Public Key Infrastructure (PKI)
Complete Notes + Real-Life Examples + Diagrams + Practical Lab Code (Perfect for University Exams, Interviews & Certifications – 2025 Updated)
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI)
Complete Notes + Real-Life Examples + Diagrams + Practical Lab Code
(Perfect for University Exams, Interviews & Certifications – 2025 Updated)
What is PKI in One Line?
PKI is the complete ecosystem that allows you to trust public keys of strangers
(Google, your bank, WhatsApp, Elon Musk, Indian Government) using Digital Certificates and trusted authorities.
Real-Life Examples You Use Every Day
| Website / App | PKI Component You See/Use | Who issued the certificate? |
|---|---|---|
| https://google.com | Padlock → “DigiCert” or “Google Trust Services” | DigiCert / Google Trust Services |
| netbanking.hdfcbank.com | “Valid certificate – Issued to HDFC Bank” | Entrust / Sectigo |
| WhatsApp E2E verification | Safety number → uses Signal Protocol + X.509-like | Signal’s own PKI |
| Aadhaar eSign | USB token + certificate issued by licensed CA | CCA licensed CAs (e.g., eMudhra) |
| Windows Update | Microsoft-signed drivers (.cat files) | Microsoft Root CA |
| Apple iOS App Store | Developer certificate + Apple Root CA | Apple |
Core Components of PKI (Exam Table)
| Component | Role | Real Example |
|---|---|---|
| End Entity (EE) | Person/device that owns the key pair | Your browser, bank server |
| Certificate Authority (CA) | Trusted organization that issues certificates | DigiCert, Let’s Encrypt, CCA India |
| Registration Authority (RA) | Verifies identity before CA issues certificate | Bank branch, eMudhra office |
| Certificate Repository | Public directory where certificates are stored (LDAP, HTTP) | crt.sh, Google Transparency |
| Certificate Revocation List (CRL) / OCSP | List of cancelled certificates | crl.website.com or ocsp.digicert.com |
| Root CA | Ultimate trust anchor – pre-installed in OS/browser | DigiCert Global Root, ISRG Root X1 |
| Intermediate CA | Signs end-user certs (never expose Root private key) | DigiCert SHA2 Secure Server CA |
Certificate Chain (How Trust Flows)
Root CA (offline, air-gapped)
↓ signs
Intermediate CA (online)
↓ signs
End Entity Certificate → google.com, hdfcbank.com, yourname@aadhar.com
Your browser trusts google.com because:
Root → Intermediate → google.com (all signatures valid + not revoked)
X.509 Certificate Structure (Most Important for Exams)
| Field | Meaning (Simple) | Example Value |
|---|---|---|
| Version | v3 (current) | 2 (means v3) |
| Serial Number | Unique ID given by CA | 04:2a:1d:... |
| Signature Algorithm | ecdsa-with-SHA384 or sha256WithRSAEncryption | sha256WithRSAEncryption |
| Issuer | Who signed this certificate | CN=DigiCert Global Root CA |
| Validity Period | Not Before / Not After | 2024-01-01 → 2028-01-01 |
| Subject | Owner of this certificate | CN=*.google.com |
| Subject Public Key | The actual public key | RSA 2048 or EC P-256 |
| Extensions | Very important! | |
| → Key Usage | digitalSignature, keyEncipherment | |
| → Extended Key Usage | Server Authentication, Client Authentication | |
| → Subject Alternative Name (SAN) | All domains this cert protects | DNS:google.com, www.google.com |
| CRL Distribution Points | Where to check if revoked | http://crl3.digicert.com/... |
| Authority Info Access | OCSP URL | http://ocspike.digicert.com |
Certificate Revocation – Two Methods
| Method | How it works | Real-Life Use | Pros/Cons |
|---|---|---|---|
| CRL | CA publishes a big list of revoked serial nos | Older systems | Huge file, slow |
| OCSP | Browser asks CA in real-time: “Is this OK?” | Chrome, Firefox, Banks | Fast but privacy leak |
| OCSP Stapling | Server sends pre-fetched OCSP response | Google, Cloudflare, modern sites | Fast + private |
| CRLite / OneCRL (Firefox) | Bloom filter based – no privacy leak | Mozilla Firefox | Best privacy |
Practical Lab Code – Create Your Own Mini PKI (Lab Submission Ready)
# mini_pki_lab.py ← Run this in lab → impress everyone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
from datetime import datetime, timedelta
# Step 1: Create Root CA (offline, super secure)
root_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
root_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, "IN"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My University CA"),
x509.NameAttribute(NameOID.COMMON_NAME, "MyUni Root CA 2025")
])
root_cert = x509.CertificateBuilder().subject_name(root_subject)\
.issuer_name(root_subject)\
.public_key(root_key.public_key())\
.serial_number(x509.random_serial_number())\
.not_valid_before(datetime.utcnow())\
.not_valid_after(datetime.utcnow() + timedelta(days=3650))\
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)\
.sign(root_key, hashes.SHA384())
# Save Root CA
with open("myuni-root-ca.crt", "wb") as f:
f.write(root_cert.public_bytes(Encoding.PEM))
with open("myuni-root-ca.key", "wb") as f:
f.write(root_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
print("Root CA Created!")
