A mobile ad hoc network (MANET) is a collection of wireless mobile nodes that cooperate without the aid of any established infrastructure or centralized administration. Conventional security solutions that provide key management through trusted authorities or centralized servers are infeasible in this environment, because mobile ad hoc networks are characterized by the absence of any infrastructure, frequent mobility, and wireless links. In this paper, we propose an on-demand, fully localized, hop-by-hop public key management scheme for MANETs. In this scheme, nodes generate their own public/private key pairs, issue certificates to neighboring nodes, hold these certificates in their certificate repositories, and provide an authentication service that adapts quickly to the dynamic topology of the network without relying on any servers. The scheme can be performed successfully as long as there is a physical communication line between two nodes, and it is well suited to the on-demand routing of MANETs.
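The following sketch illustrates the idea summarized above; it is an example added here, not code from the paper. The abstract does not specify message formats or algorithms, so the `Node` and `Cert` types, the signed byte layout, the use of Ed25519, storing each certificate in the issuer's repository, and verifying each hop with the key authenticated at the previous hop are all assumptions.

```go
package main

import "crypto/ed25519"
import "fmt"
// Cert is an issuer's signature over (issuer, subject, subject key); assumed layout.
type Cert struct {
	SubjectKey ed25519.PublicKey
	Sig        []byte
}
// Node owns a self-generated key pair and a repository of certificates it issued.
type Node struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Repo map[string]Cert // keyed by subject name
}

func NewNode(name string) *Node {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &Node{name, pub, priv, map[string]Cert{}}
}

func tbs(issuer, subject string, key ed25519.PublicKey) []byte { // bytes that get signed
	return append([]byte(issuer+"\x00"+subject+"\x00"), key...)
}
// Issue certifies a one-hop neighbor's key and stores the certificate locally.
func (n *Node) Issue(nb *Node) {
	n.Repo[nb.Name] = Cert{nb.Pub, ed25519.Sign(n.priv, tbs(n.Name, nb.Name, nb.Pub))}
}
// AuthenticateRoute checks one certificate per hop, each with the key validated one hop earlier.
func AuthenticateRoute(route []*Node) (ed25519.PublicKey, error) {
	trusted := route[0].Pub // route must be non-empty; the source trusts only its own key
	for i := 0; i+1 < len(route); i++ {
		from, to := route[i].Name, route[i+1].Name
		c, ok := route[i].Repo[to]
		if !ok || !ed25519.Verify(trusted, tbs(from, to, c.SubjectKey), c.Sig) {
			return nil, fmt.Errorf("hop %s -> %s: missing or invalid certificate", from, to)
		}
		trusted = c.SubjectKey
	}
	return trusted, nil
}

func main() { // constructed three-node route A -> B -> C
	a, b, c := NewNode("A"), NewNode("B"), NewNode("C")
	a.Issue(b)
	b.Issue(c)
	key, err := AuthenticateRoute([]*Node{a, b, c})
	fmt.Println("C authenticated:", err == nil && key.Equal(c.Pub))
}
```

Authentication fails closed when any hop lacks a certificate or carries a key that the previous hop's issuer did not sign, so a substituted key anywhere along the route is rejected.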