing, legal document management, and regulatory compliance to prove when a digital signature was created, even after the signing certificate expires.

How EverTrust helps

EverTrust manages the certificates used by Timestamping Authorities and integrates timestamping into certificate lifecycle workflows for long-term signature validity.

Post-Quantum Cryptography

5 terms

Post-Quantum Cryptography (PQC)

Definition

A new generation of cryptographic algorithms designed to be secure against attacks from both classical and quantum computers, standardized by NIST to replace vulnerable algorithms.

Usage

Used to future-proof encryption and digital signatures against the threat of quantum computers capable of breaking RSA and ECC-based cryptography.

How EverTrust helps

EverTrust helps organizations prepare for the post-quantum transition through crypto-agility features, algorithm inventory, and migration planning tools.

Harvest Now, Decrypt Later

Definition

An attack strategy where adversaries intercept and store encrypted data today with the intention of decrypting it in the future when sufficiently powerful quantum computers become available.

Usage

Represents the primary near-term threat from quantum computing, particularly for data that must remain confidential for years or decades (state secrets, health records, IP).

How EverTrust helps

EverTrust helps you identify and prioritize the certificates and keys protecting your most sensitive long-lived data, supporting your post-quantum migration roadmap.

ML-DSA (CRYSTALS-Dilithium)

Definition

A lattice-based digital signature scheme selected by NIST as the primary post-quantum standard for digital signatures (FIPS 204), designed to replace RSA and ECDSA signatures.

Usage

Will be used for certificate signing, code signing, document signing, and all applications currently relying on RSA or ECC-based digital signatures.

How EverTrust helps

EverTrust is preparing to support ML-DSA-based certificates, ensuring your PKI can transition to post-quantum signatures when standards are fully deployed.

ML-KEM (CRYSTALS-Kyber)

Definition

A lattice-based key encapsulation mechanism selected by NIST as the primary post-quantum standard for key exchange (FIPS 203), designed to replace Diffie-Hellman and ECDH.

Usage

Will be used in TLS handshakes and other key exchange protocols to establish shared secrets securely, even against quantum adversaries.

How EverTrust helps

EverTrust tracks algorithm usage across your certificate estate, helping you identify systems that will need to migrate to ML-KEM for quantum-safe key exchange.

Shor's Algorithm

Definition

A quantum computing algorithm discovered by Peter Shor in 1994 that can efficiently factor large integers and solve discrete logarithm problems, threatening RSA and ECC cryptography.

Usage

Represents the theoretical basis for why current public-key cryptography (RSA, ECC, DH) will become insecure once large-scale quantum computers are available.

How EverTrust helps

EverTrust's crypto-agility and algorithm tracking capabilities help you prepare for the Shor's algorithm threat by inventorying vulnerable certificates and planning migration.