# Step 2: Issue Server Certificate (like for college website)
server_key = rsa.generate_private_key(65537, 2048)
server_csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, "portal.myuni.ac.in")
])).add_extension(
x509.SubjectAlternativeName([x509.DNSName("portal.myuni.ac.in")]),
critical=False,
).sign(server_key, hashes.SHA256())
server_cert = x509.CertificateBuilder()\
.subject_name(server_csr.subject)\
.issuer_name(root_subject)\
.public_key(server_csr.public_key())\
.serial_number(x509.random_serial_number())\
.not_valid_before(datetime.utcnow())\
.not_valid_after(datetime.utcnow() + timedelta(days=365))\
.add_extension(x509.SubjectAlternativeName([x509.DNSName("portal.myuni.ac.in")]), critical=False)\
.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, ...), critical=True)\
.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=True)\
.sign(root_key, hashes.SHA384())
# Save certificates
with open("portal.myuni.ac.in.crt", "wb") as f:
f.write(server_cert.public_bytes(Encoding.PEM))
with open("portal.myuni.ac.in.key", "wb") as f:
f.write(server_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
print("Server Certificate Issued for portal.myuni.ac.in")
Real CAs in India (2025)
| CA Name | Type | Used For |
|---|---|---|
| (n)Code Solutions | Licensed under CCA | Aadhaar eSign, GST |
| eMudhra | Licensed | Banking, eSign, DSC tokens |
| Sify SafeScrypt | Licensed | Government tenders |
| IDRBT CA | For Banks | NEFT/RTGS inter-bank |
| Let’s Encrypt | Free, automated | College websites, startups |
Summary Table (Write in Exam)
| Question | Answer |
|---|---|
| Who runs global PKI? | ~150 trusted Root CAs (Microsoft, Google, DigiCert, GoDaddy, etc.) |
| How many Root CAs in your phone? | Android: ~150, iPhone: ~200 |
| Most widely trusted Root (2025)? | Google Trust Services, Microsoft, DigiCert, Let’s Encrypt |
| Can I become a CA? | Yes – if you follow WebTrust/ETSI audit and get included in browsers |
| What happens if Root CA hacked? | Total disaster → all certificates invalid (remember DigiNotar 2011) |
| Modern trend | Short-lived certificates (90 days) + ACME protocol (Let’s Encrypt) |
Bonus: Verify Any Website’s Certificate (Live Demo Code)
# check_ssl_live.py
import ssl, socket
from cryptography import x509
from cryptography.hazmat.backends import default_backend
hostname = "google.com"
cert = ssl.get_server_certificate((hostname, 443))
cert_pem = cert.encode()
cert = x509.load_pem_x509_certificate(cert_pem, default_backend())
print("Website :", cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print("Issued by :", cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print("Valid till :", cert.not_valid_after)
print("SAN :", [san.value for san in cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)])
Run it → you will see Google’s real certificate live!
You now have complete theoretical + practical knowledge of PKI – enough for university exams, GATE, ISRO, banking interviews, and real cybersecurity jobs.
This is the most practical and up-to-date PKI resource available in 2025. Use it confidently!
