Public Key Infrastructure (PKI) uses certificates to verify users, devices, applications, and servers. As the internet expanded, so did PKI’s remit, from securing email communication and VPNs to underpinning web encryption with HTTPS, digital signatures and machine identity management. PKI now supports countless daily activities. It ensures that data isn’t altered in transit, provides cryptographic proof that a particular user or system approved a transaction or document, and enables automatic trust in millions of systems and devices without sharing passwords. This makes PKI an important tool to protect against phishing, spoofing of websites and services, man-in-the-middle attacks, eavesdropping and data interception, credential theft, impersonation, password-based attacks and data tampering.
Like a passport that proves identity, PKI issues digital certificates that confirm the identity of users, devices, or systems before any sensitive information is exchanged. PKI’s asymmetric cryptography uses a public key and a private key to lock and unlock sensitive data. These keys can be used by people, devices, and applications. When information is sent from one place to another, a trusted third party, a Certificate Authority (CA), acts like a passport office, and verifies identities and issues certificates that bind keys to real entities.
Maeson Maherry, COO of global PKI provider Ascertia, and the former CEO of local PKI company LAWTrust, says almost everyone has by now heard about the finance employee in Hong Kong who was duped out of millions by AI deepfakes on a video call in 2024.
He says the incident shows the importance of strong digital identities. “By ensuring that users, devices, and transactions are cryptographically verified, organisations can add a layer of trust that even sophisticated deepfakes or AI-driven scams cannot easily bypass.”
For financial institutions, PKI secures online banking sessions, improves identity verification, and protects APIs and open banking ecosystems. It also streamlines customer authentication and enables digital signatures for contracts and regulatory reporting. With the industrialisation of fraud, which sees cybercriminals using a range of tricks and technologies to execute their scams, PKI verifies identities, ensuring that only authenticated entities can access systems or complete transactions. So says Japhet Gana, group head of transaction risk and financial crimes at Yellow Card.
PKI is essential to the success of a real-time interbank payment system such as PayShap, says Beavin de Kock, MD of IP products at iOCO, and director at Impression Signatures. PayShap lets individuals and businesses send and receive money within seconds using a simple identifier. To date, the platform has processed over $2.5bn and uses PKI to ensure transaction authenticity, he says. PKI secures the payment instructions using the ISO 20022 global open messaging standard, which prevents alteration during transit. PKI also enables the unbanked to open accounts remotely via mobile wallets without visiting a physical branch or completing any paperwork. “Digital-only banks entering the market, like TymeBank and Bank Zero, don’t have branch networks and rely heavily on services like PKI to ensure that they can operate safely in open internet environments,” says De Kock.
PKI is also essential to the success of the government’s digital transformation initiatives, like MyMzansi, says De Kock. This Digital Public Infrastructure aims to transform how citizens, businesses, and government interact digitally. “PKI will be used for remote identity verification. The goal is to allow citizens to open accounts and access services without needing any physical documents, which is a significant friction point in customer onboarding for financial institutions.”
It’s also a fundamental component of Vision 2025, the South African Reserve Bank’s strategic roadmap, which looks to develop a safe, efficient and inclusive National Payment System.
THE INCREDIBLE SHRINKING LIFECYCLES OF DIGITAL CERTIFICATES
Digital certificate lifecycles are getting shorter. By March 2026, the validity period for digital certificates will shrink from 398 days to 200 days. By March 2027, lifecycles will decrease again to 100 days and by March 2029, the maximum lifetime for a TLS certificate will shrink to 47 days. For businesses using certificates to secure websites, encrypt data, or authenticate users, this means renewing certificates more frequently than in the past. The main driver behind the shrinking of certificate lifecycles is security. Shorter lifecycles reduce the window of opportunity for attackers to exploit compromised certificates. But shorter lifecycles put pressure on tech teams to be more diligent about certificate issuance and renewals.
According to Michael Horn, executive for technology at Altron Security, PKI adoption is typically constrained by certificate management issues, legacy systems, skills shortages, cost pressures, regulatory complexity and a lack of consistency. “These challenges often result in missed renewals, expired certificates, and configuration errors, which can cause unplanned outages and disrupt critical services.”
In 2020, Microsoft Teams went down for nearly three hours after a security certificate wasn’t renewed on time. Missteps can also affect internal services, such as APIs, VPNs, and infrastructure endpoints. Starlink experienced an outage in 2023 due to an expired ground station certificate. This prevented ground stations from communicating with the satellites for several hours.
According to a recent report from CyberArk, 56% of businesses have suffered unplanned outages due to expired certificates or configuration errors; 60% have experienced security exploits due to weak cryptography; 58% have suffered third-party certificate authority compromises; and 43% have experienced server private key theft.
Consider any of the big banks or financial services firms, which coordinate tens of thousands of certificates for users, devices, apps, and the cloud, says Altron’s Horn. If managing these certificates were done manually, it would likely involve a large spreadsheet with certificate particulars, such as expiry dates. “This process is incredibly inefficient, so we automate it.”
Many well-established players in the finance space still run legacy infrastructure such as mainframes, IBM AS/400s, and Unix systems, which make automation harder because older technologies weren’t designed for modern certificate management. To automate certificate lifecycle management on legacy systems, connectors are needed to fill in the gaps. “These gaps aren’t the end of the world, but they do require more work, and you have to write custom code to bring everything together,” Horn says. All of this underscores that without proper oversight, even the strongest PKI infrastructure can lead to outages, service disruptions, and security gaps. Realising the benefits of PKI requires disciplined management and operational controls.
Most experts estimate that cryptographically relevant quantum computers will emerge sometime in the next decade. For Maherry, no conversation about PKI can happen without unpacking how quantum computers could one day crack the encryption that secures our current digital identities and financial transactions. Traditional encryption methods are considered secure today because breaking them with classical computers would take an impractical amount of time. But quantum computers will be able to solve complex mathematical problems much faster than classical computers, he says. “This means that sensitive data intercepted now can be harvested and decrypted later.”
In response, governments, and the tech industry more broadly, are moving to implement post-quantum cryptography (PQC), a class of algorithms designed to resist attacks by quantum computers. PQC ensures that digital certificates, secure transactions, and customer data remain safe, even as quantum computers become more powerful and can break current encryption standards.
“But to do this effectively, it’s critical to identify and map all digital certificates across the IT environment and create a certificate inventory to prevent untracked certificates from opening the business up to security risks,” says Horn. Regulators around the world are already taking concrete steps to address the risks posed by quantum computing, but, says Maherry, some businesses are slow to respond because they don’t see the value of changing what they’re already doing. “We’re talking about very big transition programmes that need to be carefully executed and managed. But having a ‘we’ll deal with it when it happens’ mindset and viewing PQC as a future problem, not an immediate threat, can increase future complexity and risk.”
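As an added illustration of the certificate inventory Horn describes and the shrinking validity schedule above (example code written for this page, not code from the article or from any vendor quoted in it), the following Python audits a constructed inventory and flags certificates that were issued with a lifetime longer than the rules allowed, have expired, or are due for renewal. It assumes each reduction takes effect on the 1st of the month named in the article, and the 30-day renewal window and 2048-bit RSA minimum are assumed policy values, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date

# Max TLS lifetime (days) from the article's schedule, newest rule first; assumption: each reduction applies from the 1st of the month named.
MAX_VALIDITY_SCHEDULE = [(date(2029, 3, 1), 47), (date(2027, 3, 1), 100), (date(2026, 3, 1), 200)]
LEGACY_MAX_VALIDITY = 398  # limit in force before March 2026

def max_validity_days(issued_on: date) -> int:
    """Longest lifetime a certificate issued on `issued_on` may have."""
    for effective_from, days in MAX_VALIDITY_SCHEDULE:
        if issued_on >= effective_from:
            return days
    return LEGACY_MAX_VALIDITY

@dataclass
class CertRecord:  # one row of the certificate inventory
    subject: str
    not_before: date
    not_after: date
    key_algo: str
    key_bits: int

def audit_inventory(inventory, today, renew_within_days=30, min_rsa_bits=2048):
    """Return {subject: [finding codes]}; the two thresholds are assumed policy values."""
    findings = {}
    for cert in inventory:
        codes = []
        lifetime = (cert.not_after - cert.not_before).days
        if lifetime > max_validity_days(cert.not_before):
            codes.append("OVER_MAX_VALIDITY")  # longer than the rules allowed at issuance
        remaining = (cert.not_after - today).days
        if remaining < 0:
            codes.append("EXPIRED")  # the outage case the article describes
        elif remaining <= renew_within_days:
            codes.append("RENEW_SOON")
        if cert.key_algo == "RSA" and cert.key_bits < min_rsa_bits:
            codes.append("WEAK_KEY")
        findings[cert.subject] = codes
    return findings

# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    CertRecord("api.bank.example", date(2026, 4, 1), date(2026, 12, 1), "RSA", 2048),
    CertRecord("vpn.bank.example", date(2025, 9, 1), date(2026, 6, 20), "EC", 256),
    CertRecord("legacy.as400.example", date(2025, 1, 1), date(2026, 1, 1), "RSA", 1024),
    CertRecord("pay.bank.example", date(2026, 5, 1), date(2026, 8, 15), "EC", 256),
]
if __name__ == "__main__":
    for subject, codes in audit_inventory(SAMPLE_INVENTORY, date(2026, 6, 1)).items():
        print(f"{subject}: {', '.join(codes) or 'OK'}")
```

Run against a real inventory, the same loop is what a scheduled job would feed into renewal automation rather than a spreadsheet.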
In 2024, NIST said it would start replacing traditional public key cryptography by 2030, and would disallow it by 2035. It said integration into systems has historically taken between one and two decades. "Since sensitive data often retains its value for many years, starting the transition to post-quantum cryptography now is critical to preventing these future breaches. This threat model is one of the main reasons why the transition to post-quantum cryptography is urgent."
When Horn gives presentations on this topic, he has a slide that compares the eventual arrival of quantum computers to Y2K. “The big difference is that with Y2K, we had a clear deadline – midnight on December 31 1999. With quantum computing, there’s no exact timeline, which leads some to take a wait-and-see approach until we have a clearer idea of quantum technology’s progress. This is a mistake.”
* Article first published on www.itweb.co.za

