Skip to content

What is a PKI, and walk me through how a client validates a server's certificate.

Short answer

A PKI is the system of CAs, certificates, and policies that binds public keys to identities. To validate a server cert a client builds a chain to a trusted root, verifies each signature, checks validity dates and the hostname, confirms key usage, and checks revocation via CRL or OCSP.

A Public Key Infrastructure (PKI) is the trust framework that lets you believe a public key actually belongs to who it claims to. Without it, public-key crypto is useless against an active attacker who can simply hand you their own key.

The components

  • Certificate Authorities (CAs) vouch for identities by signing certificates. Root CAs sit at the top; their certs ship pre-installed in operating systems and browsers as trust anchors.
  • Intermediate CAs are signed by roots and do the day-to-day issuing, so the root's private key can stay offline.
  • X.509 certificates bind a public key to a subject (like a domain name) plus metadata: validity dates, key usage, and the issuer's signature.
  • Revocation services (CRLs and OCSP) let a CA say "this cert is no longer valid" before it expires.

How validation actually works

When a client receives a server certificate, it:

  1. Builds the chain from the server cert up through any intermediates to a root it already trusts.
  2. Verifies each signature in the chain — every cert must be properly signed by the one above it.
  3. Checks validity dates — not before, not after.
  4. Matches the hostname against the certificate's Subject Alternative Names. A valid cert for the wrong domain is still a failure.
  5. Confirms key usage and constraints — e.g. the cert is allowed to be used for server authentication.
  6. Checks revocation via CRL or OCSP (often OCSP stapling, where the server presents a fresh signed status).

If every step passes, the client trusts the key and proceeds.

What interviewers look for

Many candidates stop at "it checks the CA." The strong answer names the chain of trust to a root anchor, signature verification at each link, and the easily-forgotten checks: hostname matching and revocation.

Likely follow-ups

  • What is the difference between a root CA and an intermediate CA?
  • How does OCSP stapling improve on plain OCSP?
  • What happens if a certificate is self-signed?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.