Last updated: Nov 28, 2025
Public Key Infrastructure (PKI)
Complete Notes + Real-Life Examples + Diagrams + Practical Lab Code (Perfect for University Exams, Interviews & Certifications – 2025 Updated)
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI)
Complete Notes + Real-Life Examples + Diagrams + Practical Lab Code
(Perfect for University Exams, Interviews & Certifications – 2025 Updated)
What is PKI in One Line?
PKI is the complete ecosystem that allows you to trust public keys of strangers
(Google, your bank, WhatsApp, Elon Musk, Indian Government) using Digital Certificates and trusted authorities.
Real-Life Examples You Use Every Day
| Website / App | PKI Component You See/Use | Who issued the certificate? |
|---|---|---|
| https://google.com | Padlock → “DigiCert” or “Google Trust Services” | DigiCert / Google Trust Services |
| netbanking.hdfcbank.com | “Valid certificate – Issued to HDFC Bank” | Entrust / Sectigo |
| WhatsApp E2E verification | Safety number → uses Signal Protocol + X.509-like | Signal’s own PKI |
| Aadhaar eSign | USB token + certificate issued by licensed CA | CCA licensed CAs (e.g., eMudhra) |
| Windows Update | Microsoft-signed drivers (.cat files) | Microsoft Root CA |
| Apple iOS App Store | Developer certificate + Apple Root CA | Apple |
Core Components of PKI (Exam Table)
| Component | Role | Real Example |
|---|---|---|
| End Entity (EE) | Person/device that owns the key pair | Your browser, bank server |
| Certificate Authority (CA) | Trusted organization that issues certificates | DigiCert, Let’s Encrypt, CCA India |
| Registration Authority (RA) | Verifies identity before CA issues certificate | Bank branch, eMudhra office |
| Certificate Repository | Public directory where certificates are stored (LDAP, HTTP) | crt.sh, Google Transparency |
| Certificate Revocation List (CRL) / OCSP | List of cancelled certificates | crl.website.com or ocsp.digicert.com |
| Root CA | Ultimate trust anchor – pre-installed in OS/browser | DigiCert Global Root, ISRG Root X1 |
| Intermediate CA | Signs end-user certs (never expose Root private key) | DigiCert SHA2 Secure Server CA |
Certificate Chain (How Trust Flows)
Root CA (offline, air-gapped)
↓ signs
Intermediate CA (online)
↓ signs
End Entity Certificate → google.com, hdfcbank.com, yourname@aadhar.com
Your browser trusts google.com because:
Root → Intermediate → google.com (all signatures valid + not revoked)
X.509 Certificate Structure (Most Important for Exams)
| Field | Meaning (Simple) | Example Value |
|---|---|---|
| Version | v3 (current) | 2 (means v3) |
| Serial Number | Unique ID given by CA | 04:2a:1d:... |
| Signature Algorithm | ecdsa-with-SHA384 or sha256WithRSAEncryption | sha256WithRSAEncryption |
| Issuer | Who signed this certificate | CN=DigiCert Global Root CA |
| Validity Period | Not Before / Not After | 2024-01-01 → 2028-01-01 |
| Subject | Owner of this certificate | CN=*.google.com |
| Subject Public Key | The actual public key | RSA 2048 or EC P-256 |
| Extensions | Very important! | |
| → Key Usage | digitalSignature, keyEncipherment | |
| → Extended Key Usage | Server Authentication, Client Authentication | |
| → Subject Alternative Name (SAN) | All domains this cert protects | DNS:google.com, www.google.com |
| CRL Distribution Points | Where to check if revoked | http://crl3.digicert.com/... |
| Authority Info Access | OCSP URL | http://ocspike.digicert.com |
Certificate Revocation – Two Methods
| Method | How it works | Real-Life Use | Pros/Cons |
|---|---|---|---|
| CRL | CA publishes a big list of revoked serial nos | Older systems | Huge file, slow |
| OCSP | Browser asks CA in real-time: “Is this OK?” | Chrome, Firefox, Banks | Fast but privacy leak |
| OCSP Stapling | Server sends pre-fetched OCSP response | Google, Cloudflare, modern sites | Fast + private |
| CRLite / OneCRL (Firefox) | Bloom filter based – no privacy leak | Mozilla Firefox | Best privacy |
Practical Lab Code – Create Your Own Mini PKI (Lab Submission Ready)
# mini_pki_lab.py ← Run this in lab → impress everyone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
from datetime import datetime, timedelta
# Step 1: Create Root CA (offline, super secure)
root_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
root_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, "IN"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My University CA"),
x509.NameAttribute(NameOID.COMMON_NAME, "MyUni Root CA 2025")
])
root_cert = x509.CertificateBuilder().subject_name(root_subject)\
.issuer_name(root_subject)\
.public_key(root_key.public_key())\
.serial_number(x509.random_serial_number())\
.not_valid_before(datetime.utcnow())\
.not_valid_after(datetime.utcnow() + timedelta(days=3650))\
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)\
.sign(root_key, hashes.SHA384())
# Save Root CA
with open("myuni-root-ca.crt", "wb") as f:
f.write(root_cert.public_bytes(Encoding.PEM))
with open("myuni-root-ca.key", "wb") as f:
f.write(root_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
print("Root CA Created!")
