Glossary

What is Public Key Infrastructure?

Public key infrastructure (PKI) is a comprehensive framework of roles, policies, hardware, software, and procedures used to create, manage, distribute, store, and revoke digital certificates and their associated public-private key pairs.

Also known as: PKI, public key infrastructure

PKI is the trust backbone of the internet. Every time your browser shows a padlock icon on an HTTPS connection, PKI is at work. The system relies on certificate authorities (CAs) that issue digital certificates binding a public key to an identity — whether a domain name, an organization, or an individual. These certificates allow clients to verify that they are communicating with the legitimate server and not an impersonator.

The PKI trust model is hierarchical. Root CAs sit at the top, with their certificates pre-installed in operating systems and browsers. Root CAs sign intermediate CA certificates, which in turn sign end-entity certificates for individual servers and services. This chain of trust allows any client to verify a certificate by tracing the signatures back to a trusted root. If any link in the chain is compromised or revoked, the certificates it signed are no longer trusted.

PKI extends beyond web TLS. It underpins code signing (verifying software authenticity), email encryption (S/MIME), VPN authentication, mutual TLS between microservices, and smart card authentication. Managing PKI at scale involves tracking certificate expiration, automating renewal, publishing certificate revocation lists (CRLs) or running OCSP responders, and securing the private keys of CAs — a compromise of a root CA private key would undermine trust across the entire hierarchy.
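The chain of trust described above (root signs intermediate, intermediate signs the end-entity certificate, client trusts only the root) and the expiry problem raised in the paragraph on managing PKI at scale can be exercised end to end with Go's standard `crypto/x509` package. The following is an added example written for this glossary entry; it is not code from Vaulted or from any CA. Every name, serial number and lifetime in it is a constructed assumption, and the host name `vaulted.example` is a placeholder, not the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier hierarchy: root CA -> intermediate CA -> leaf.
// All subject names and lifetimes below are assumptions made for this example.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	Issued                   time.Time
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signerKey on behalf of parent; parent == nil makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate builds a CA certificate. pathLenZero restricts the CA to signing
// end-entity certificates only, which is how an intermediate is normally constrained.
func caTemplate(serial int64, cn string, now time.Time, years int, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        pathLenZero,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain generates fresh keys and the three certificates. The leaf is a 90-day
// server certificate for the placeholder host "vaulted.example".
func BuildChain() (*Chain, error) {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	root, err := issue(caTemplate(1, "Example Root CA", now, 10, false), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate(2, "Example Intermediate CA", now, 5, true), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "vaulted.example"},
		DNSNames:     []string{"vaulted.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, Issued: now}, nil
}

// VerifyLeaf does what a TLS client does: trust only the root, use the intermediate
// only if the server sent it, and check host name and clock. daysAfterIssue moves the
// clock forward to simulate an expired certificate. Revocation (CRL/OCSP) is NOT
// consulted here; Go's Verify leaves that to the caller.
func (c *Chain) VerifyLeaf(host string, sendIntermediate bool, daysAfterIssue int) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	intermediates := x509.NewCertPool()
	if sendIntermediate {
		intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       host,
		CurrentTime:   c.Issued.AddDate(0, 0, daysAfterIssue),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain:     ", ch.VerifyLeaf("vaulted.example", true, 0))
	fmt.Println("no intermediate:", ch.VerifyLeaf("vaulted.example", false, 0))
	fmt.Println("wrong host:     ", ch.VerifyLeaf("other.example", true, 0))
	fmt.Println("91 days later:  ", ch.VerifyLeaf("vaulted.example", true, 91))
}
```

Only the first call succeeds. Dropping the intermediate breaks the signature path back to the root (the usual cause of "unknown authority" errors when a server is misconfigured to send only its leaf), a mismatched host name fails even though the signatures are valid, and moving the clock past `NotAfter` fails for the expiry reason the entry describes. Note that `Verify` never checks revocation: a client that wants the "compromised or revoked" case handled has to fetch a CRL or query OCSP as a separate step.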

How Vaulted uses Public Key Infrastructure

Vaulted relies on PKI indirectly through HTTPS. The TLS certificate on vaulted.fyi, issued by a trusted certificate authority, ensures that your browser is communicating with the real Vaulted server and not a man-in-the-middle. This protects the ciphertext and metadata in transit. However, Vaulted does not depend on PKI for its core encryption model — secrets are encrypted client-side with symmetric AES-256-GCM keys that never traverse the network, so even a PKI failure would not expose plaintext secrets.