Every digital certificate, every TLS handshake, every digital signature depends on a pair of mathematically linked keys. Understanding how public and private keys work is essential to understanding how trust is built online.
Imagine a special mailbox on your front porch. It has a slot that anyone on the street can drop a letter into. That slot is always open, always visible, and everyone knows where it is. But the mailbox itself is locked, and only you have the key to open it and read what's inside. No matter how many people drop letters in, only you can retrieve them.
This is the basic idea behind public and private keys. The mail slot is your public key, freely shared, openly available, used by anyone who wants to send you encrypted data. The key to open the mailbox is your private key, kept secret, never shared, and the only thing that can decrypt what was encrypted with the public key.
This concept, called asymmetric cryptography, was first proposed publicly in 1976 by Whitfield Diffie and Martin Hellman. It solved one of cryptography's oldest problems, how to exchange secrets securely without needing a pre-shared key, and it remains the foundation of everything from HTTPS to email encryption to digital certificates.
When someone wants to send you confidential data, they encrypt it with your public key. The resulting ciphertext can only be decrypted by your private key. Even the sender cannot reverse the encryption. Only the holder of the private key can.
The relationship works in reverse for signatures. You sign data with your private key, and anyone with your public key can verify that the signature is authentic. This proves both your identity and that the data hasn't been tampered with.
In protocols like TLS, key pairs are used to negotiate a shared session key. The asymmetric keys handle the initial, secure exchange; then a faster symmetric algorithm takes over for the bulk data encryption. This hybrid approach gives you the best of both worlds.
RSA keys of 2048 bits are the current industry minimum. Many organizations now default to 4096 bits for root and intermediate CA keys, providing a larger security margin as computational power increases.
Elliptic Curve keys achieve equivalent security with much shorter lengths. A 256-bit ECC key (P-256 curve) offers security comparable to a 3072-bit RSA key. A 384-bit ECC key matches roughly 7680-bit RSA.
Key generation requires a source of high-quality randomness (entropy). Poor randomness (from flawed hardware, buggy software, or predictable seeds) can produce keys that appear strong but are actually guessable. This is one of the most common silent vulnerabilities in cryptographic systems.
Both RSA and ECC are vulnerable to future quantum computers running Shor's algorithm. Post-quantum algorithms use different mathematical structures (lattices, hash-based schemes) and will require different key sizes entirely.
Inventory every key — Evertrust CLM discovers all certificates and maps the associated key algorithms, lengths, and storage locations. You get a complete picture of your cryptographic posture, including keys that fall below your security standards.
Enforce key policies — Define minimum key lengths, approved algorithms, and mandatory HSM usage for specific certificate types. Evertrust PKI enforces these policies at enrollment time, preventing weak keys from ever being issued.
Automate key rotation — When certificates are renewed or re-keyed, Evertrust automates the generation of new key pairs and the deployment of updated certificates, reducing the risk of key reuse and human error.
Respond to compromise fast — If a key is suspected compromised, Evertrust enables immediate revocation and automated re-issuance across all affected systems, minimizing the window of exposure.