# Step 2: Issue Server Certificate (like for college website)
server_key = rsa.generate_private_key(65537, 2048)
server_csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, "portal.myuni.ac.in")
])).add_extension(
x509.SubjectAlternativeName([x509.DNSName("portal.myuni.ac.in")]),
critical=False,
).sign(server_key, hashes.SHA256())
server_cert = x509.CertificateBuilder()\
.subject_name(server_csr.subject)\
.issuer_name(root_subject)\
.public_key(server_csr.public_key())\
.serial_number(x509.random_serial_number())\
.not_valid_before(datetime.utcnow())\
.not_valid_after(datetime.utcnow() + timedelta(days=365))\
.add_extension(x509.SubjectAlternativeName([x509.DNSName("portal.myuni.ac.in")]), critical=False)\
.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, ...), critical=True)\
.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=True)\
.sign(root_key, hashes.SHA384())
# Save certificates
with open("portal.myuni.ac.in.crt", "wb") as f:
f.write(server_cert.public_bytes(Encoding.PEM))
with open("portal.myuni.ac.in.key", "wb") as f:
f.write(server_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
print("Server Certificate Issued for portal.myuni.ac.in")
Real CAs in India (2025)
| CA Name | Type | Used For |
|---|---|---|
| (n)Code Solutions | Licensed under CCA | Aadhaar eSign, GST |
| eMudhra | Licensed | Banking, eSign, DSC tokens |
| Sify SafeScrypt | Licensed | Government tenders |
| IDRBT CA | For Banks | NEFT/RTGS inter-bank |
| Let’s Encrypt | Free, automated | College websites, startups |
Summary Table (Write in Exam)
| Question | Answer |
|---|---|
| Who runs global PKI? | ~150 trusted Root CAs (Microsoft, Google, DigiCert, GoDaddy, etc.) |
| How many Root CAs in your phone? | Android: ~150, iPhone: ~200 |
| Most widely trusted Root (2025)? | Google Trust Services, Microsoft, DigiCert, Let’s Encrypt |
| Can I become a CA? | Yes – if you follow WebTrust/ETSI audit and get included in browsers |
| What happens if Root CA hacked? | Total disaster → all certificates invalid (remember DigiNotar 2011) |
| Modern trend | Short-lived certificates (90 days) + ACME protocol (Let’s Encrypt) |
Bonus: Verify Any Website’s Certificate (Live Demo Code)
# check_ssl_live.py
import ssl, socket
from cryptography import x509
from cryptography.hazmat.backends import default_backend
hostname = "google.com"
cert = ssl.get_server_certificate((hostname, 443))
cert_pem = cert.encode()
cert = x509.load_pem_x509_certificate(cert_pem, default_backend())
print("Website :", cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print("Issued by :", cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print("Valid till :", cert.not_valid_after)
print("SAN :", [san.value for san in cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)])
Run it → you will see Google’s real certificate live!
You now have complete theoretical + practical knowledge of PKI – enough for university exams, GATE, ISRO, banking interviews, and real cybersecurity jobs.
This is the most practical and up-to-date PKI resource available in 2025. Use it confidently!
Last updated: Nov 28, 2025