What are the main building blocks of a Public-Key Infrastructure (PKI)?
Registration Authority (RA), Certificate Authority (CA), Verification Authority (VA) / Directory Service, Personal Security Environment (PSE), and the consuming Security Application.
| Block | Role |
|---|---|
| Registration Authority (RA) | Front desk — verifies the applicant's identity, collects documents, forwards the request to the CA |
| Certification Authority (CA) | Back office — signs certificates with the CA's private key |
| Verification Authority (VA) | Answers "is this cert still valid?" queries (OCSP responder) |
| Directory Service (DIR) | Public repository where certificates and CRLs are published (LDAP, HTTP) |
| Personal Security Environment (PSE) | The user-side storage for their private key — software keystore, smartcard, USB token, HSM |
| Security Application | The thing that uses certs — browser (TLS), email client (S/MIME), VPN, code-signing tool |
Why split RA and CA? Identity verification and signing are very different security boundaries. RA staff are often physically present (taking ID cards from people) — they shouldn't have access to the CA's signing key. The CA can sit in a vault, accept signed requests from the RA, sign, and publish.
PSE storage tiers (from least to most secure):
| Storage | Key extractable? |
|---|---|
| Soft-Token (password-encrypted file) | Yes — bytes are readable from disk |
| Smart card / Chip card | No — operations happen on-card |
| USB token (YubiKey, Nitrokey) | No — same as smartcard |
| Hardware Security Module (HSM) | No — server-grade, FIPS-certified |
Tip: For ordinary web use, your browser's keystore (a soft-token) is fine. For code-signing or high-value certs, use a hardware token — that way even malware on your dev machine can't exfiltrate the key, only request signatures.