Understanding PKI

Public Key Infrastructure (PKI) is the framework of policies, hardware, software, and procedures used to create, manage, distribute, and revoke digital certificates. It enables secure communication over untrusted networks like the internet.

Public and Private Keys

PKI is built on asymmetric cryptography, which uses a pair of mathematically related keys:

  • Public key — Shared openly. Used to encrypt data or verify signatures.
  • Private key — Kept secret by the owner. Used to decrypt data or create signatures.

Data encrypted with the public key can only be decrypted with the corresponding private key, and a signature created with the private key can be verified with the corresponding public key. This property is what makes secure communication possible without sharing a secret in advance.

What Is a Digital Certificate?

A digital certificate (often called an X.509 certificate or TLS/SSL certificate) is an electronic document that binds a public key to an identity. It contains:

  • Subject — The identity the certificate represents (e.g., a domain name or organization)
  • Public key — The subject's public key
  • Issuer — The CA that signed and issued the certificate
  • Validity period — Start and expiration dates
  • Subject Alternative Names (SANs) — Additional identities (domains, IPs) the certificate covers
  • Signature — The CA's digital signature proving authenticity

What Is a Certificate Authority?

A Certificate Authority (CA) is a trusted entity that issues and signs digital certificates. The CA vouches for the identity of the certificate holder by signing the certificate with its own private key. There are two types:

  • Public CAs — Trusted by browsers and operating systems globally (e.g., Let's Encrypt, DigiCert). Used for public-facing websites.
  • Private CAs — Operated by organizations for internal use. Trusted only by devices that explicitly install the CA's root certificate. This is what Certman helps you create.

Chain of Trust

Trust in PKI flows through a hierarchy of certificates:

  1. Root CA certificate — Self-signed, installed in trust stores. This is the anchor of trust.
  2. Intermediate CA certificate — Signed by the root CA. Used to issue end-entity certificates while keeping the root key offline.
  3. End-entity certificate — Signed by a CA. Identifies a server, device, or service.

When a client connects to a server, it verifies each certificate in the chain back to a trusted root. If the chain is valid, the connection is trusted.

Certificate Revocation

If a certificate's private key is compromised or the certificate is no longer needed, it can be revoked. Revocation is communicated via:

  • CRL (Certificate Revocation List) — A signed list of revoked certificate serial numbers published by the CA
  • OCSP (Online Certificate Status Protocol) — An online protocol for real-time revocation checking

Certman supports both mechanisms — each CA publishes a CRL and provides an OCSP responder for real-time status checks. See the OCSP section for details.

Common Use Cases for Private PKI

  • Securing internal services (NAS, routers, home automation, dev servers)
  • Mutual TLS (mTLS) authentication between services
  • Encrypting traffic on private networks and VPNs
  • Code signing and document signing within an organization
  • IoT device authentication