
Public Key Infrastructure (PKI)

Cryptography Advanced
debt(d3/e3/b3/t7)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches' (d3): tools like SSL Labs and openssl s_client readily surface missing intermediate certs, self-signed certs and expiry issues, and CURLOPT_SSL_VERIFYPEER set to false is flagged by most security linters.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3), per quick_fix: install the intermediate cert in the chain, or flip CURLOPT_SSL_VERIFYPEER back to true, or set up certbot renewal cron — small targeted config changes, not refactors.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), PKI applies to web/api edge (TLS termination, outbound HTTPS calls) — a persistent operational concern (renewals, chain hygiene) but contained to the ingress/egress layer, not shaping the whole codebase.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), the misconception is exactly that 'a valid certificate means the site is safe' — devs and users routinely conflate cert validity with trustworthiness; also disabling VERIFYPEER 'just to make it work' is a notorious wrong-default that contradicts the security intent.


Also Known As

PKI, Certificate Authority, CA, TLS certificate, Let's Encrypt

TL;DR

The system of certificate authorities, certificates, and protocols that establishes trust in public keys — enabling HTTPS, code signing, and email encryption at internet scale.

Explanation

PKI answers the question: how do you trust a public key presented by a stranger? Certificate Authorities (CAs) sign certificates that bind a public key to an identity (for a TLS server certificate, a DNS name). Browsers and operating systems ship a trust store of root CA certificates. The chain of trust runs root CA to intermediate CA to end-entity (domain) certificate; roots are kept offline and sign only intermediates, so a server must send its intermediate alongside its own certificate for clients to complete the chain back to a trusted root. Publicly trusted CAs submit every certificate they issue to Certificate Transparency logs, so a domain owner can detect certificates they never requested. The ACME protocol, used by Let's Encrypt, automates domain validation, issuance and renewal.

Common Misconception

A valid certificate means a site is safe. In reality a certificate only proves that the server holds the private key matching the public key in the certificate and that the CA verified control of the domain (for a domain-validated certificate, nothing more); it says nothing about the site's content or intent. Phishing sites obtain valid certificates too.

Why It Matters

Understanding PKI explains why certificate errors occur, how HTTPS actually establishes trust, and how Let's Encrypt provides free certificates — foundational knowledge for secure deployment.

Common Mistakes

  • Setting CURLOPT_SSL_VERIFYPEER to false: the connection is still encrypted, but to whoever answered, so an on-path attacker can present their own certificate and read or modify the traffic. Protection against an active attacker, the reason for HTTPS, is gone.
  • Not auto-renewing Let's Encrypt certificates: they are valid for 90 days; run certbot renew from a cron job or systemd timer (it only renews certificates within 30 days of expiry, so running it twice a day is safe).
  • Using self-signed certificates in production: browsers show an interstitial warning and automated clients fail outright; users who learn to click through the warning will click through it for an attacker's certificate as well.
  • Not monitoring certificate expiry: an expired certificate is a complete outage for every client that validates, i.e. all the correctly configured ones; monitor days-to-expiry, auto-renew, and ideally do both.
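The chain-of-trust point in the Explanation and the expiry-monitoring mistake above, as an added example (this is not code from the original glossary page): a POSIX shell script that builds a throwaway root, intermediate and leaf with openssl, then shows that a client trusting only the root rejects the leaf unless the intermediate is supplied, that the hostname check is a separate step from chain validation, and how a monitor asks openssl whether a certificate will still be valid N seconds from now. The CA names and api.example.com are made up for the demo, and it assumes openssl (1.0.2 or later, for -verify_hostname) is on PATH.

```sh
#!/bin/sh
# Added example, not from the original page: a toy PKI built with openssl.
# Names (Example Root CA, Example Intermediate CA, api.example.com) are
# made up; certs live 1 day so the expiry check has something to show.
set -u

# make_chain DIR: write root.crt -> int.crt -> leaf.crt (and keys) into DIR
make_chain() {
    d=$1
    # CA certs need basicConstraints CA:TRUE or verifiers refuse to let them sign
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # leaf: not a CA; the SAN is what the hostname check matches against
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"

    # root CA: self-signed
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

    # intermediate CA: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null

    # leaf (server) cert: signed by the intermediate, never by the root directly
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=api.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Client with only the root in its trust store; server sends leaf + intermediate: succeeds.
verify_full_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same client, but the server forgot to send the intermediate: fails with
# "unable to get local issuer certificate" (curl and openssl do not fetch it for you).
verify_missing_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Chain valid AND the SAN matches the requested host (the VERIFYHOST half of the check).
verify_for_host() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# Expiry monitor: exit 0 only if CERT will still be valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Stand-alone demo: run each check and print its verdict
work=$(mktemp -d)
make_chain "$work"
report() { if "$@"; then echo "OK    $1 ${3:-}"; else echo "FAIL  $1 ${3:-}"; fi; }
report verify_full_chain "$work"
report verify_missing_intermediate "$work"
report verify_for_host "$work" api.example.com
report verify_for_host "$work" evil.example.com
report cert_valid_for "$work/leaf.crt" 3600     # 1 hour ahead: still valid
report cert_valid_for "$work/leaf.crt" 604800   # 7 days ahead: expires first, a monitor alerts
rm -rf "$work"
```

The FAIL on verify_missing_intermediate is the "works in Chrome, fails in curl" bug from the Quick Fix: browsers often fetch or preload intermediates, command-line and library clients do not, so always serve the full chain. A monitor would call cert_valid_for with a threshold such as 14 days (1209600 seconds) on the live certificate fetched via openssl s_client and page someone when it returns non-zero.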

Code Examples

✗ Vulnerable
// Disabling certificate verification — completely negates HTTPS:
$ch = curl_init('https://api.example.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // NEVER in production
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disables hostname check too
✓ Fixed
// Correct TLS verification (the default, but be explicit so nobody "fixes" it later):
$ch = curl_init('https://api.example.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // Verify the cert chain against the CA bundle
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // Verify the hostname matches the cert's SAN
// Optional: name the CA bundle explicitly (Debian/Ubuntu path; or set curl.cainfo in php.ini)
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$body = curl_exec($ch);
if ($body === false) {
    // A chain or hostname failure surfaces here: fail closed, never retry without verification
    throw new RuntimeException('TLS/HTTP error: ' . curl_error($ch));
}
curl_close($ch);

// Auto-renew Let's Encrypt cert (crontab entry; certbot only renews certs within 30 days of expiry):
# 0 0,12 * * * certbot renew --quiet

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Understand the chain of trust: your cert is signed by an intermediate CA, which is signed by a root CA in the client's trust store. Only the root is in that store, so your server must send the intermediate alongside your own certificate (the full chain, e.g. fullchain.pem from certbot rather than cert.pem). If it doesn't, clients that don't fetch missing intermediates themselves (curl, openssl, most libraries and mobile apps) reject your cert even though a desktop browser may accept it.
📦 Applies To
any web api
🔍 Detection Hints
Missing intermediate certificate in chain; self-signed cert in production; certificate chain not verified in PHP cURL calls
Auto-detectable: Yes (SSL Labs, openssl s_client, curl)
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: High Context: File
CWE-295 CWE-296