
PKI Fundamentals & Trust Context

Public Key Infrastructure (PKI) is the framework that allows secure communication over the internet. It relies on cryptographic keys and a chain of trust to verify identities.

Core Concepts

Understanding these two mechanisms is essential to understanding how TrustLab works.

1. Asymmetric Encryption

Secure communication relies on a pair of keys:

  • Public Key: Shared with everyone. Used to encrypt data for the key's owner and to verify the owner's signatures.
  • Private Key: Kept secret. Used to decrypt that data and to sign digital assets (a CA's signature on a certificate is exactly this operation).
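As an added worked example (this is not code from TrustLab, but a stand-alone Go program using only the standard library), the following runs both halves of the mechanism end to end: an RSA-2048 key pair, OAEP encryption that only the matching private key can undo, and a PSS signature that anyone holding the public key can check. The names alice and bob and the sample messages are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair is the pair described above: the private half never leaves its
// owner, the public half is handed out freely.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates RSA-2048, the smaller of the two key sizes this guide lists.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Encrypt needs only the recipient's PUBLIC key (RSA-OAEP with SHA-256):
// anyone can produce a ciphertext, only the private key holder can read it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt needs the PRIVATE key; any other key yields an error, not garbage.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign hashes msg with SHA-256 and signs the digest with the PRIVATE key
// (RSA-PSS). This is the operation a CA performs over a certificate body.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifySignature checks sig over msg with the signer's PUBLIC key. Any change
// to msg or sig, or a different signer, makes it return false.
func VerifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	bob, err := NewKeyPair()
	if err != nil {
		panic(err)
	}

	// Bob encrypts for Alice with her public key; only Alice's private key opens it.
	ct, _ := Encrypt(alice.Public, []byte("constructed sample message"))
	pt, _ := Decrypt(alice.Private, ct)
	fmt.Printf("alice decrypts: %q\n", pt)
	_, err = Decrypt(bob.Private, ct)
	fmt.Println("bob's key fails to decrypt:", err != nil)

	// Alice signs; anyone with her public key can verify, and tampering is caught.
	body := []byte("certificate body (constructed sample)")
	sig, _ := Sign(alice.Private, body)
	tampered := append([]byte(nil), body...)
	tampered[0] ^= 0x01
	fmt.Println("genuine:", VerifySignature(alice.Public, body, sig))
	fmt.Println("tampered:", VerifySignature(alice.Public, tampered, sig))
	fmt.Println("wrong signer:", VerifySignature(bob.Public, body, sig))
}
```

The two key roles never swap: encryption and signature verification use the public key, decryption and signing use the private one. Run it with `go run .` and note that decrypting with the wrong key is a clean error rather than silently wrong output.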

2. The Chain of Trust

A certificate is only trusted if it is signed by a known authority. This forms a chain:

  • Root CA: The trusted anchor. It signs itself. You must install this on your device to trust the chain.
  • Intermediate CA: Signed by the Root CA. Used to sign day-to-day certificates so the Root CA's private key can stay offline and out of reach.
  • Leaf Certificate: The final (end-entity) certificate installed on your web server or email client.

The Two Lanes of Trust

The internet security model is built on two distinct "lanes". Mixing them up causes browser errors, but using them correctly provides Military-Grade Security.

Public PKI

  • Issuer: Let's Encrypt, DigiCert, Google Trust Services.
  • Trust Model: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
  • Limitation: Cannot issue certificates for Private IPs (192.168.x.x) or Internal Domains (.local, .lan).

Private PKI (TrustLab)

  • Issuer: TrustLab Root CA (Your Organization).
  • Trust Model: Trusted ONLY by devices that have explicitly installed your Root CA.
  • Superpower: Can secure ANYTHING internal (Localhost, Database Servers, IoT).
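The following added example (a stand-alone Go program, not TrustLab's own code) ties the Chain of Trust section to the private lane's trust model. It builds the three tiers with the standard library (a self-signed root, an intermediate signed by the root, a leaf for an internal name and a private IP), then verifies the leaf against a device trust store with and without the root installed, and finally against a store holding a second, unrelated root. The values TrustLab Root CA, intranet.corp and 192.168.1.10 are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Chain is the three tiers described above: a Root CA that signs itself, an
// Intermediate CA signed by the root, and the Leaf a server presents.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// must panics on error; acceptable here because every input is under our control.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for the holder of subjectKey with signerKey. A nil parent
// means the certificate signs itself, which is exactly what a Root CA does.
func issue(tmpl, parent *x509.Certificate, subjectKey, signerKey *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, signerKey))
	return must(x509.ParseCertificate(der))
}

// caTemplate is the shape shared by root and intermediate: a CA whose key may sign certificates.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPrivateChain does what a private CA does for an internal host. The leaf
// names an internal domain and a private IP (constructed sample values), which
// is precisely what the public lane cannot issue for.
func BuildPrivateChain(rootCN string) *Chain {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	intKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	root := issue(caTemplate(rootCN, 1), nil, rootKey, rootKey)
	inter := issue(caTemplate(rootCN+" Intermediate", 2), root, intKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "intranet.corp"},
		DNSNames:     []string{"intranet.corp"},
		IPAddresses:  []net.IP{net.ParseIP("192.168.1.10")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, leafKey, intKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify plays the role of a device's trust store: installedRoots is the set of
// Root CAs the device has installed. It returns nil only when the leaf chains
// through its intermediate to one of those roots and is valid for host.
func Verify(c *Chain, installedRoots []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // empty, not nil: a nil pool would fall back to the OS store
	for _, r := range installedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	corp := BuildPrivateChain("TrustLab Root CA")
	other := BuildPrivateChain("Unrelated Root CA") // an independent second lane
	// A device that never installed the root: well-formed chain, but untrusted.
	fmt.Println("no root installed:", Verify(corp, nil, "intranet.corp"))
	// A device with the root installed: trusted, including for the private IP.
	fmt.Println("root installed:", Verify(corp, []*x509.Certificate{corp.Root}, "192.168.1.10"))
	// Two roots in one store coexist; a leaf is trusted only via the root that signed it.
	fmt.Println("both roots:", Verify(corp, []*x509.Certificate{corp.Root, other.Root}, "intranet.corp"))
	fmt.Println("wrong root only:", Verify(corp, []*x509.Certificate{other.Root}, "intranet.corp"))
}
```

The first call fails with an unknown-authority error even though every signature in the chain is valid: trust comes from the root being installed, not from the cryptography alone. Verify builds an explicit, initially empty pool rather than passing nil, because Go, like a browser, falls back to the operating system's trust store when no roots are given; that fallback is the "Manual Install" row of the comparison table in practice.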

Why "Military Grade"?

TrustLab utilizes OpenSSL, the same cryptographic core used by the world's highly secure networks.

Feature        | TrustLab (Private)   | Public CA (Paid)
Encryption     | RSA-2048 / RSA-4096  | RSA-2048 / RSA-4096
Signature      | SHA-256              | SHA-256
Protocol       | TLS 1.2 / 1.3        | TLS 1.2 / 1.3
Global Trust   | Manual install       | Pre-installed
Internal IPs   | Supported            | Forbidden
Cost           | Free                 | $400+/month (Private CA)

Appropriate Use Cases

The Golden Rule: Use TrustLab for anything the Public Internet CANNOT access. Use Public CAs for anything the Public Internet MUST access.

Perfect For (Green Lane)

  • Internal Tools: Admin Panels, HR Portals, Dashboards.
  • Development: Testing HTTPS on localhost or dev.local.
  • Databases: Securing connections to MySQL/Postgres/Mongo.
  • S/MIME: Encrypting email between internal employees.

Do Not Use For (Red Lane)

  • Public E-Commerce: Your customers' browsers will show a "Not Secure" warning.
  • Public Blogs/Websites: Random visitors do not have your Root CA installed.

The "Trust Split" Myth

There is no conflict between having TrustLab installed and visiting public websites.

  • When you visit google.com, your browser uses the Public Lane.
  • When you visit intranet.corp, your browser sees a certificate that chains to your installed TrustLab Root CA and uses the Private Lane.

They coexist peacefully, providing comprehensive security for your entire digital life.