Public Key Infrastructure (PKI) Cheat Sheet
Covers PKI components, certificate lifecycle, chain of trust, and common OpenSSL commands for generating and inspecting certificates.
2 PagesIntermediateJan 28, 2026
Core PKI Components
The building blocks of a public key infrastructure.
- CA (Certificate Authority)- Trusted entity that issues and signs digital certificates
- RA (Registration Authority)- Verifies identity before a CA issues a certificate
- Certificate- Binds a public key to an identity, signed by a CA
- CRL- Certificate Revocation List, a published list of revoked certificates
- OCSP- Online Certificate Status Protocol, real-time revocation checking
- Root CA- Top of the trust chain; self-signed, kept offline for security
- Intermediate CA- Signed by root CA, issues end-entity certs; limits root exposure
Generating Keys and a CSR (OpenSSL)
Creating a private key and certificate signing request.
bash
# Generate a 2048-bit RSA private keyopenssl genrsa -out server.key 2048# Generate a Certificate Signing Request (CSR)openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CA/O=Example Inc/CN=example.com"# Self-sign a certificate (for testing only)openssl x509 -req -days 365 -in server.csr \ -signkey server.key -out server.crt
Inspecting Certificates (OpenSSL)
Viewing certificate details and checking a live server's cert.
bash
# View certificate detailsopenssl x509 -in server.crt -text -noout# Check expiration dateopenssl x509 -in server.crt -noout -enddate# Inspect a certificate served by a live hostopenssl s_client -connect example.com:443 -showcerts
Chain of Trust Concepts
How certificate validation establishes trust.
- Trust anchor- Root CA certificate pre-installed in OS/browser trust stores
- Certificate chain- Leaf cert -> intermediate CA(s) -> root CA, each signed by the next
- Chain validation- Client verifies each signature up to a trusted root, and checks expiry/revocation
- Self-signed certificate- Not signed by a trusted CA; triggers browser warnings unless manually trusted
Pro Tip
Keep root CA private keys offline and air-gapped; use intermediate CAs for day-to-day certificate issuance so a compromised intermediate can be revoked without invalidating the entire trust chain.
Was this cheat sheet helpful?
Explore Topics
#PublicKeyInfrastructurePKI#PublicKeyInfrastructurePKICheatSheet#Cybersecurity#Intermediate#CorePKIComponents#Generating#Keys#CSR#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance