Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is the framework of key pairs, digital certificates, and certificate authorities that lets a digital signature be created and independently verified.
Public Key Infrastructure, or PKI, is the system of cryptographic keys, digital certificates, and trusted authorities that makes a digital signature verifiable. It rests on public-key cryptography, where each party holds a matched pair of keys: a private key that only they control and a public key that anyone can see. The private key signs, and the public key checks the signature. Because the two are mathematically linked but the private key cannot be derived from the public one, a signature that the public key validates could only have been produced by the matching private key.
A signature on its own does not prove who you are; it only proves which key was used. PKI closes that gap with digital certificates. A certificate is an electronic document that binds a public key to an identity, such as a person, a company, or a server. The certificate is issued and digitally signed by a certificate authority (CA), an organization that other software is configured to trust. When your device checks a signature, it follows a chain from the signing certificate up to a CA it already trusts. If every link in that chain is valid and unexpired, the identity is accepted; if any link is broken, tampered with, or revoked, verification fails.
Three moving parts do most of the work. First, the key pair generates and verifies signatures. Second, the certificate authority vouches for who owns each public key and can revoke a certificate that has been compromised. Third, a hash function condenses the document into a short fixed-length fingerprint; the private key signs that fingerprint rather than the whole file. If even one character of the document changes afterward, the fingerprint no longer matches, which is what makes a properly built digital signature tamper-evident.
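The three parts above in working Go, as an added example that is not part of this article or of any sign.pink code: a self-signed root CA issues a signer certificate, the signer signs the SHA-256 fingerprint of a document with RSA PKCS#1 v1.5, and the verifier walks the chain to the trusted root before checking that fingerprint against the signature. The helper names NewIdentity, SignDocument and VerifyDocument, the 2048-bit key size and the one-day validity are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// NewIdentity (this example's own helper) makes a key pair plus a certificate binding the public key to name; with parent == nil it is a self-signed root CA.
func NewIdentity(name string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // arbitrary validity for the example
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer: self-signed root, allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// SignDocument hashes the whole document with SHA-256 and signs only that fixed-length digest.
func SignDocument(doc []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}
// VerifyDocument walks the chain from the signer's certificate to a trusted root, then checks the signature.
func VerifyDocument(doc, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // chain broken: issuer not in the trust store, expired, or not a CA
	}
	digest := sha256.Sum256(doc) // one changed byte gives a different digest, so the check below fails
	return rsa.VerifyPKCS1v15(signer.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}
```

A certificate issued by a CA that is not in the trust store fails at the chain step even if its signature over the digest is mathematically valid, which is the difference between "which key signed" and "who signed".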
PKI is the machinery behind the higher tiers of the EU eIDAS regulation (Regulation (EU) No 910/2014). Advanced and qualified electronic signatures are defined around exactly this model: a signature uniquely linked to the signer, capable of identifying the signer, created with data the signer keeps under sole control, and able to detect any later change to the document. For most everyday e-signing, including sign.pink, you do not configure PKI yourself. The platform applies its own certificate to seal each finished document and records a tamper-evident audit trail, so signers get verifiable, reliable records without managing keys or certificates on their own.
Examples
- A signer's app validates a digital signature by tracing its certificate back to a trusted certificate authority before showing a green check.
- If a single character in a signed PDF is altered, the document's hash no longer matches the signed fingerprint, so PKI-based verification flags it as tampered.
- Under eIDAS, advanced and qualified electronic signatures rely on PKI to link a signature to the signer and detect later changes.
- A platform applies its own signing certificate to seal a completed document so anyone can later confirm it has not been modified.