PKI, Certificates, CA, CRL, and OCSP Explained for Beginners

Beginner-friendly PKI tutorial: public keys, X.509 certificates, Certificate Authorities, trust chains, SAN extensions, PEM and PFX formats, CRL vs OCSP revocation, TLS and mTLS handshakes—with diagrams and OpenSSL examples you can run on Linux.

Published

Updated

Read time 10 min read

Reviewed byDeepak Prasad

PKI, Certificates, CA, CRL, and OCSP Explained for Beginners

Certificate management sounds like a wall of acronyms—PKI, CA, CSR, SAN, CRL, OCSP—until you see how the pieces connect. This page is a concept-first guide for anyone new to TLS and OpenSSL: what each term means, how trust flows from a root CA down to your web server, and what happens during a TLS handshake before encrypted data moves.

I organized it the way most teams learn: keys and certificates first, then CAs and chains, then formats and revocation, then TLS and mutual TLS. Short OpenSSL commands appear where they make the ideas concrete; I ran them on Ubuntu 25.04 so you can compare your output. When you are ready to issue real certs, continue with the OpenSSL & PKI tutorial hub.

Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic; OpenSSL 3.4.1.


Quick answer: what is PKI?

Public Key Infrastructure (PKI) is the framework that binds identities to public keys using digitally signed certificates. A Certificate Authority (CA) you trust signs a server’s certificate; your browser or API client validates that signature against trusted root CAs, checks expiry and revocation, then uses the server’s public key to set up encrypted TLS traffic.

Without PKI you still have encryption—but you cannot be sure you are talking to the real site, not an impostor with another key pair.


Glossary: terms you will hear daily

Term Plain meaning
PKI The whole system: keys, certs, CAs, trust stores, revocation
Asymmetric crypto Key pair: public key encrypts or verifies; private key decrypts or signs
X.509 Standard format for public-key certificates (versions v1–v3; v3 adds extensions)
DN (Distinguished Name) Text identity in a cert, e.g. CN=www.example.com,O=Acme
CSR Certificate Signing Request—unsigned request sent to a CA for signing
CA Entity that issues and signs certificates
Root CA Top of the chain; its cert is self-signed and stored in trust stores
Intermediate CA Sub-CA signed by root; signs end-entity (leaf) certificates
Leaf / end-entity cert Server, client, or user certificate used in production
SAN Subject Alternative Name—DNS names, IPs, emails the cert is valid for
Trust store OS or browser bundle of trusted root CA certificates
CRL Certificate Revocation List—periodic download of revoked serial numbers
OCSP Online Certificate Status Protocol—real-time good/revoked/unknown check
TLS / SSL Protocol that encrypts traffic; certificates authenticate the server (and sometimes the client)
mTLS Mutual TLS—both sides present and verify certificates

Public keys, private keys, and why trust matters

In asymmetric cryptography each party has a key pair:

  • The private key must stay secret. Whoever holds it can prove ownership of the matching certificate or decrypt data meant for that key.
  • The public key can be shared. It appears inside the certificate and is used during the TLS handshake.

Encrypting traffic alone is not enough. An attacker can present their own key pair and still speak TLS with you. PKI adds identity: a CA (or your internal policy) attests that this public key belongs to www.yourbank.com or your corporate VPN gateway.

NOTE
OpenSSL and Linux tutorials often say “SSL certificate.” Modern services use TLS 1.2 or TLS 1.3. The certificate format is the same; only the protocol name changed.

What is a digital certificate?

A certificate is a signed document that says: “this public key belongs to this identity, for this period, according to this issuer.” The most common format is X.509 version 3.

Diagram labeling Subject, Issuer, public key, validity dates, serial number, and X.509 extensions inside a certificate

Typical fields you will inspect with openssl x509:

Field What it tells you
Subject Who the cert is for (CN, organization, country)
Issuer Which CA signed it
Validity (notBefore / notAfter) When the cert is valid
Serial number Unique ID per issuer; used in revocation
Public key RSA, ECDSA, or Ed25519 key bound to the cert
Extensions SAN, key usage, basic constraints, EKU, etc.

On a lab host I issued a three-level chain (root → intermediate → server) and printed the leaf metadata:

bash
openssl x509 -in server.pem -noout -subject -issuer -dates -serial
text
subject=CN=www.example.test
issuer=CN=Demo Intermediate CA
notBefore=Jul  2 07:05:30 2026 GMT
notAfter=Jul  2 07:05:30 2027 GMT
serial=2B9CEB3E35AC58FCFAA75045A9D9F642B6A0CB1E

The issuer of the leaf should match the subject of the intermediate above it in the chain. To decode a file on disk, see View certificate with OpenSSL.


