About This Architecture
A four-layer digital identity issuance system, backed by a PKI, provisions password-protected certificates to citizens. Users submit enrollment requests through a web portal, which validates them against a SQL Server Civil Registry. The system then generates a key pair and a Certificate Signing Request (CSR) and sends the CSR to a Standalone Root CA. The Root CA issues a signed certificate, which the system combines with the private key into a password-protected PFX file that is delivered securely to the citizen. This architecture demonstrates best practices for certificate lifecycle management, separation of PKI duties across layers, and secure credential delivery in government or enterprise identity programs. Fork this diagram on Diagrams.so to customize enrollment workflows, add HSM integration for Root CA key protection, or model certificate revocation processes.
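The issuance flow described above (key pair and CSR, CA signature, password-protected PFX) can be walked through with the OpenSSL command line. This is an added example, not part of the original diagram or of any project's code; a throwaway self-signed root stands in for the Standalone Root CA, and the function names, file names, subjects and password are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, file names, subjects and password are constructed.

# issue_pfx DIR COMMON_NAME PASSWORD: writes DIR/ca.crt and DIR/citizen.pfx
issue_pfx() (
    d=$1 cn=$2
    umask 077    # key material is never group- or world-readable
    # Stand-in for the Standalone Root CA: a throwaway self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    # Issuance layer: key pair and CSR for the already-validated citizen.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -keyout "$d/citizen.key" -out "$d/citizen.csr" 2>/dev/null &&
    # CA signs the CSR; x509 -req rejects a CSR whose self-signature is bad.
    openssl x509 -req -sha256 -days 7 -in "$d/citizen.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/citizen.crt" 2>/dev/null &&
    # Bundle key + cert + issuer. The password travels in the environment, not
    # argv, and AES-256/SHA-256 is requested explicitly (older builds default weaker).
    PFX_PASS=$3 openssl pkcs12 -export -name "$cn" \
        -inkey "$d/citizen.key" -in "$d/citizen.crt" -certfile "$d/ca.crt" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout env:PFX_PASS -out "$d/citizen.pfx" &&
    # After this, the PFX holds the only copy of the citizen's private key.
    rm -f "$d/citizen.key" "$d/citizen.csr"
)

# pfx_opens_with PFX PASSWORD: true only if PASSWORD passes the PFX integrity check
pfx_opens_with() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null
}

# pfx_chains_to PFX PASSWORD CA_CERT: true if the bundled citizen cert verifies
pfx_chains_to() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        2>/dev/null | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# Demo run with constructed values, in a temporary directory that is removed after.
demo_dir=$(mktemp -d) &&
    issue_pfx "$demo_dir" "Constructed Citizen 0001" "constructed-Pass-0001" &&
    pfx_chains_to "$demo_dir/citizen.pfx" "constructed-Pass-0001" "$demo_dir/ca.crt" &&
    echo "PFX issued; bundled certificate chains to the stand-in root"
rm -rf "$demo_dir"
```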