3.9 Given a Scenarior, Implement Public Key Infrastructure Flashcards
Public key infrastructure (PKI)
A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.
Key management
Key management is the process of administering or managing cryptographic keys for a cryptosystem. It involves the generation, creation, protection, storage, exchange, replacement and use of said keys and with another type of security system built into large cryptosystems, enables selective restriction for certain keys.
Certificate Authority (CA)
A certificate authority (CA) issues, manages, validates, and revokes certificates. In some contexts, you might see a CA referred to as a certification authority, but they are the same thing. CAs can be large, such as Comodo, DigiCert, or Symantec, which are public CAs. A CA can also be small, such as a single service running on a server within a private network.
Intermediate CA
A CA that is signed by a superior CA (e.g., a Root CA or another Intermediate CA) and signs CAs (e.g., another Intermediate or Subordinate CA). The Intermediate CA exists in the middle of a trust chain between the Trust Anchor, or Root, and the subscriber certificate issuing Subordinate CAs.
Registration Authority(RA)
Users and systems request certificates from a CA using a registration process. In some cases, a user enters information manually into a web site form. In other cases, a user sends a specifically formatted file to the CA. Within a domain, the system handles much of the process automatically. As an example, imagine I wanted to purchase a certificate for GetCertifiedGetAhead.com for secure HTTPS sessions. I would first create a public and private key pair. Many programs are available to automate this process.
Certificate revocation list (CRL)
CAs use certificate revocation lists (CRLs) to revoke a certificate. The CRL is a version 2 certificate that includes a list of revoked certificates identified by their serial numbers.
Certificate’s attributes
Online certificate status protocol (OCSP)
OCSP allows the client to query the CA with the serial number of the certificate. The CA then responds with an answer of “good,” “revoked,” or “unknown.” A response of “unknown” could indicate the certificate is a forgery. Because OCSP provides a real-time response, it is an excellent example of supporting a common use case of low latency.
Certificate signing request (CSR)
A certificate signing request (CSR) is an encoded file containing information about your website, service, organization, and domain name. This information is used by a Certificate Authority (CA) to create an SSL/TLS certificate for your website to encrypt traffic to your site.
Common Name
CommonName (also known as the Fully Qualified Domain Name such as letsencrypt.org) • o: Organization (such as the Internet Security Research Group) • L: Locality (such as Mountain View) • S: StateOrProvinceName (such as CA) • C: CountryName (such as US)
Subject alternative name
A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization. For example, Google uses SANs of *.google.com, *.android.com, *.cloud.google.com, and more. It is often used for systems with the same base domain names, but different top-level domains. For example, if Google used names such as google.com and google.net, it could use a single SAN certificate for both domain names.
Expiration
The first check is to ensure that it isn’t expired. If the certificate is expired, the computer system typically gives the user an error indicating the certificate is not valid.
Wildcard
A wildcard certificate starts with an asterisk (*) and can be used for multiple domains if each domain name has the same root domain. For example, Google uses a wildcard certificate issued to *.google.com. This same certificate can be used for other Google domains, such as accounts.google.com and support.google.com. Wildcard certificates can reduce the administrative burden associated with managing multiple certificates.
Code signing
Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified. As an example, a PowerShell script can use a code signing certificate to prove the script hasn’t been modified before it is run.
Self-signed
A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates. They aren’t trusted by default. However, administrators can use automated means to place copies of the self-signed certificate into the trusted root CA store for enterprise computers. Self-signed certificates from private CAs eliminate the cost of purchasing certificates from public CAs.
Machine/computer
Certificates issued to a device or a computer are commonly called machine certificates or computer certificates. The certificate is typically used to identify the computer within a domain.
Email.
Email certificates are used for encryption of emails and digital signatures,
User.
Certificates can also be issued to users. They can be used for encryption, authentication, smart cards, and more. For example, Microsoft systems can create user certificates allowing the user to encrypt data using Encrypting File System (EFS).
Root.
The root certificate is the certificate issued by the root CA.
Domain validation.
A domain-validated certificate indicates that the certificate requestor has some control over a DNS domain. The CA takes extra steps to contact the requestor such as by email or telephone. The intent is to provide additional evidence to clients that the certificate and the organization are trustworthy.
Extended validation.
Extended validation (EV) certificates use additional steps beyond domain validation. Some browsers display the name of the company before the URL when an extended validation certificate is used. Usage of EV certificates is on the decline. Most web browsers stopped including the name in the URL. Part of the reason is that the absence of the company name doesn’t mean anything to many users. Think of the user who clicks on a phishing email. He probably doesn’t know to look for a company name in the URL, so its absence doesn’t alarm him.
Certificate formats
Most certificates use one of the X.509 v3 formats. The primary exception is certificates used to distribute certificate revocation lists that use the X.509 v2 format.
Distinguished Encoding Rules (DER).
CER and DER formats are defined by the International Telegraph Union Telecommunication Standardization Sector (ITU-T) in the X.690 standard. They use a variant of the Abstract Syntax Notation One (ASN.1) format, which defines data structures commonly used in cryptography. CER is an ASCII format and DER is a binary format.
Privacy enhanced mail (PEM)
The Privacy Enhanced Mail (PEM) certificate name implies that PEM-based certificates are used for email only, but that is misleading. PEM-based certificates can be used for just about anything.
