3.9 Public Key Infrastructure PKI Flashcards
Define CA (3)
- Certificate Authority
- Verifies information and signs certificates
- Provides verification and validation of certificates
Define Intermediate CA (2)
- A CA with a subset of certificates under a CA
- Limits the scope of CA compromise to only the subset of certificates it contains
Define Registration Authority (RA)
- Decides if Certificate Signature Requests CSRs should be granted after verifying and validating the requestor
Define Certificate Revocation List (CRL) (2)
- A list of certificates that have been revoked and are not valid
- Certificates may be revoked due to compromise or valid changes/updates
Define Online Certificate Status Protocol (OSCP)
Used to expedite the process of validating a certificate, instead of downloading CRL(s) which can be huge
Define Certificate Signing Request (CSR)
Final step of creating a valid certificate where the public key is sent to CA/RA to be validated or “signed”
Define Common Name (CN) relative to certificates
The fully qualified domain name(s) for which the certificate is valid
Define Subject Alternative Name (SAN)
Alternate domain names for which the certificate is valid
Define distinguished encoding rules (DER) format for certificates (2)
- Binary format, typically used with Java
- Cannot be transferred via email, unless encoded with base64 which translates it to ASCII text, for example
Define P12 certificate format (2)
- Container format capable of storing multiple certificates, useful for transferring both public and private keys
- Container access can be password protected, allowing secure transfer, especially good for private key transfer
Define PFX certificate format (2)
- Microsoft’s implementation, nearly exactly like P12
- Used to store private keys
Define PEM certificate format (2)
- Plain ASCII representation of certificate
- Not secure for transferring private keys
Define CER certificate format (2)
- Used by Windows OS to store public certificates
- Supports DER and PEM format
Define P7B certificate format (3)
- ASCII text file that can be transferred via email
- Not secure for transferring private keys
- Widely supported by multiple OS
Define aspects of online CA (2)
- Best practice is to have intermediate CA with a subset of certificates online in the organization to sign certificates
- If compromised, only the subset of certificates on it need to be re-issued
Define aspects of offline CA (2)
- Best practice is keep the root CA offline (not network attached) to prevent it from being compromised
- If online, intermediate CA is compromised, certificates for a replacement CA can be generated from the root CA
Define stapling relative to certificates (2)
- Uses OSCP to eliminate need to check with CA to see if the certificate is revoked
- Status information for that certificate is digitally signed and stored on the local server and “stapled” to it
Define certificate pinning (2)
- A copy of a certificate is included “pinned” in the source code of an application, such as web browser
- When application connects to a server, it compares the copy of certificate provided by server to its pinned copy to ensure integrity
Define Web of Trust relative to certificates (2)
- If a certificate comes from an untrusted source, but is signed by a trusted source, you can trust it
- PGP uses this
Define trust escrow relative to certificates
A third-party is trusted with decryption keys
Define certificate chaining (2)
- Validation of a certificate across multiple intermediate CAs before finally reaching a root CA
- Requires that server must trust all CAs in the chain
