Public Key Infrastructure

The general approach to handling keys using trusted entities and digital certificates has been formalized into a strategy called the public key infrastructure (PKI). PKI is the collection of hardware, software, policies, and procedures needed to manage digital certificates. The PKI process starts with a list of trusted entities and their public keys. A trusted entity is generally a certificate authority (CA) or a defined trusted source. Each computer system contains a list of public keys of trusted entities. A document that is encrypted with a trusted entity’s private key can be decrypted with the same entity’s public key.

When setting up a connection, you would first obtain a security certificate from a trusted entity. The formal PKI process would require you to request a certificate for the connection’s target, or other end, from the PKI registration authority (RA). The RA authenticates you and directs the CA to issue the certificate. You would decrypt the certificate using the CA’s public key. The certificate contains the public key for the target. Once the target’s public key is obtained, you can use it to encrypt messages that only the target can decrypt with its private key.
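The flow described above (a local list of trusted CAs, a CA-signed certificate for the target, then encryption to the target's public key), as an added Go example that is not part of the original text. Here "decrypting the certificate with the CA's public key" takes the form of verifying the CA's signature on it. The helper names `issue`, `Seal` and `Demo`, the host names, the in-process CA that also generates the target's key pair, and RSA-OAEP as the encryption step are assumptions made for the illustration.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair for name and a certificate signed by issuerKey; a nil issuer yields a self-signed CA.
func issue(name string, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if issuer == nil { // self-signed: the certificate is its own issuer
		t.IsCA, t.BasicConstraintsValid, issuer, issuerKey = true, true, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Seal encrypts msg to cert's public key only after cert verifies against the trusted CAs and names host.
func Seal(trusted *x509.CertPool, cert *x509.Certificate, host string, msg []byte) ([]byte, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host}); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil) // RSA keys only here
}

// Demo returns the decrypted text, the error for the CA-issued certificate and the error for the self-signed one.
func Demo() (string, error, error) {
	ca, caKey := issue("root-ca.example", nil, nil) // constructed names throughout
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the local list of trusted entities holds only this CA
	good, targetKey := issue("target.example", ca, caKey)
	bad, _ := issue("target.example", nil, nil) // claims the same name, but no trusted CA signed it
	_, badErr := Seal(trusted, bad, "target.example", []byte("hello target"))
	ct, goodErr := Seal(trusted, good, "target.example", []byte("hello target"))
	pt, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, targetKey, ct, nil) // only the target's private key opens it
	return string(pt), goodErr, badErr
}

func main() { fmt.Println(Demo()) }
```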