Certificate Signing Requests (CSR)

Before a CA signs your certificate, you usually generate a key pair locally and create a CSR. The CSR contains the public key and the name(s) you want in the certificate; it is signed with your private key so the CA knows you control that key.

Typical flow:

  1. Generate private key (openssl genrsa or openssl genpkey).
  2. Create CSR with desired DN and SAN (openssl req -new).
  3. Submit CSR to a CA (public CA, internal portal, or your own openssl ca).
  4. Receive signed certificate (and often intermediate chain files).

The CSR is not a certificate—it cannot enable HTTPS until the CA signs it. Pitfalls (wrong SAN, weak key size, missing extensions) are covered in Things to consider when creating a CSR and Generate CSR with OpenSSL.


Certificate Authorities and the chain of trust

A Certificate Authority issues certificates after it validates identity according to its policy. There are two broad classes:

Type Who uses it Examples
Public CA Internet-facing sites and services DigiCert, Sectigo, Google Trust Services, Let's Encrypt
Private CA Internal apps, VPN, mTLS meshes, dev clusters Your company's root CA on Linux

CAs are rarely a single hop. A root CA signs an intermediate CA; the intermediate signs your server certificate. Clients trust the root (preinstalled in the OS or browser); they build a path from leaf → intermediate → root.

PKI chain of trust from Root CA through Intermediate CA to server leaf certificate

The root certificate is self-signed: no higher authority exists, so the root signs itself and you explicitly trust it (public roots ship in trust stores; private roots are distributed by your IT team).

Verify a chain with OpenSSL once you have the PEM files:

bash
openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem
text
server.pem: OK

Hands-on CA build: Create a Root CA on Linux and Build the certificate chain.


Common certificate types

Type Purpose Notes
Server TLS HTTPS, LDAPS, SMTPS Needs SAN matching every hostname clients use
Wildcard *.example.com One cert for many subdomains; SAN or CN pattern
SAN (multi-name) Several hostnames or IPs on one cert Standard for modern public CAs
Client Identifies a user or device to a service Used in VPN and mTLS
Code signing Signs software binaries Different EKU and key storage rules
Email (S/MIME) Sign or encrypt email Less common in DevOps guides

A self-signed certificate is signed by the same key that it contains—typical for a lab root CA or generate self-signed certificate on localhost. Browsers do not trust self-signed server certs unless you import them manually.


X.509 extensions that matter in production

Version 3 certificates carry extensions—extra rules beyond subject and public key:

Extension Why it matters
subjectAltName Hostnames and IPs clients must match (required for HTTPS in practice)
basicConstraints CA:TRUE for CAs; CA:FALSE for servers
keyUsage What the key may do (digitalSignature, keyEncipherment, keyCertSign, …)
extendedKeyUsage serverAuth, clientAuth, codeSigning, etc.
subjectKeyIdentifier / authorityKeyIdentifier Link certs in a chain

Example SAN on the lab server cert:

bash
openssl x509 -in server.pem -noout -ext subjectAltName
text
X509v3 Subject Alternative Name: 
    DNS:www.example.test

More examples: Subject Alternative Name and Add X.509 extensions.


Certificate file formats (PEM, DER, PKCS#12, PKCS#7)

The same logical certificate can be stored in different encodings:

Format Encoding Typical extensions Common use
PEM Base64 text with BEGIN/END lines .pem, .crt, .key Linux, nginx, Apache, OpenSSL CLI
DER / CER Binary .der, .cer Windows exports, Java keystores import
PKCS#12 Binary bundle (cert + key + chain) .pfx, .p12 Windows IIS, Java, Azure
PKCS#7 ASCII or DER cert bag .p7b, .p7c CA bundles from some vendors

Convert or inspect without guessing:

bash
# PEM text cert — human readable
openssl x509 -in cert.pem -text -noout

# Binary DER — add -inform DER
openssl x509 -in cert.cer -inform DER -text -noout

Export and import PKCS#12: Create PFX from CRT and KEY and Extract private key from PFX. Default OpenSSL paths on disk: OpenSSL config locations.


Revocation: CRL and OCSP

Certificates have an expiry date, but compromise or policy change can require early invalidation. Revocation answers: “should this serial number still be trusted?”

Certificate Revocation List (CRL)

The CA publishes a signed CRL file listing revoked serial numbers (until they expire). Clients or TLS libraries download the CRL periodically and reject listed certs. CRLs can grow large and stale between updates.

Online Certificate Status Protocol (OCSP)

The client sends the certificate serial number to an OCSP responder. The responder returns good, revoked, or unknown without downloading the full CRL. Stapling (OCSP stapling) lets the server attach a fresh OCSP response during TLS to save client round trips.

