PKI (Public Key Infrastructure): Trust Issues Solved by Math (Not Therapy)
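When working with SSH, TLS, Kubernetes and similar systems, people are often confused about which public/private key pair serves which purpose. This article explains the use cases for the different cryptographic tools and formats and the reasons behind them, and shows how to tell these keys apart and use them correctly. 2025-7-13 05:57:4 Author: infosecwriteups.com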

Jehad Nasser

If you’ve ever opened your ~/.ssh or ~/k8s-certs folder and thought, “Wait, which key is this for again?”, you’re not alone.

We all generate public/private key pairs: for SSH, for TLS, for Kubernetes, for APIs. Somehow they all end up looking the same.
.key, .crt, .pem, .pub, .csr… it’s like cryptographic alphabet soup.

The problem isn’t the math — it’s the use cases.

When should you use SSH keys?
When do you need a TLS certificate?
When does a Certificate Authority (CA) need to sign anything?
And why do some keys work fine without ever talking to a CA?

This article won’t just tell you what PKI (Public Key Infrastructure) is; it will tell you when to use what, why the tools and formats are different, and how to stop treating all crypto keys like they’re the same person in different hoodies.

Let’s go.

First, a public/private key pair is just math.


Source: https://infosecwriteups.com/pki-public-key-infrastructure-trust-issues-solved-by-math-not-therapy-c536b7c2cc24?source=rss----7b722bfd1b8d---4