Public-key infrastructure (PKI) simplifies the distribution of public keys used in public-key authentication. PKI relies on digital certificates as an extension of traditional public keys. Certificate authentication is an extension of public-key authentication because it still uses public keys as the basis but greatly improves scalability. Instead of trusting several individual entities and maintaining a database of their public keys, it is enough to trust a single trusted party, a certification authority (CA).

Because of the improved manageability, security policies can be enforced more easily, and this in turn can result in increased overall security.

Certificates are digital documents that are used for secure authentication of the communicating parties. A certificate binds identity information about an entity to the entity's public key for a certain validity period. A certificate is digitally signed by a trusted third party who has verified that the key pair actually belongs to the entity. Certificates can be thought of as analogous to passports that guarantee the identity of their bearers.

The trusted party who issues certificates to the identified end entities is called a certification authority (CA). Certification authorities can be thought of as being analogous to governments issuing passports for their citizens.