
Public Key Infrastructure (PKI)

cryptography · Advanced

Also Known As

PKI, Certificate Authority (CA), TLS certificate, Let's Encrypt

TL;DR

The system of certificate authorities, certificates, and protocols that establishes trust in public keys — enabling HTTPS, code signing, and email encryption at internet scale.

Explanation

PKI answers one question: how do you trust a public key that belongs to a stranger? Certificate Authorities (CAs) sign certificates that bind a public key to an identity. Browsers and operating systems ship with a fixed set of trusted root CAs. The chain of trust starts there: the root CA signs an intermediate CA, and the intermediate CA signs the domain certificate. Certificate Transparency logs record every issued certificate publicly, so fraudulent issuance can be detected. The ACME protocol, used by Let's Encrypt, automates certificate issuance.

Common Misconception

A valid certificate means a site is safe. In reality a certificate only proves that the server holds the corresponding private key and that the CA verified the domain; it says nothing about the site's content or intent.

Why It Matters

Understanding PKI explains why certificate errors occur, how HTTPS actually establishes trust, and how Let's Encrypt provides free certificates — foundational knowledge for secure deployment.

Common Mistakes

  • Setting CURLOPT_SSL_VERIFYPEER to false disables certificate validation entirely, so HTTPS gives no more protection than HTTP against an active attacker.
  • Not auto-renewing Let's Encrypt certificates: they expire every 90 days; set up a `certbot renew` cron job.
  • Using self-signed certificates in production: browsers reject them, and users click through the warnings, which trains bad habits.
  • Not monitoring certificate expiry: an expired certificate causes a complete outage; use monitoring or auto-renewal.

Code Examples

✗ Vulnerable

```php
// Disabling certificate verification — completely negates HTTPS:
$ch = curl_init('https://api.example.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // NEVER in production
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disables hostname check too
$response = curl_exec($ch); // Any certificate presented by anyone is accepted
curl_close($ch);
```

✓ Fixed

```php
// Correct TLS verification (these are the defaults, but be explicit):
$ch = curl_init('https://api.example.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // Verify the certificate chain
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // Verify the hostname matches the certificate
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt'); // Trusted root bundle
$response = curl_exec($ch);
// A chain or hostname failure surfaces here; never "fix" it by turning verification off
if ($response === false) { error_log('TLS error: ' . curl_error($ch)); }
curl_close($ch);
```

Auto-renew Let's Encrypt certificates (cron entry):

```
0 0,12 * * * certbot renew --quiet
```

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: High · Fix effort: Medium

Quick Fix

Understand the chain of trust: your cert is signed by an intermediate CA, which is signed by a root CA in the browser trust store — if your intermediate cert is missing, some clients will reject your cert.

Applies To

Any web API
Detection Hints

Missing intermediate certificate in the chain; self-signed cert in production; certificate chain not verified in PHP cURL calls.

Auto-detectable: yes (ssllabs, openssl, curl)
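The chain of trust described in the Explanation and the missing-intermediate case in the Quick Fix, as an added example that is not part of this glossary page: it uses openssl to build a throwaway root, intermediate and leaf certificate, verifies the leaf with and without the intermediate, and runs the expiry check an auto-renewal or monitoring job relies on. It assumes openssl 1.1.1 or later with its default config on PATH; every name and path below is constructed for the demo.

```shell
# Added example (not from the CodeClarityLab page): build a throwaway
# root -> intermediate -> leaf chain with openssl, then check the leaf the
# way a client would. All names and paths below are constructed for the demo.
set -eu

# Extensions that mark a certificate as a CA; clients reject a chain whose
# intermediate lacks basicConstraints CA:TRUE.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# build_demo_chain DIR: writes root.crt, int.crt and leaf.crt into DIR.
build_demo_chain() {
  dir=$1
  printf '%s\n' "$CA_EXT" > "$dir/ca.ext"
  # Self-signed root CA (what a browser or OS trust store would contain).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate, valid for one day.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# verify_leaf ROOT LEAF [INTERMEDIATE]: returns 0 if LEAF chains up to ROOT.
# ROOT plays the trust store; INTERMEDIATE is what the server must send.
# Leave it out to reproduce the "missing intermediate certificate" failure.
verify_leaf() {
  if [ "$#" -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# still_valid_after CERT SECONDS: returns 0 if CERT has not expired SECONDS
# from now; this is the check behind an expiry-monitoring job.
still_valid_after() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}
```

Source the file, run `build_demo_chain "$(mktemp -d)"`, and call `verify_leaf` with and without the third argument to see the two outcomes; `still_valid_after leaf.crt 172800` fails for the one-day leaf, which is the signal a renewal job acts on.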
CWE-295, CWE-296
