How PKI (Public Key Infrastructure) works



Public Key Infrastructure (PKI) is a set of standards, procedures, software, and people for implementing authentication using public key cryptography. PKI is used to request, install, configure, manage and revoke digital certificates. PKI offers authentication via digital certificates, and these digital certificates are signed and provided by certificate authorities.

PKI uses public key cryptography and works with X.509 standard certificates. It also covers authenticating users, producing and distributing certificates, and maintaining, managing and revoking them. PKI is an infrastructure in which many things happen, not a process or an algorithm in itself, so it consists of a number of components that together make the infrastructure work. As well as authentication, PKI enables integrity, non-repudiation and encryption.

If a company wants a public key, it requires a digital certificate. It has to request this certificate from a certificate authority (CA) or a registration authority (RA). The CA is a party that everyone should trust as a centralised authority for managing and maintaining certificates. The CA will require the company to fill in a number of details and will validate the request before it hands out a certificate. This certificate is proof that the company is who it says it is in the digital world (like a passport in the real world). An RA is just an organisation that processes requests on behalf of a CA.

PKI combines well with Diffie-Hellman to provide secure key exchanges, as Diffie-Hellman does not provide authentication on its own. PKI is used in various protocols such as PGP and SSL.

There are two main PKI models as described below.

Central PKI Model –

Used for small to medium sized companies or a flat network design. A single authority assigns all their certificates.

Hierarchical PKI Model –

A hierarchical PKI model is used in medium to large organisations. You have a root CA, which can be an in-house solution such as Microsoft Certificate Services or a publicly trusted company such as Verisign. Below it you have separate subordinate CAs, each assigning digital certificates to a separate security domain. Hierarchical is a multi-tiered approach suited to enterprise networks. Subordinate CAs hand out certificates to employees and other parties (systems and individual users).


Certificate Request Process

A company requests a digital certificate from a CA.

The CA requires some information back from the company, usually some proof that it is who it claims to be, along with its registration information.

After the CA is happy with the company’s request, it generates a public key for the company with the identity information attached to the certificate. This public key, along with its related private key, can be generated by the CA or by the system the company will be installing the certificate on. If it is produced by the company, a public and private key pair is generated on the device and sent to the CA.

The CA will sign and issue the company with a digital certificate, and this will be its identification proving it is who it claims to be.

The company can now use this information to participate in the PKI system.


How two companies or two users establish a secure channel with each other using public keys

Joe wants to communicate with Carl, so Joe sends his certificate to Carl. Carl checks the CA signature on the certificate with his CA, which may be Verisign, for example. He uses Verisign's CA public key to confirm that the CA's signature is on the certificate. If the certificate is valid, Carl can assume Joe is who he says he is, and the connection is accepted. Joe then checks Carl’s certificate, and if it is fine and valid, the VPN process can proceed.

How a secure key is agreed upon by two peers

The process works by the two peers exchanging their public keys. Joe sends his public key to Carl and Carl sends his public key to Joe. Joe then uses the public key sent by Carl and his own private key to generate a symmetric key using the Diffie-Hellman algorithm. Carl follows the same process as Joe and in turn produces the exact same symmetric key, thus enabling them to communicate securely over the insecure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
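The certificate request, the certificate check between Joe and Carl, and the Diffie-Hellman key agreement described above, tied together in one added example (not code from the original page). It uses textbook RSA and Diffie-Hellman over small Mersenne primes, constructed for illustration and far too weak for real use; the function names and the dictionary "certificate" layout are assumptions, and in this variant only the identity and public value are sent to the CA.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (not secure sizes).
P = 2**127 - 1                                    # Diffie-Hellman modulus (prime)
G = 3                                             # Diffie-Hellman base
CA_N = (2**89 - 1) * (2**107 - 1)                 # CA's toy RSA modulus
CA_E = 65537                                      # CA public exponent
CA_D = pow(CA_E, -1, (2**89 - 2) * (2**107 - 2))  # CA private exponent

def digest(name, public):
    """Hash the identity-to-key binding that the CA signs."""
    data = f"{name}|{public}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N

def new_keypair():
    """Requester: generate a private value and the matching public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def ca_issue(name, public):
    """CA: sign the binding of identity to public value (the 'certificate')."""
    return {"name": name, "public": public,
            "sig": pow(digest(name, public), CA_D, CA_N)}

def verify(cert, expected_name):
    """Peer: check the CA signature using only the CA's public key."""
    ok = pow(cert["sig"], CA_E, CA_N) == digest(cert["name"], cert["public"])
    return ok and cert["name"] == expected_name

def session_key(my_priv, peer_cert, expected_name):
    """Derive the symmetric key, but only from a certificate that verifies."""
    if not verify(peer_cert, expected_name):
        raise ValueError("certificate rejected")
    shared = pow(peer_cert["public"], my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def demo():
    joe_priv, joe_pub = new_keypair()
    carl_priv, carl_pub = new_keypair()
    joe_cert, carl_cert = ca_issue("joe", joe_pub), ca_issue("carl", carl_pub)
    k_joe = session_key(joe_priv, carl_cert, "carl")
    k_carl = session_key(carl_priv, joe_cert, "joe")
    # A public value altered in transit no longer matches the CA signature.
    altered = dict(carl_cert, public=pow(G, 12345, P))
    return k_joe == k_carl, verify(altered, "carl")

if __name__ == "__main__":
    print(demo())
```

The first result shows both peers deriving the same key; the second shows that a certificate whose public value was changed after signing fails the check, which is the authentication step Diffie-Hellman lacks on its own.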
