Public Key Infrastructure (PKI ) consists of software and hardware elements for building a hierarchy of trust to securely and privately exchange the information over public unsecure networks.
PKI is using mathematically related key pairs to encrypt and decrypt information (asymmetric encryption). It is is usually used for data encryption (e.g., with SSL certificates, for sending authenticated and encrypted email messages, secure instant messaging, ...), for digital signing and for enterprise grade authentication solutions or single sign-on, while a trusted third party establishes the integrity and ownership of the used public keys.
Key pairs for asymmetric encryption consist of a cryptographic private key and a cryptographic public key. Both keys are mathematically related. Information can be encrypted using the public key only, but decryption requires both, the public key and the private key. When using asymmetric encryption, public keys will be distributed to and shared with communication partners (peers), while private keys must remain with their owners and must never be shared with anyone else. This still poses the risk, that public keys are intercepted and altered by third-parties, while being distributed using unsecure networks.
PKI addresses this risk and ensures, that distributed public keys really belong to the intended peers. This is achieved by using a trusted third party, the certificate authority (CA). The certificate authority typically checks the identity of the key owner (subject) and then issues the key pair to the key owner, whereas private keys usually are provided as key files, on smart cards or on USB tokens, and public keys in form of public key certificates. A public key certificate is binary data containing the public key and information about the subjects' identity, which has been signed (encrypted) by the certificate authority itself. The most commonly used standard for robust public key certificates is X.509; the most common certificate formats are the binary form DER or the textual representation PEM .
The certificate authority shares the public key certificates (e.g., in form of a searchable certificate database on its websites) and maintains certificate revocation lists (CRLs). The revocation lists allow peers to verify the status of public key certificates. This way, peers can always check the validity and status of public key certificates, whether the person or system identified as sending the information really is the originator, that the person or system receiving the information is the intended recipient, and that the information has not been compromised between originator and recipient.