Cyber Security

PKI Concepts

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.


In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.

On the Internet, a PKI refers to a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. Certificates can be implemented in software, securely distributed and managed, or in physical tokens. A popular token in use today is the Common Access Card (CAC).

More information on PKI is available here.

Web Site Wikipedia: Public-key Infrastructure

Web Site DISA IASE: About PKI and PKE

Web Site Wikipedia: Common Access Card

Certificate Concepts

Certificates are used to set up a secure connection to a website. This includes authentication of the server and establishing an encrypted session with the web server to protect your information from being intercepted and read by unauthorized people or machines. The technical name for the secure session is Transport Layer Security (TLS), but it is more commonly referred to by the original terminology, Secure Sockets Layer (SSL).

When you first connect to any of our BCT-LLC secure sites, your web browser checks the certificate for these sites, and if you have not previously established a chain-of-trust for BCT-LLC servers by installing our root certificate, your browser has no way of knowing that you trust our servers. It lets you know this with a warning, which you can safely choose to ignore. These warnings are intended to protect people against spammers and phishers who use fake links that people click without really knowing to whom they are connecting.

The chain-of-trust is an unbroken sequence of trusted connections beginning with a trusted root authority and ending with the individual user. All that a certificate warning is checking is whether or not the web site's name has been verified by someone you trust: either a specific root certificate authority you have installed, or one of the commercial companies that sell certificates for verified web sites.

Microsoft, Apple, Mozilla (Firefox), Oracle, and other vendors operate programs to qualify and pre-install trusted root certificate authorities as part of their software. For a price, these vendors will pre-install root certificate authorities. You should note that this list includes a large number of commercial firms who sell certificates to customers as a revenue stream. This list of default trusted root certificate authorities also includes many foreign governments.

We believe that our own directly assigned chain-of-trust is more relevant than Microsoft's or Apple's defaults. If you believe that you are receiving our BCT-LLC root certificate authority in a secure manner from a source that you know (such as this web site), then you can safely receive and install our root certificate as trusted, and the warnings will go away. If you want additional verification for your "chain of trust", then call us on the phone and we will verbally verify the certificate. You can download the certificate yourself from this web site.
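To make the chain-of-trust check described above concrete, here is an added Go example; it is not code from this web site or from BCT-LLC. It constructs a private root CA (standing in for an organisation's own root) and a server certificate issued by that root, then runs the same verification a browser performs: first with an empty trust store (the warning case, because nothing chains to a trusted root), then after the root has been "installed" into the store, and finally against a different host name to show that a trusted chain is still rejected when the certificate was issued for another site. All names, keys and certificates are generated inside the program and are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert signs template with the signer's key and returns the parsed certificate.
// When parent == template the result is self-signed, i.e. a root.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain constructs a private root CA and a server certificate issued by it
// for serverName. Keys and names are generated here; none of this is a real certificate.
func buildChain(serverName string) (root, server *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if root, err = newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name a browser matches against the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if server, err = newCert(serverTmpl, root, &serverKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	return root, server, nil
}

// checkServerCert mimics the browser's check when connecting to host. The trust
// store starts empty (unlike a browser's vendor-supplied list); rootInstalled models
// the user having installed the private root. Returns "" when the chain verifies and
// names the host, otherwise a short reason.
func checkServerCert(server, root *x509.Certificate, host string, rootInstalled bool) string {
	store := x509.NewCertPool()
	if rootInstalled {
		store.AddCert(root)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &unknownCA):
		return "unknown authority" // the browser warning: no chain to a trusted root
	case errors.As(err, &badHost):
		return "hostname mismatch" // trusted chain, but issued for a different site
	default:
		return err.Error()
	}
}

func main() {
	root, server, err := buildChain("secure.example.test")
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		host      string
		installed bool
	}{{"secure.example.test", false}, {"secure.example.test", true}, {"other.example.test", true}} {
		result := checkServerCert(server, root, c.host, c.installed)
		if result == "" {
			result = "trusted"
		}
		fmt.Printf("host=%s rootInstalled=%v -> %s\n", c.host, c.installed, result)
	}
}
```

The empty `CertPool` is deliberate: passing a nil `Roots` would make Go fall back to the operating system's vendor-supplied root list, which is exactly the default trust the text contrasts with an explicitly installed root.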