How Does PKI Authentication Work? With Authentication Flow Diagram

The Covid-19 pandemic (and its restrictions) brought an accelerated increase in digital adoption. However, it also uncovered new opportunities for bad actors and cybercriminals. At first, companies were more concerned with migrating to remote and hybrid work environments to recover lost productivity and profits.

Nevertheless, this mass migration left a lot of vulnerabilities exposed. As such, the last few years have seen an increase in discourse emphasizing more holistic approaches to cyber security such as Zero Trust architecture. Many experts have remarked that Public Key Infrastructure (PKI) authentication should be the foundation of your Zero Trust architecture. But how does PKI authentication work? This guide will answer this question.


What is PKI?

First of all, Public Key Infrastructure is a framework for managing digital certificates and public key encryption. The primary purpose of PKI architecture is to enable secure electronic transfer over networks. However, as you will see, remote electronic exchanges are not the only place where PKI is used. PKI is made possible through a collection of policies, standards, and procedures, which together exist to build digital trust.

Trust describes the confidence and reliability between entities. There are different forms of digital trust. For instance, trust between two entities is referred to as direct trust. On the other hand, if an independent third entity facilitates trust between two entities, this is known as third-party trust. PKI architecture uses a third-party trust system. Before you dive into the PKI authentication flow diagram included in this guide, it’s important to understand the entities involved in the process.


The Main Entities of PKI

PKIs typically consist of three key players. They are:

  • Client: The entity that must form a secure connection or validate a particular identity.
  • Server: In PKI architecture, this is the entity that must prove its identity.
  • Certificate Authority (CA): The governing entity, responsible for issuing digital certificates and verifying identities. CAs can be either external or internal to an organization.

Understanding Trust

The most important entity in PKI is the certificate authority as it is responsible for facilitating trust. But how can you verify the CA’s trustworthiness? First, you need to analyze the trust model.

Hierarchical Trust Model

The hierarchical trust model consists of a single authoritative CA, known as the root CA. This root CA sits at the top of the hierarchy and signs all digital certificates using a single private key. Additionally, as the highest signer, the root CA publishes a self-signed certificate to exhibit its special role.

The root CA generates this self-signed certificate using its own private key. Nevertheless, the hierarchical trust model comes with limitations. For instance, if the root CA’s private key is somehow compromised, all previously signed digital certificates become worthless. The following PKI trust model diagram illustrates how this process works:

Relying on a single root CA may cause problems, as it is a single point of failure with no fallback. Fortunately, this is not the only available PKI trust model.

Distributed Trust Model

As opposed to having a singular monarch-like root CA (as in the case of the hierarchical trust model), the distributed trust model has multiple CAs that are responsible for signing digital certificates. The following simple PKI distributed trust model diagram highlights how this process works:

This eliminates the limitations of a hierarchical PKI trust model. If one CA’s private key were to be exposed, the only certificates compromised would be the ones signed using that exposed private key. Additionally, distributed trust models allow the CAs to share the verification workload. Root CAs can also delegate authority to additional intermediate CAs, allowing them to sign digital certificates too. The distributed trust model is the cornerstone of most digital certificates used on the internet. It is the basis of the chain of trust.

Understanding the PKI Chain of Trust

The certificate chain of trust is an extremely important concept in PKI authentication. Before you review how the entire validation process works using this guide’s PKI authentication flow diagram, it’s best to understand how some of the PKI authentication sub-processes work first. Incidentally, the most common example of a PKI is the World Wide Web (WWW). Your web browser (Google Chrome, Firefox, Edge, etc.) acts as the client. The client may also be any software on an internet-enabled device (Internet of Things) that makes secure SSL/TLS connections.

The HTTPS websites (Google, Facebook, Twitter, etc.) that you access from your browser act as the servers in this scenario. Public web certificate providers (GoDaddy, GlobalSign, Sectigo, etc.) are the web’s certificate authorities (CAs).

Intermediate CAs generate and issue a large portion of the certificates on the internet. When you visit a secure website, your browser displays a padlock icon near (or on) the address bar. This indicates that your browser “trusts” the website’s certificate, meaning the certificate is valid and the connection is secured.

Examples of the PKI Chain of Trust

Once again, it’s important to have a visual example of how the PKI authentication process works, which is why this guide includes a PKI authentication diagram. However, that may not be enough: it helps to view a PKI chain of trust first hand. You can check a website’s certificate information, and who issued it, by clicking on the padlock icon. The exact steps depend on your browser.

Once the certificate information is displayed, click on the Certification Path tab. This gives you a glimpse into the trust chain. In most cases, you’ll be able to see all the intermediate CAs and the root CA.

Most web browsers ship with the public keys (root certificates) of all major root CAs. As such, your browser uses those public keys to verify digital signatures made by a root CA. Once your browser has verified the root CA, it walks down the certification path and validates each intermediate CA before finally trusting the site’s certificate. Here’s a simple flow diagram showing how this process works.

Other PKI Examples

However, the web isn’t the only instance of PKI that people use every day. Code signing is another example. The most recognizable implementation is Windows User Account Control. In this scenario, the client is the operating system (Windows 10 / Windows Server), which needs to validate the identity of a particular piece of software. Correspondingly, the software acts as the server: it is the entity that must prove its identity to the operating system.

Various code-signing CAs exist to verify the identity of software so that the operating system will trust it. Usually, code-signing CAs are not the same as those that sign certificates for websites.

Nonetheless, a more relatable example may be an internal corporate PKI. Here the client is an employee’s work device, the servers are corporate resources (ticketing system, portals, etc.), and the CA is a corporate internal CA. The next section explores how the hierarchical internal trust model works using a PKI authentication flow diagram.

PKI Authentication Flow Diagram

The best way to illustrate how PKI authentication works is through a flow diagram. The following flow diagram uses a simple internal hierarchical trust model.

Steps in the Authentication Flow Diagram

Step 1

The PKI authentication flow diagram begins with a client attempting to connect to a server. Before the client will connect securely, it asks to see the server’s certificate. The server then requests a certificate from the certificate authority. The CA must verify that the server has permission to make certificate requests, so a registration authority is dispatched to validate the server.

Step 2

Once the registration authority validates the request, it provides the certificate authority with confirmation. As you can see from the PKI authentication flow diagram, the certificate authority is then able to issue an official certificate to the server. In this scenario, the server acts as the subject of the certificate. Once certificate registration and issuance are complete, the server can relay the certificate to the client (the relying party) to indicate that it is safe to connect.

Step 3

However, before the client can safely connect to the server, it must ensure that the certificate delivered by the server is legitimate. It does this by validating the certificate against the public key issued to it by the certificate authority. In most cases, the client already has the necessary public keys installed, so validation does not take long. The PKI authentication diagram terminates in one of three ways: once validation is complete, the client either gains a secure connection to the server (if the certificate is valid) or is blocked and rerouted to safety.
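The chain walk described in the chain-of-trust section (root from the client’s own store, then each intermediate, then the site’s certificate) and the Step 3 validation above, as an added Go example that is not part of this post or any product it mentions. It builds a constructed internal chain with placeholder names (root-ca.corp.example, issuing-ca.corp.example, portal.corp.example) using Go’s standard crypto/x509 package and shows the client accepting the full chain while rejecting a chain missing its intermediate and a certificate from a CA it was never told to trust:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for name with parentKey (parent == nil gives a self-signed root); errors are ignored only because Demo's inputs are fixed.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames:  []string{name}, // the hostname a client checks against the leaf in Step 3
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root: subject and issuer are the same entity
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed corporate chain (placeholder names) and runs the client's Step 3 check three ways.
func Demo() (fullChainOK, missingIntermediateRejected, unknownCARejected bool) {
	root, rootKey := issue("root-ca.corp.example", true, nil, nil)
	inter, interKey := issue("issuing-ca.corp.example", true, root, rootKey)
	leaf, _ := issue("portal.corp.example", false, inter, interKey)
	rogue, rogueKey := issue("unknown-ca.example", true, nil, nil) // validly self-signed, but never trusted
	rogueLeaf, _ := issue("portal.corp.example", false, rogue, rogueKey)
	trusted := x509.NewCertPool() // the client's pre-installed roots, like a browser's root store
	trusted.AddCert(root)
	check := func(l *x509.Certificate, presented ...*x509.Certificate) error {
		inters := x509.NewCertPool() // intermediates the server sends alongside its leaf
		for _, c := range presented {
			inters.AddCert(c)
		}
		_, err := l.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: inters, DNSName: "portal.corp.example"})
		return err
	}
	fullChainOK = check(leaf, inter) == nil
	missingIntermediateRejected = check(leaf) != nil
	unknownCARejected = check(rogueLeaf, rogue) != nil
	return
}
```

Note that presenting the unknown CA’s own certificate alongside the leaf does not help: a signature can be internally valid yet still be rejected because nothing chains it to a root the client already holds.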



Conclusion

Once again, it’s important to note that the above diagram highlights simple PKI authentication in a hierarchical trust model. Regardless, the distributed model largely functions on the same principles. However, it features additional, more complex steps. A good example would be EJBCA’s PKI package.

As you can see from the above simplified authentication flow diagram, EJBCA’s model contains multiple certificate and validation authorities. This system is designed to protect both the client (user and device) and the server.

The best way to understand PKI architecture and authentication is in philosophical or social terms. You trust your doctor because they are certified and licensed by an authority such as the Federation of State Medical Boards. Your doctor’s medical license is there to build trust. If anything goes wrong during a medical procedure, your doctor(s) can be held accountable. PKI authentication functions on this principle, but with more stringent measures for verification. Hence, people see it as the foundation for Zero Trust because it can facilitate the edict: “never trust, always verify.”


Mduduzi Sibisi

Mdu is an Oracle-certified software developer and IT specialist, primarily focused on Object-Oriented programming for Microsoft and Linux-based operating systems. He has over a decade of experience and endeavors to share what he's learned from his time in the industry. He moonlights as a tech writer and has produced content for a plethora of established websites and publications - including this one. He's always open to learning and growing.
