Public and Private Keys
Within PKI, two digital keys are created: the public key and the private key. These keys are mathematically linked in such a way that data encrypted with one key can only be decrypted by the other, and vice versa.
The public key can (and should) be distributed to other communicating parties. In contrast, the private key is just that: private to the owner and not meant to be distributed to anyone. It is often encrypted by a passphrase.
As an example, if a user named Bob distributes his public key, user Alice could use it to encrypt a message and send it to him. Only Bob is able to decrypt and read the message because only he has his private key.
In this scenario, Alice still has to verify that the key that is supposedly from Bob is really from him. Suppose a malicious user posing as Bob sent Alice his own public key. The malicious user would then be able to decrypt Alice’s message, which might have been intended for Bob only.
To verify that it’s really Bob who is sending Alice his public key, a trusted third party can verify the authenticity of Bob’s public key. In SSL parlance, this trusted third party is known as a certificate authority. The CA signs Bob’s public key with its private key, creating a certificate. Now, anyone can verify the certificate’s authenticity using the CA’s public key.