# PKI Fundamentals & Trust Context

**Public Key Infrastructure (PKI)** is the framework that allows secure communication over the internet. It relies on cryptographic keys and a chain of trust to verify identities.

## Core Concepts

Understanding these two mechanisms is essential to understanding how TrustLab works.

### 1. Asymmetric Encryption

Secure communication relies on a pair of keys:

* **Public Key**: Shared with everyone. Used to **encrypt** data and to **verify** signatures.
* **Private Key**: Kept secret. Used to **decrypt** data and **sign** digital assets.

### 2. The Chain of Trust

A certificate is only trusted if it is signed by a known authority. This forms a chain:

* **Root CA**: The trusted anchor. It signs itself. You must install this on your device to trust the chain.
* **Intermediate CA**: Signed by the Root CA. Used to sign day-to-day certificates, so the Root CA's private key can stay offline.
* **Leaf Certificate**: The final certificate used on your web server or email client.

---

## The Two Lanes of Trust

The internet security model is built on two distinct "lanes". Mixing them up causes browser errors, but using them correctly provides **Military-Grade Security**.

* [Public Lane (Global)](#public-pki)
* [Private Lane (Internal)](#private-pki-trustlab)

### Public PKI

* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
* **Limitation**: **Cannot** issue certificates for private IPs (`192.168.x.x`) or internal domains (`.local`, `.lan`).

### Private PKI (TrustLab)

* **Issuer**: TrustLab Root CA (your organization).
* **Trust Model**: Trusted **ONLY** by devices that have explicitly installed your Root CA.
* **Superpower**: Can secure **ANYTHING** internal (localhost, database servers, IoT).
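A worked version of the chain above, added here as an example and not part of TrustLab's own code: it builds a Root CA, an Intermediate CA and a leaf for an internal name plus a private IP with the OpenSSL CLI, then verifies the leaf as a device with and without the Root CA installed would. It assumes the `openssl` CLI (1.1.0 or newer) is on `PATH`; every name, IP and path is constructed for the example.

```shell
# Three-tier chain (Root CA -> Intermediate CA -> leaf) with the OpenSSL CLI.
# Assumes: openssl 1.1.0+ on PATH. All names, IPs and file paths are constructed.

build_chain() {
  d="$1"; mkdir -p "$d"
  # Root CA: self-signed trust anchor, CA:TRUE, allowed only to sign certs/CRLs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=TrustLab Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root; pathlen:0 means it may only sign leaves,
  # so the root key never has to come online for day-to-day issuance.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=TrustLab Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1825 -sha256 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
  # Leaf: an internal hostname and a private IP in the SAN, which a public CA will not issue.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.corp,IP:192.168.10.5\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=intranet.corp" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 397 -sha256 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# A device that installed the Root CA: anchor on root.pem, pass the intermediate as
# untrusted chain material, and require the SAN to match the host being visited.
verify_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname intranet.corp "$1/leaf.pem" >/dev/null 2>&1
}

# A device without the Root CA (system store ignored here): the chain has no anchor.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Valid chain but the leaf does not cover the requested name: still a failure.
verify_wrong_host() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname other.corp "$1/leaf.pem" >/dev/null 2>&1
}
```

Run `build_chain ./trustlab-demo` and then the three verify functions against the same directory to see the trust anchor, not the cryptography, decide the outcome.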
---

## Why "Military Grade"?

TrustLab utilizes **OpenSSL**, the same cryptographic core used by the world's most security-sensitive networks. The key sizes, signature algorithm and TLS versions are identical to what a public CA issues; the only difference is which devices trust the Root CA.

| Feature | TrustLab (Private) | Public CA (Paid) |
| :--- | :--- | :--- |
| **Key Algorithm** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
| **Signature** | SHA-256 | SHA-256 |
| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
| **Global Trust** | No (manual install) | Yes (pre-installed) |
| **Internal IPs** | Supported | Forbidden |
| **Cost** | **Free** | $400+/month (Private CA) |

## Appropriate Use Cases

> **The Golden Rule:** Use **TrustLab** for anything the Public Internet CANNOT access. Use **Public CAs** for anything the Public Internet MUST access.

### Perfect For (Green Lane)

* **Internal Tools**: Admin panels, HR portals, dashboards.
* **Development**: Testing HTTPS on `localhost` or `dev.local`.
* **Databases**: Securing connections to MySQL/Postgres/Mongo.
* **S/MIME**: Encrypting email between internal employees.

### Do Not Use For (Red Lane)

* **Public E-Commerce**: Your customers' browsers will show a "Not Secure" warning.
* **Public Blogs/Websites**: Random visitors do not have your Root CA installed.

## The "Trust Split" Myth

There is **no conflict** between having TrustLab installed and visiting public websites.

* When you visit `google.com`, your browser uses the **Public Lane**.
* When you visit `intranet.corp`, your browser sees that the certificate chains to the TrustLab Root CA you installed and uses the **Private Lane**.

They coexist peacefully, providing comprehensive security for your entire digital life.