Certyneo
X.509 · PKI · eIDAS qualified certificate

Digital signature certificate and certificate authority

Behind every reliable digital signature sits an electronic certificate: a file that verifiably binds an identity (a person, a company) to a public key. Issued by a trusted certificate authority (CA), this certificate lets anyone verify a signature's authenticity and detect the slightest change to the document. This guide explains what a digital signature certificate is, how the chain of trust works (PKI, certificate authority, root certificate), what sets an eIDAS qualified certificate apart from an ordinary one, and how a signature stays verifiable even after the certificate is revoked or expires.

What is a digital signature certificate?

A digital signature certificate (or electronic certificate) is a file issued by a certificate authority that binds a public key to its holder's identity. In practice, when a signer applies their signature, a hash (fingerprint) of the document is signed with their private key; anyone holding the matching certificate can then use the public key it contains to verify two things: that the signature was produced with the private key belonging to the identified holder, and that the document hasn't been modified since signing, since any change, however small, alters the hash and breaks the signature.

A certificate follows the X.509 standard and contains the holder's identity, their public key, the identity of the issuing certificate authority, a validity period, and the CA's signature guaranteeing it all. Its reliability rests not on the certificate alone but on the chain of trust that goes back to a recognised root authority. That chain — the PKI (Public Key Infrastructure) — turns a mere file into enforceable proof of identity.

The five key concepts of digital trust

A certificate never works alone: it belongs to an infrastructure whose essential components are below.

The X.509 certificate

X.509 is the standard format of an electronic certificate. It describes the file's structure: serial number, holder identity (subject), public key, issuer identity, validity dates, permitted uses, and the CA's signature. It is the universal format used for signing, encryption and website TLS certificates.

The certificate authority (CA)

A certificate authority (CA) is a trusted body that issues certificates and vouches for their holders' identity after verification. Qualified CAs are supervised by national authorities (ANSSI in France) and listed on the EU Trusted List. A CA can be a root, an intermediate or an issuing authority.

The PKI (public key infrastructure)

The PKI (Public Key Infrastructure) is the set of hardware, software, procedures and authorities that manage the certificate lifecycle: issuance, renewal, revocation, publication. It organises the chain of trust, from the root authority down to the end user's certificate.

The eIDAS qualified certificate

A qualified certificate is issued by a qualified trust service provider (QTSP) listed on an EU member state's trusted list. It offers the highest assurance level recognised in Europe and is the prerequisite for a qualified signature (QES), the only electronic signature automatically equivalent to a handwritten one.

Revocation (CRL & OCSP)

A certificate can be revoked before it expires (compromised key, departing employee, issuance error). Two mechanisms let a verifier check whether a certificate is still valid: the CRL (a signed list of revoked certificate serial numbers, published periodically by the CA, so it can lag behind a revocation by up to its publication interval) and the OCSP protocol (a signed, per-certificate status answer from the CA or its delegated responder, in near real time).
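As an added example (not Certyneo's code, and not part of the original page), the CRL side of this mechanism run end to end with the OpenSSL command line: a root CA issues a signer certificate through `openssl ca` so that the issuance is recorded in the CA database, publishes an empty CRL, revokes the certificate, publishes a fresh CRL, and the relying party's verdict flips. The identities, file names and reason code are invented for the demonstration; it assumes OpenSSL 1.1.1 or later on PATH. OCSP is not shown.

```shell
#!/bin/sh
# Constructed example (not Certyneo's code): CRL-based revocation with the
# OpenSSL CLI. A root CA issues a signer certificate through 'openssl ca'
# (so the issuance is recorded in the CA database), publishes an empty CRL,
# revokes the certificate, publishes a fresh CRL, and the verifier's verdict
# flips. Identities are invented. Needs OpenSSL 1.1.1 or later on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal 'openssl ca' configuration: database, counters, CA key and cert.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = root.pem
private_key      = root.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
x509_extensions  = v3_signer
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_signer ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Self-signed root CA (the trust anchor).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.cnf -extensions v3_ca -out root.pem 2>/dev/null
# Signer certificate, issued by the CA and recorded in index.txt.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=Alice Martin" -keyout signer.key -out signer.csr 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in signer.csr -out signer.pem 2>/dev/null

# Publish the CA's CRL: the signed list a relying party fetches from the
# CRL distribution point.
publish_crl() { openssl ca -config ca.cnf -gencrl -out "$1" 2>/dev/null; }

# Revoke: the CA marks the serial as revoked, with a reason, in its database.
revoke() { openssl ca -config ca.cnf -revoke "$1" -crl_reason "$2" 2>/dev/null; }

# Relying-party check: chain to the root AND look the leaf up in a CRL.
check_status() {        # $1 = certificate, $2 = CRL file; prints valid / revoked / error
  out=$(openssl verify -crl_check -CAfile root.pem -CRLfile "$2" "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo error ;;
  esac
}

publish_crl crl-at-signing.pem               # snapshot at signing time (empty CRL)
check_status signer.pem crl-at-signing.pem   # valid
revoke signer.pem keyCompromise              # e.g. the signer's laptop was stolen
publish_crl crl-now.pem                      # the new CRL lists the serial
check_status signer.pem crl-now.pem          # revoked
# The old snapshot still says "valid": this is the revocation data a PAdES
# B-LT/B-LTA signature embeds (together with a timestamp proving when it was
# captured), which is why a signature made before revocation stays verifiable.
check_status signer.pem crl-at-signing.pem   # valid
openssl crl -in crl-now.pem -noout -text | grep -E "Serial Number|Key Compromise"
```

The verdict depends on which CRL the verifier consults, and that is the whole point of long-term validation: a validator that fetches today's CRL will reject a signature whose certificate was revoked yesterday, even if the signature predates the revocation, unless the signature carries the revocation data and a trusted timestamp from signing time. The example does not produce the timestamp; without one, the "captured at signing time" claim rests on nothing a verifier can check.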

How the chain of trust is supervised

A certificate is only worth the trust placed in the authority that issued it. Four pillars guarantee that trust in Europe.

The certification chain

Each certificate is signed by an issuing CA, whose own certificate is signed by an intermediate CA (or directly by the root), up to a root CA whose certificate is self-signed and held in the verifier's trust store: the operating system or browser store, a PDF reader's list of approved CAs or, for qualified signatures, the EU Trusted List. Verifying a signature means walking that chain, checking each certificate's signature with the public key of the certificate above it, until a trusted root is reached. A self-signed certificate that is not in the trust store proves nothing, and a chain with a missing intermediate does not close.
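As an added example (not Certyneo's code, and not part of the original page), the objects described in the sections above built with the OpenSSL command line: a self-signed root, an intermediate issuing CA, a signer certificate with the X.509 fields listed earlier (subject, issuer, serial number, validity period, key usage), a document signature verified with nothing but the public key taken from the certificate, a tampered copy that fails, and the chain walk from the signer up to the root, including the two ways it fails. The identities, file names and the contract text are invented; it assumes OpenSSL 1.1.1 or later on PATH. The signature is a raw RSA signature over the SHA-256 hash, which keeps the mechanics visible; a PAdES signature wraps the same operation in a CMS structure inside the PDF.

```shell
#!/bin/sh
# Constructed example (not Certyneo's code): a two-tier PKI built with the
# OpenSSL CLI, root CA -> intermediate CA -> signer certificate, then a
# document signature, tamper detection and chain verification.
# Identities ("Example Root CA", "Alice Martin") are invented.
# Needs OpenSSL 1.1.1 or later on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One config file: an empty DN section for 'req' (subjects are passed with
# -subj) and the X.509 v3 extensions that make a certificate a CA or a signer.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_signer ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Key pair + certificate request in one step (-nodes: unencrypted key, demo only).
csr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
          -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
csr root         "/C=FR/O=Example Trust/CN=Example Root CA"
csr intermediate "/C=FR/O=Example Trust/CN=Example Issuing CA"
csr signer       "/C=FR/O=Example SAS/CN=Alice Martin"
csr other        "/C=FR/O=Someone Else/CN=Unrelated Root CA"

# Roots are self-signed; every other certificate is signed by the CA above it.
selfsign() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
               -extfile pki.cnf -extensions v3_ca -out "$1.pem" 2>/dev/null; }
issue() {    # $1 = name, $2 = issuing CA name, $3 = extension section, $4 = days
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$4" -sha256 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null; }
selfsign root
selfsign other
issue intermediate root v3_intermediate 1825
issue signer intermediate v3_signer 365

# The X.509 fields the article lists: subject, issuer, serial number, validity.
cert_info() { openssl x509 -in "$1" -noout -subject -issuer -serial -dates; }

# Sign: an RSA signature over the SHA-256 hash of the document.
sign_doc() { openssl dgst -sha256 -sign signer.key -out "$1.sig" "$1"; }

# Verify using only the public key carried inside the signer's certificate.
verify_doc() {          # $1 = document, $2 = signature file; prints ok / FAIL
  openssl x509 -in signer.pem -pubkey -noout > signer.pub
  if openssl dgst -sha256 -verify signer.pub -signature "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

# Walk the chain: leaf -> untrusted intermediate(s) -> a root in the trust store.
verify_chain() {        # $1 = leaf, $2 = trusted root(s), $3 = intermediate file (optional)
  if openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

printf 'Contract: Example SAS buys 10 widgets at 5 EUR each.\n' > contract.txt
sign_doc contract.txt
verify_doc contract.txt contract.txt.sig             # ok
cp contract.txt tampered.txt
printf '0' >> tampered.txt                           # change a single byte
verify_doc tampered.txt contract.txt.sig             # FAIL: the hash no longer matches
verify_chain signer.pem root.pem intermediate.pem    # ok: signer <- issuing CA <- root
verify_chain signer.pem root.pem                     # FAIL: intermediate missing, chain does not close
verify_chain signer.pem other.pem intermediate.pem   # FAIL: self-signed, but not our trust anchor
cert_info signer.pem
```

The trust anchor here is whatever file is passed with -CAfile; that is the verifier's choice, not the signer's, which is why a self-signed certificate the verifier has never seen proves nothing. A validator checking a qualified signature draws its anchors from the EU Trusted List rather than from a local file, and a PDF reader from its own approved-CA list; the chain walk is the same.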

The EU eIDAS Trusted List

Each member state publishes a Trusted List of its qualified providers and the services they offer. The European Commission aggregates these lists. A certificate issued by a QTSP on this list is recognised automatically across the entire European Union.

ANSSI and the RGS (France)

In France, ANSSI supervises qualified providers and publishes the General Security Framework (RGS), which defines the requirements for certificates used in exchanges with the public administration. It grants qualifications attesting a CA's compliance with these frameworks.

The ETSI EN 319 411 standards

The European ETSI EN 319 411 standards (part 1 for the general policy and security requirements, part 2 for the additional requirements on qualified certificates) define what a certificate authority must meet to issue recognised certificates, qualified or not. It is against these standards that an accredited conformity assessment body audits a QTSP before its listing on the Trusted List.

Simple, advanced or qualified certificate: what's the difference?

The certificate level determines the achievable signature level and its legal value. Here are the six dimensions that set them apart.

Issuer
  Simple certificate: any CA, with no particular supervision.
  Advanced certificate: a CA meeting enhanced security requirements (ETSI).
  Qualified certificate: a qualified provider (QTSP) on the eIDAS Trusted List.

Identity verification
  Simple certificate: weak, often just email validation.
  Advanced certificate: enhanced identity verification of the holder.
  Qualified certificate: in person or equivalent (certified video identification).

Signature level enabled
  Simple certificate: simple signature (SES).
  Advanced certificate: advanced signature (AES).
  Qualified certificate: qualified signature (QES).

Legal value
  Simple certificate: admissible, but the party relying on the signature must prove its reliability.
  Advanced certificate: strong presumption of reliability.
  Qualified certificate: automatic equivalence with a handwritten signature.

EU recognition
  Simple certificate: no harmonised recognition.
  Advanced certificate: recognised, under conditions.
  Qualified certificate: recognised automatically across the European Union.

Typical use
  Simple certificate: internal validation, acknowledgements.
  Advanced certificate: commercial contracts, HR, quotes.
  Qualified certificate: notarial deeds, public procurement, lawyer's deeds.

Frequently asked questions — digital signature certificate

What's the difference between an electronic certificate and a digital signature?
The digital signature is the result of a cryptographic operation applied to a document; the electronic certificate is the file that proves who owns the key used to sign. Without a certificate, a digital signature is just a string of bytes that proves nothing about who produced it: it is the certificate, issued by a certificate authority, that binds the signing key to a real identity and makes the signature attributable.
What is a certificate authority?
A certificate authority (CA) is a trusted third party that verifies an applicant's identity, issues an electronic certificate binding their identity to their public key, and publishes the information needed to verify and revoke that certificate. Qualified CAs are supervised by national authorities (ANSSI in France) and listed on the European Union's trusted list.
What is a qualified certificate?
A qualified certificate is an electronic certificate issued by a qualified trust service provider (QTSP) listed on an EU member state's trusted list. It is the highest assurance level recognised in Europe and the prerequisite for a qualified signature (QES), the only electronic signature automatically equivalent to a handwritten one under the eIDAS regulation.
What is PKI?
PKI (Public Key Infrastructure) is the set of authorities, hardware, software and procedures that manage the lifecycle of electronic certificates: issuance, renewal, publication, revocation. It organises the chain of trust that links an end user's certificate to a recognised root authority.
How do you check that a certificate is still valid?
Beyond its validity period, a certificate may have been revoked (compromised key, issuance error). Two mechanisms check this: the CRL (Certificate Revocation List), a list of revoked certificates published regularly by the CA, and the OCSP protocol (Online Certificate Status Protocol), which queries a given certificate's status in real time. Signatures in PAdES B-LT/B-LTA format embed this data to stay verifiable over time.
Do you need to buy a certificate to sign electronically?
Not for most uses. For a simple (SES) or advanced (AES) signature, the signing platform manages the certificates — you have nothing to buy or install. An individual qualified certificate is only needed to issue qualified signatures (QES) on your own; otherwise the qualified certificate is provided on the fly by the partner QTSP at signing time, after verifying your identity.
What is an X.509 certificate?
X.509 is the international standard defining the structure of an electronic certificate. An X.509 certificate contains, among other things: the holder's identity (the "subject"), their public key, the issuing authority's identity, a serial number, a validity period, the permitted key uses, and the CA's signature sealing it all. It is the format used both for document signing and for the TLS certificates that secure websites.

Sign with an eIDAS-recognised chain of trust

Certyneo relies on certificates issued by qualified trust service providers listed on the European Trusted List. SES and AES included, QES from €9.90/act.