3.9 Given a Scenarior, Implement Public Key Infrastructure Flashcards
Public key infrastructure (PKI)
A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.
Key management
Key management is the process of administering or managing cryptographic keys for a cryptosystem. It involves the generation, creation, protection, storage, exchange, replacement and use of said keys and with another type of security system built into large cryptosystems, enables selective restriction for certain keys.
Certificate Authority (CA)
A certificate authority (CA) issues, manages, validates, and revokes certificates. In some contexts, you might see a CA referred to as a certification authority, but they are the same thing. CAs can be large, such as Comodo, DigiCert, or Symantec, which are public CAs. A CA can also be small, such as a single service running on a server within a private network.
Intermediate CA
A CA that is signed by a superior CA (e.g., a Root CA or another Intermediate CA) and signs CAs (e.g., another Intermediate or Subordinate CA). The Intermediate CA exists in the middle of a trust chain between the Trust Anchor, or Root, and the subscriber certificate issuing Subordinate CAs.
Registration Authority(RA)
Users and systems request certificates from a CA using a registration process. In some cases, a user enters information manually into a web site form. In other cases, a user sends a specifically formatted file to the CA. Within a domain, the system handles much of the process automatically. As an example, imagine I wanted to purchase a certificate for GetCertifiedGetAhead.com for secure HTTPS sessions. I would first create a public and private key pair. Many programs are available to automate this process.
Certificate revocation list (CRL)
CAs use certificate revocation lists (CRLs) to revoke a certificate. The CRL is a version 2 certificate that includes a list of revoked certificates identified by their serial numbers.
Certificate’s attributes
Online certificate status protocol (OCSP)
OCSP allows the client to query the CA with the serial number of the certificate. The CA then responds with an answer of “good,” “revoked,” or “unknown.” A response of “unknown” could indicate the certificate is a forgery. Because OCSP provides a real-time response, it is an excellent example of supporting a common use case of low latency.
Certificate signing request (CSR)
A certificate signing request (CSR) is an encoded file containing information about your website, service, organization, and domain name. This information is used by a Certificate Authority (CA) to create an SSL/TLS certificate for your website to encrypt traffic to your site.
Common Name
CommonName (also known as the Fully Qualified Domain Name such as letsencrypt.org) • o: Organization (such as the Internet Security Research Group) • L: Locality (such as Mountain View) • S: StateOrProvinceName (such as CA) • C: CountryName (such as US)
Subject alternative name
A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization. For example, Google uses SANs of *.google.com, *.android.com, *.cloud.google.com, and more. It is often used for systems with the same base domain names, but different top-level domains. For example, if Google used names such as google.com and google.net, it could use a single SAN certificate for both domain names.
Expiration
The first check is to ensure that it isn’t expired. If the certificate is expired, the computer system typically gives the user an error indicating the certificate is not valid.
Wildcard
A wildcard certificate starts with an asterisk (*) and can be used for multiple domains if each domain name has the same root domain. For example, Google uses a wildcard certificate issued to *.google.com. This same certificate can be used for other Google domains, such as accounts.google.com and support.google.com. Wildcard certificates can reduce the administrative burden associated with managing multiple certificates.
Code signing
Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified. As an example, a PowerShell script can use a code signing certificate to prove the script hasn’t been modified before it is run.
Self-signed
A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates. They aren’t trusted by default. However, administrators can use automated means to place copies of the self-signed certificate into the trusted root CA store for enterprise computers. Self-signed certificates from private CAs eliminate the cost of purchasing certificates from public CAs.