JPS is based on Public Key Infrastructure.
Public Key Infrastructure (PKI) is not an application, but an infrastructure
which enables services like digital signatures, encryption, and authentication.
The Certification Authority acts as a guarantor of digital IDs and digital
signatures.
To enhance PKI, certificates issued by Certificate Authorities (CAs) are used.
In simple terms, a CA digitally signs a collection of data, consisting of at least an
identifier tag, a public key and a validity period. Certificates normally conform to the
ITU X.509 recommendation.
When a signature is verified, a recursive process is undertaken which follows
the initial checking of the signature against the originator's public key. The public
key (in the form of the certificate) is validated against the certificate of the
issuing CA. This process is repeated until a common trust point between the
originator and recipient is reached. If no common trust point is reached, an acceptable
trust model does not exist between the two parties. If a common trust point is reached,
and all signatures verify (data and certificates), then the transaction can be trusted.
PKI uses matched encryption key pairs where one key is used to encrypt data and the other
matching key is used to decrypt the data. By convention one key is referred to as the
private key and the other is referred to as the public key (giving PKI its name).
The basic concept is that one key (the public key) can be published and read by
anyone, while the other key (the private key) is maintained in secrecy.
An individual (the originator) can encrypt some data with their private key. This
allows any other user with access to the originator's public key to decrypt it. This does
not provide a confidentiality service (anybody can decrypt the data), but it does allow the
recipient to know that the data could only have come from the originator. This process
underpins the concept of applying a digital signature.
Individuals (the recipient or recipients) can decrypt with the originator's public key.
The recipient knows the only person who could have applied the encryption was the
originator (the only person who should have access to the private key). This process
underpins the concept of verifying a digital signature.
For signing (and verification of a signature), instead of encrypting the entire
source data, a hash (a complex checksum) of the data is calculated and only that is
encrypted with the originator's private key. This provides an alternative mechanism
of signing data. The encrypted hash is now included with the otherwise untouched
source data and can be used as a separate piece of data known as the signature. This not
only improves performance, but also provides an integrity service by including a
cryptographically protected checksum with the message.
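The hash-then-sign scheme and the recursive walk to a common trust point described above, as an added example that is not part of the original page. It assumes textbook RSA without padding, keys constructed from Mersenne primes (illustration only, not secure), validity periods expressed as years, and hypothetical names (Cert, issue, validate, the sample subjects).

```python
import hashlib
from dataclasses import dataclass

def toy_key(a, b, e=65537):
    """Constructed textbook-RSA key from Mersenne primes; illustration only, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))  # (public key, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, pub, priv):  # the hash, not the data, is "encrypted" with the private key
    return pow(digest(data, pub[0]), priv, pub[0])
def verify(data, sig, pub):  # recover the hash with the public key and compare
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

@dataclass
class Cert:  # the minimum contents the text lists, plus issuer name and CA signature
    subject: str
    public_key: tuple
    validity: tuple
    issuer: str
    signature: int = 0
    def tbs(self):  # the bytes the CA signs
        return repr((self.subject, self.public_key, self.validity, self.issuer)).encode()

def issue(subject, pub, issuer, issuer_pub, issuer_priv, validity=(2024, 2034)):
    cert = Cert(subject, pub, validity, issuer)
    cert.signature = sign(cert.tbs(), issuer_pub, issuer_priv)
    return cert

def validate(data, sig, cert, certs, anchors, now, depth=8):
    """Verify sig over data with cert's key, then validate cert itself the same way."""
    lo, hi = cert.validity
    if depth == 0 or not lo <= now <= hi or not verify(data, sig, cert.public_key):
        return False
    if cert.issuer in anchors:  # common trust point: a key the recipient already trusts
        return verify(cert.tbs(), cert.signature, anchors[cert.issuer])
    parent = certs.get(cert.issuer)  # no issuer certificate means no trust path
    return parent is not None and validate(
        cert.tbs(), cert.signature, parent, certs, anchors, now, depth - 1)

# Constructed sample chain: Root CA -> Issuing CA -> alice
root_pub, root_priv = toy_key(89, 1279)
ca_pub, ca_priv = toy_key(107, 607)
alice_pub, alice_priv = toy_key(127, 521)
ca_cert = issue("Issuing CA", ca_pub, "Root CA", root_pub, root_priv)
alice_cert = issue("alice", alice_pub, "Issuing CA", ca_pub, ca_priv)
msg = b"pay 100 to bob"
msg_sig = sign(msg, alice_pub, alice_priv)
```

Here certs holds the intermediate certificates sent along with the message and anchors holds the recipient's own trusted keys; validation succeeds only when the walk ends at one of those anchors.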