What is a PKI and what is it for?

Nowadays it is highly advisable, or rather necessary, to think in terms of security if we want to be protected from cybercrime on the network and avoid putting our identity, information and data at risk; at Realsec we help with these steps.
To reach an adequate level of protection we can take several measures. One of them is, without a doubt, asymmetric or public-key encryption: a security technology based on a pair of keys (public and private) generated by the RSA algorithm, which forms the basis of what we call a Digital Certificate.
Digital certificates allow us to operate with confidence in the digital ecosystem. With certificates we can encrypt, sign and authenticate ourselves digitally, and they help us to ensure confidentiality, integrity and non-repudiation in electronic transactions.
When using this security technology, it is important to keep in mind that the private key of our certificate is our key and, in effect, our own signature; as in the physical world, we must protect it and keep it in a safe environment.
Public keys, on the other hand, can be exposed, as their name suggests: messages encrypted with our public key can only be decrypted by us, the intended receiver, who hold the matching private key.
Moreover, for digital certificates to be considered trustworthy, they must be issued by a trusted Certification Entity that operates a standards-based Public Key Infrastructure (PKI).
In this way, an Accredited Certification Service Provider can be considered as trustworthy as our own company, provided that the certificates it issues come from a properly run PKI.


A PKI (Public Key Infrastructure) is the set of components and services that manage and administer the generation, issuance, revocation and validation of digital certificates.
In short, it is a trust infrastructure made up of the following components:

  1. A Certification Authority, also known as CA, which is the trust component that issues certificates and determines their validity period.
  2. A Registration Authority, also known as RA, a component that acts as an “interface” between the user and the Certification Authority for issuing and/or revoking certificates.
  3. A Validation Authority, also known as VA, which centralizes, organizes and manages the list of certificates issued, revoked and expired, and makes this information available to users so that they can verify and validate a certificate's status.

It is recommended that the software components of the PKI be integrated with cryptographic devices, or HSMs (Hardware Security Modules), and that they interact with these devices in the generation, storage and custody of the RSA asymmetric keys of the certificates issued, renewed or revoked by the PKI. Likewise, it is recommended that the HSMs integrated with the PKI have an adequate level of certification, such as FIPS 140-2 Level 3 or Common Criteria EAL4+.


A PKI allows you to generate a variety of certificates; the type depends on the nature of the holder and on the intended use.
In general, based on the nature of the holder, digital certificates can be classified into four types:

  • Natural-person certificates: identify and represent a single natural person.
  • Legal-person certificates: identify a natural person with the capacity to represent a legal person or company.
  • Entity-representative certificates: identify a person who acts on behalf of an entity that has no legal personality of its own.
  • Public Administration certificates: identify a public agency.

Similarly, according to their use, certificates serve basically three functions: authenticating, signing and encrypting.
Accordingly, there are authentication certificates: identity certificates, SSL server certificates, S/MIME certificates, web server certificates, etc.
Signing certificates can be used to digitally sign documents and/or contracts in various formats, to sign e-mail, and, with a time-stamping certificate, to establish the time at which a digital signature was made.
Finally, encryption certificates can be used to encrypt files and documents, messages, e-mail, etc.
In summary, asymmetric or public-key encryption, on which digital certificates are based, is an excellent preventive instrument against crime if we want to reduce the risks to which every network user is exposed today.
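As an added example, not code from the original article or from Realsec, the following Go program (standard library only) puts the components described above together in memory: a toy Certification Authority issues certificates with the intended use (server authentication, signing or encryption) recorded in the KeyUsage and ExtendedKeyUsage extensions, a simple map stands in for the Validation Authority's revocation list, and a relying party validates the chain, the validity period, the revocation status and the purpose before trusting a certificate. The names NewCA, Issue, Classify and Validate, the subject names and the 24-hour validity window are constructed for this example; the keys are generated in process memory, whereas the article recommends keeping CA keys in an HSM.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy Certification Authority: it holds the root certificate and the issuing key.
type CA struct {
	Cert *x509.Certificate
	key  *rsa.PrivateKey // in process memory here; the article recommends an HSM for this
}

func signCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root (serial and validity window are constructed values).
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue plays RA+CA: a vetted subject and purpose ("server-auth", "signing", "encryption") go in; the purpose lands in KeyUsage/ExtKeyUsage.
func (ca *CA) Issue(subject, purpose string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject}, // constructed serial; real CAs use unique, unpredictable ones
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	switch purpose {
	case "server-auth":
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject} // the host name a TLS client will match
	case "signing": // contentCommitment is the usage bit behind "non-repudiation"
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	case "encryption":
		tmpl.KeyUsage = x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	default:
		return nil, fmt.Errorf("unknown purpose %q", purpose)
	}
	return signCert(tmpl, ca.Cert, pub, ca.key)
}

// Classify reads the extensions back to answer "what is this certificate for?".
func Classify(c *x509.Certificate) string {
	for _, e := range c.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth {
			return "server-auth"
		}
	}
	if c.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		return "encryption"
	} else if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		return "signing"
	}
	return "unknown"
}

// Validate is the relying party's check: chain and validity period (Verify), VA revocation status, then intended use.
func Validate(root *x509.Certificate, revoked map[string]bool, c *x509.Certificate, want string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain/validity: %w", err)
	}
	if revoked[c.SerialNumber.String()] {
		return fmt.Errorf("certificate %s is revoked", c.SerialNumber)
	}
	if got := Classify(c); got != want {
		return fmt.Errorf("certificate is for %s, not %s", got, want)
	}
	return nil
}
```

Classify shows how a certificate's purpose is read off its extensions rather than guessed from its subject: a web server certificate carries the serverAuth extended key usage (and the host name in its subject alternative names), a personal signing certificate carries the digitalSignature and contentCommitment key-usage bits, and an encryption certificate carries keyEncipherment. Validate rejects a certificate that fails any one of the four checks, so a signing certificate presented for server authentication, an expired certificate, a revoked one, or one issued by a different CA are all refused. In a real deployment the revocation map would be replaced by the VA's CRL or OCSP responder.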

  • Posted at 23:13, 28/10/2020

    Hi, I have a question: how do I know if a certificate is for personal signing or for a web server?

    • Ana Sánchez
      Posted at 12:24, 29/10/2020

      REALSEC team is making contact with you for more information.
