Public key infrastructure (PKI) explained for non-engineers
Public key infrastructure (PKI) is the framework of keys, certificates, and trusted authorities that makes secure digital communication and signing possible between people who've never met. It rests on key pairs — a private key you keep secret and a public key you share — plus certificate authorities that vouch for whose key is whose. Together they let you verify identity, prove a message came from a specific party, and confirm nothing was altered in transit. PKI is the quiet plumbing behind HTTPS websites, encrypted email, and every legally defensible digital signature.
The trust problem PKI solves
Imagine trying to do business with someone you've never met, over a network where messages can be intercepted or forged. How do you know the person is who they claim to be? How do you know their message wasn't tampered with? How do you send them something only they can read?
Public key infrastructure is the answer the internet settled on. It's not a single product — it's an ecosystem of standards, roles, and technologies that work together to make trust possible at scale. When you see the padlock in your browser, when you sign a PDF, when your email client shows a message is verified, PKI is doing the work underneath.
The core idea: key pairs
Everything in PKI starts with a key pair. Each participant has two mathematically linked keys:
- A private key, kept strictly secret by the owner.
- A public key, shared with anyone.
The magic is that these keys are asymmetric — they do complementary jobs:
- For confidentiality: anyone can encrypt a message with your public key, but only your private key can decrypt it. So people can send you secrets without ever sharing a password.
- For signing: you encrypt a fingerprint of a document with your private key, and anyone can verify it with your public key. That proves you signed it, because only you hold the private key.
This asymmetry is what makes PKI work between strangers. There's no shared secret to exchange in advance.
The missing piece: who owns the key?
A public key by itself is just a number. It says nothing about whose key it is. This is the gap that certificates and certificate authorities fill.
A digital certificate binds a public key to a verified identity. A certificate authority (CA) is a trusted organization that verifies identities and issues those certificates, signing each one with its own key as a guarantee. When you receive someone's certificate, you can check the CA's signature to confirm the identity is genuine.
The chain of trust
You don't have to personally trust every CA. Instead, trust flows through a chain:
- A root CA sits at the top. Its certificate is pre-installed and trusted by your operating system, browser, and PDF reader.
- Root CAs sign intermediate CAs, which do the day-to-day work of issuing certificates.
- Intermediate CAs sign end-entity certificates — the ones belonging to people, companies, and servers.
When your software verifies a signature or a website, it walks up this chain: does this certificate trace back to a root I already trust? If yes, trust is established automatically. If the chain breaks — an unknown issuer, an expired link — you get a warning.
What PKI actually delivers
Boiled down, PKI provides four assurances:
- Authentication — you can confirm who you're dealing with.
- Integrity — you can detect if a message or document was altered.
- Confidentiality — you can send data only the intended recipient can read.
- Non-repudiation — a signer can't credibly deny having signed, because only their private key could have produced the signature.
That last one, non-repudiation, is why PKI underpins legally meaningful signatures.
PKI keeps itself honest
A healthy PKI also handles the messy realities. Certificates have expiry dates, so credentials don't live forever. If a private key is lost or stolen, the CA can revoke the certificate, and verifiers check revocation status through a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). And trusted timestamps record when something was signed, so a signature stays verifiable even after its certificate expires.
PKI behind a digital signature
When you sign a document in a PKI-based system, the software hashes the document, encrypts that hash with your private key to form the signature, and attaches your certificate. The recipient's software verifies the signature against your public key, checks that your certificate chains to a trusted root, and confirms the document hasn't changed. All of it happens in seconds, invisibly.
How PearSign relies on PKI
PearSign's tamper-evident signatures are built on PKI. Completed documents are sealed with a digital certificate that chains up to the Adobe Approved Trust List (AATL), so any standard PDF reader can walk the chain of trust, confirm the document's integrity, and recognize the signature as valid — no manual setup on the recipient's end.
FAQ
What is PKI in plain language?
PKI, or public key infrastructure, is the system of keys, digital certificates, and trusted authorities that lets people and computers verify each other's identities and communicate securely — even if they've never interacted before. It's the foundation behind secure websites, encrypted email, and trustworthy digital signatures.
What is the difference between a public key and a private key?
A private key is kept secret by its owner; a public key is shared openly. They're mathematically linked so that what one does, only the other can undo. You sign with your private key and others verify with your public key; others encrypt with your public key and only you can decrypt with your private key.
What is a chain of trust?
A chain of trust is the path that connects a certificate back to a root authority your device already trusts. Your certificate is signed by an intermediate CA, which is signed by a root CA. Verification software follows this chain — if it reaches a trusted root, the certificate is accepted.
What does non-repudiation mean?
Non-repudiation means a signer can't plausibly deny having signed something. Because a digital signature can only be produced with the signer's private key, which they alone control, the signature stands as strong evidence that they — and not someone else — signed the document.
Do I need to understand PKI to use a digital signature?
No. PKI is designed to work invisibly. When you sign a document in a PKI-based platform, the key management, certificates, and trust checks happen automatically in the background. You get the security benefits without needing to manage keys yourself.
Ready to send your first document with PearSign?
AI drafts it, places the fields, and collects every signature — sealed and audit-trailed.
This article is general information about electronic signatures and related standards — not legal advice. For your specific situation, consult qualified counsel in your jurisdiction.