Key takeaways on PKI and certificates
- The PKI organises the issuance, management and validation of certificates used for signing or sealing.
- The certification authority (CA) issues certificates and publishes revocation information.
- An X.509 certificate binds a public key to an identity and to attributes (usage, validity, extensions).
- Revocation is verified via CRLs (lists) or OCSP (status response).
What is a PKI?
A PKI (Public Key Infrastructure) is the set of technical and organisational components that enable the issuance, management and verification of public key certificates.
It combines: roles (authorities, subscribers, operators), policies (issuance conditions, identity verification, permitted uses), and publication mechanisms (revocation, access points, policy documents).
From an evidential perspective, the PKI is the “backbone” linking a cryptographic act (signature, seal) to an identity and to a set of verifiable rules. Without a PKI (or without a documented PKI), demonstrating attribution and validity becomes more difficult to sustain before a third party.
A certification authority (CA) is the entity that issues certificates by attesting that a public key corresponds to an identity, in accordance with an issuance policy. It signs certificates, enabling a verifier to confirm, through cryptographic means, that the certificate has not been altered and that it forms part of a chain of trust.
The CA also assumes operational obligations: securing the authority’s keys, managing the lifecycle (issuance, renewal, possible suspension), publishing revocation information and documenting its practices. In a given case, the CA is not merely a name: attention is paid to what it declares (CP/CPS), its trust anchor, and its ability to produce verifiable status information.
What is an X.509 certificate?
An X.509 certificate is a structured object that binds a public key to identity information and to validity and usage attributes. It includes, in particular: a subject (holder), an issuer, a validity period, a serial number, algorithms, and extensions (for example KeyUsage, ExtendedKeyUsage, BasicConstraints, Subject Alternative Name).
Within the Internet ecosystem, the reference profile is RFC 5280, which defines how these fields are to be interpreted. A certificate does not, in itself, constitute proof: it becomes evidential when validated in accordance with chain, usage and status rules (non-revocation), and when these elements are preserved consistently.
What is a qualified certificate?
A qualified certificate (within the meaning of eIDAS) is a certificate issued by a qualified trust service provider and compliant with the requirements set out in the Regulation, in particular Annex I for qualified electronic signature certificates. Qualification refers to a framework of compliance and supervision: it is not merely a “format”, but a status attached to the issuance and content of the certificate, as well as to the provider.
In practice, the identification of qualified providers and qualified services is facilitated by the Trusted Lists published by Member States. For legal practitioners, the benefit lies in having a common reference in a cross-border context, without having to reconstruct entirely the reliability of a private trust chain.
What is a certification policy (CP)?
A certification policy (CP) describes what a certificate represents: level of identity verification, issuance conditions, permitted uses, security requirements, responsibilities, and assumptions of reliance for parties using the certificate. It serves as a reference for qualifying a certificate in a given context (internal signature, organisational seal, external use, etc.).
From a documentary standpoint, RFC 3647 provides a framework for structuring a CP in a comparable manner across authorities. In an evidential context, the CP links a claim (“this certificate identifies an organisation at a given level”) to a normative document published by the authority, and therefore capable of verification and challenge.
What is certificate revocation?
Revocation is the decision to render a certificate invalid before its expiry date. Typical grounds include compromise of the private key, issuance error, change of attributes, or termination of the relationship with the holder.
From an evidential standpoint, it is necessary to distinguish between “certificate within its validity period” and “certificate not revoked”. Validation must therefore include verification of revocation status, based on an explicit policy (accepted sources, tolerances, timing). This is a common point of weakness: a case may be undermined if it cannot be demonstrated, with supporting evidence, what the status was at the time the signature or seal was applied (or at the time it is said to have taken effect).
What is a CRL?
A CRL (Certificate Revocation List) is a list published by a CA identifying revoked certificates (together with associated information such as date and reason). It is itself signed and must be validated.
The mechanism operates on a “list” basis: a CRL is retrieved, and the certificate’s serial number is checked against it. CRLs are governed by publication policies (frequency, distribution points, CRL validity period), which are relevant in an evidential assessment: an outdated, unavailable or inconsistent CRL weakens the demonstration. The rules governing the structure and interpretation of CRLs in Internet use are defined in RFC 5280.
