PKI & Certificate Authority

Secure data over public networks

Public key infrastructure (PKI) is a cryptographic system designed to manage digital certificates, which are asymmetric pairs of encryption keys. One key is public and used to send information, and the other key is private and used to decrypt information.

PKI involves hardware-based key management servers which generate and manage the keys. This hardware also creates digital entities called certificate authorities (CA), which use digital certificates to authenticate objects, such as devices, users, or code. Futurex delivers public key infrastructure solutions through our FIPS 140-2 Level 3-certified key management servers.


A wide range of functionality

  • Generate a root of trust (RoT)
  • Create expansive certificate trees
  • Assign digital certificate expiration periods
  • Export and import digital certificate files and requests
  • Sign and verify files with digital signatures
  • Secure email and other internal communications
  • Validate digital objects such as devices, users, and files
  • Track and revoke certificates with certificate revocation lists (CRLs)
  • Determine certificate policy, such as use of the online certificate status protocol (OCSP)

PKI and CA

Public key infrastructure begins with a key management server to establish a certificate authority. The certificate authority (CA) is a digital cryptographic system that generates pairs of encryption keys. The cryptographic keys are asymmetric because one of the two is public while the other is private.

Digital certificates

The public key encrypts information before it travels across a public network. The private key decrypts the information after it reaches its destination. These asymmetric keys make up digital certificates. Digital certificates are issued to users or machines to provide them with a digital identity, allowing them to prove they are authorized to send or receive encrypted sensitive information through a secure channel.

In short

Think of the public key infrastructure as the means of creating, managing, and revoking digital certificates. PKI also refers to the security infrastructure that makes it possible. Such infrastructure can include HSMs, key management servers, and the security policies that govern their use.

Issuing CA

An issuing CA determines which certificates an offline root CA can generate. Organizations must protect their issuing CA to ensure the root CA processes only valid certificate requests. Futurex provides hardware-based key management solutions with full PKI functionality and wide integration with third-party applications.

  • All-in-one box solution streamlines infrastructure
  • Registration authority (RA) verifies CA requests
  • APIs enable automation and integration
  • Certified under FIPS 140-2 Level 3

E-invoice signing

Applying digital signatures to electronic invoices ensures their authenticity. Digital signatures authenticate users with asymmetric pairs of public and private encryption keys backed by HSMs. Futurex provides key management solutions to create a certificate authority (CA) and public key infrastructure (PKI) to handle authentication and payment security.

  • Establish PKI for mutual authentication
  • Create and manage certificate trees with CA
  • Reduce operational costs
  • Increase payment security

EMV CA

To issue EMV-compatible smart cards, organizations must establish an EMV certificate authority (CA). The EMV CA issues certificates and digital signatures to smart cards. These allow the cards to be validated by ATMs and point-of-sale (POS) terminals during payment transactions. Futurex offers a turnkey EMV CA capability to secure cards and payments.

  • Configure entire certificate trees
  • Manage key and certificate lifecycles
  • Deploy all-in-one turnkey CA service
  • Comprehensive data authentication: SDA, DDA, and CDA

Code signing

Code signing certificates allow organizations to securely distribute code and establish trust among applications. Futurex provides HSMs and key management solutions on-premises and in the cloud to help manage certificates and refine workflow, all in a turnkey solution. Code signing certificates are stored within Futurex FIPS 140-2 Level 3-certified HSMs.

  • HSMs enable easy integration
  • Establish certificate authority (CA) and registration authority (RA)
  • Prevent certificate mismanagement
  • Define and implement issuance policies and granular permissions

Certificate management

Digital certificates allow organizations to identify and trust entities. Futurex provides key lifecycle management to establish a certificate authority (CA) and PKI on-premises or in the cloud. Organizations gain authentication, signing, and management capabilities through a turnkey solution backed by FIPS 140-2 Level 3-certified modules.

  • Mutual authentication
  • Instant issuance
  • Code and device signing
  • OCSP server and CRL distribution point

Post-quantum cryptography

Advances in quantum computing threaten to render some algorithms obsolete, such as RSA, ECC, and Diffie-Hellman. With Futurex PKI and Hybrid CA (HCA) technology, organizations can automatically update conventional encryption key algorithms to quantum-proof alternatives, all while centralizing key and certificate management.

  • Issue X.509 and quantum-safe certificates
  • OCSP and CRL functionality
  • Keys stored in FIPS 140-2 Level 3 HSMs
  • Remotely update algorithms as needed

Offline root CA

Securing the root CA guarantees the integrity of an organization’s public key infrastructure (PKI). This becomes more relevant as the number of connected devices grows. Futurex provides offline root CA secured by FIPS 140-2 Level 3-certified HSMs, in a turnkey, all-in-one box solution to establish a potentially global network of trust.

  • Protect private keys with FIPS-certified HSMs
  • Manage key lifecycles from a centralized platform
  • Deploy on-premises or through the cloud
  • Root CA allows for issuing CA, certificate trees, and PKI

Blockchain

Blockchain transactions rely on powerful encryption and robust digital signing, and Futurex provides FIPS 140-2 Level 3-certified HSMs to digitally sign transactions. Our key management solutions offer full key lifecycle management: generation, distribution, rotation, and revocation. Our devices offer full support for common interfaces such as KMIP and PKCS #11.

  • Secure cryptocurrency, smart contracts, code, and supply chain
  • Sign transactions using issuing CA backed by an offline root CA
  • Scale transaction processing (TPS) to the nth degree
  • Centralize key management with an intuitive user interface

IoT signing

Internet of things (IoT) manufacturers must secure their devices from the production floor to the field. Futurex provides key management solutions to create a certificate authority (CA) and public key infrastructure (PKI). These solutions generate and manage digital certificates and device signatures. The result is a network of trusted devices on a potentially global scale.

  • Deploy on-premises or in the cloud
  • Offline root CA secures private keys
  • Issuing CA creates and manages certificate trees
  • FIPS 140-2 Level 3 HSMs offer high security

OCSP and CRL

Certificate revocation lists (CRLs) and online certificate status protocol (OCSP) are important to certificate management. Not only does Futurex provide the HSMs and key management servers to establish a certificate and registration authority, but we also provide the tools to automate certificate management based on user-defined parameters.

  • Centralize certificate management
  • Configure certificate trees using CA
  • Track and revoke certificates with CRLs
  • Determine certificate policy with OCSP

DNSSEC

Domain Name System Security Extensions (DNSSEC) involves authenticating domain names using digital signatures generated according to public-key cryptography, where cryptographic keys are created in asymmetric pairs. Futurex provides the most powerful, versatile, and secure key management technology on the market.

  • Powerful HSMs create keys for DNSSEC
  • Asymmetric encryption creates public/private key pairs
  • Private keys secured via offline root CA
  • PKI allows domain authentication

Any size, any scale. Any location.

Deployment: on-premises and the cloud

Using your own data center to deploy a Futurex technology solution on-premises provides unbeatable data privacy. This is especially relevant to PKI as a root CA must be kept on-premises and offline. However, some organizations find it simpler to deploy in the cloud, and thanks to the market-leading Futurex VirtuCrypt cloud technology, cloud-based PKI solutions are a reality.