Comparison of CRL periodic list download versus OCSP real-time status query

Mechanism Pros Cons
CRL Simple offline model; works in locked-down networks Large files; delay until next CRL fetch
OCSP Fast per-cert check Responder must be online; privacy considerations

OpenSSL revocation labs: Revoke certificate and generate CRL and Revoke a missing or lost certificate.


How TLS uses certificates (handshake overview)

When a browser opens https://example.com, TLS negotiates encryption and authenticates the server. Simplified steps:

  1. ClientHello — client offers TLS versions and cipher suites.
  2. ServerHello — server picks parameters and sends its certificate (and often intermediates).
  3. Certificate validation — client builds a chain to a trusted root, checks hostname against SAN, expiry, and revocation (CRL/OCSP).
  4. Key exchange — client and server agree on session keys (modern TLS 1.3 uses fewer round trips than TLS 1.2).
  5. Finished — both sides confirm; application data flows encrypted with symmetric keys.
IMPORTANT
Always pass Server Name Indication (SNI) when testing with openssl s_client -servername hostname. Without SNI you may inspect the wrong certificate on shared hosting.

Quick live check (dates change when the site renews):

bash
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

Install a cert on a web server: Install SSL certificate on Nginx.


Mutual TLS (mTLS) in brief

Standard HTTPS (TLS) proves the server to the client. Mutual TLS also proves the client to the server—both sides present certificates.

Typical mTLS flow differences:

  1. Server sends its certificate as usual.
  2. Server requests a client certificate (CertificateRequest).
  3. Client sends its certificate; server validates chain and policy.
  4. Session keys are derived; both identities are established.

Use mTLS for service-to-service APIs, zero-trust meshes, and admin interfaces—not for ordinary public websites. End-to-end lab: Mutual TLS authentication.


Common misconceptions

Myth Reality
“A certificate encrypts traffic” TLS encrypts; the certificate identifies the peer and carries the public key
“CN alone is enough for HTTPS” Clients require SAN; CN-only certs fail hostname checks
openssl verify checks cert matches private key It checks chain trust only; use modulus or pubkey compare for key pairing (verify cert matches key)
“Self-signed is fine for production public sites” Visitors get warnings unless they manually trust your root
“Revocation never happens” Compromised keys and early reissues require CRL or OCSP

Next steps: hands-on OpenSSL lessons

This page is conceptual. The OpenSSL & PKI tutorial hub walks through each task in order:

Goal Start here
Install the CLI Install OpenSSL on Ubuntu
Issue SAN server certs Generate CSR and SAN certificate
Renew and revoke Renew SSL/TLS server certificate

References


Summary

PKI ties identities to public keys through signed X.509 certificates. You generate a private key and CSR locally; a Certificate Authority signs the CSR after validation; clients trust the result only if they can chain the cert to a root they already believe. Extensions such as SAN and key usage define where and how the cert may be used. PEM is the usual Linux format; PKCS#12 bundles cert and key for Windows and Java. When a cert must die early, CRLs and OCSP tell clients not to trust it. TLS uses that trust to set up encryption; mTLS adds client authentication. Use the diagrams and sample openssl output above as a map, then follow the OpenSSL tutorial hub for step-by-step commands on your own machine.

Frequently Asked Questions

1. What is PKI in simple terms?

Public Key Infrastructure (PKI) is the system of certificates, Certificate Authorities, and trust stores that lets computers verify who owns a public key. TLS on HTTPS relies on PKI so your browser can trust a server certificate before encrypting traffic.

2. What is the difference between a certificate and a private key?

The private key stays secret on the server or device. The certificate is a signed public document that binds a public key to an identity (hostname, organization, email). TLS uses the certificate in the handshake; only the holder of the matching private key can prove ownership.

3. What does a Certificate Authority do?

A CA checks identity (domain control, organization documents, or internal policy), signs a certificate with its private key, and publishes intermediates so clients can build a chain to a trusted root. Public CAs (DigiCert, Let's Encrypt) serve the internet; private CAs serve one company.

4. What is the difference between CRL and OCSP?

A CRL is a signed list of revoked certificate serial numbers that clients download periodically. OCSP is a live query: the client asks an OCSP responder whether one serial number is good, revoked, or unknown. Both answer the same question—has this cert been revoked before expiry?

5. Why do browsers require SAN on certificates?

Modern TLS clients match the hostname against Subject Alternative Name (SAN), not only the legacy Common Name (CN) field. A cert with CN=example.com but no SAN for that name often fails hostname verification even when the chain is valid.

6. Where should I start hands-on after reading this guide?

Install OpenSSL, then follow the OpenSSL tutorial hub: generate a key and CSR, build a small CA, issue a server cert, and inspect it with openssl x509. Links to each lesson are in the Next steps section at the end of this page.
Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …