6.4 Implement public key infrastructure

Question 1

CA

Answer 1

(certificate authority) A server that can issue digital certificates and the associated public/private key pairs.

Question 2

Intermediate CA

Answer 2

The intermediate CAs get certified from the root, then the intermediate CAs issue certificates to subjects (leafs or end entities)

Question 3

CRL

Answer 3

(certificate revocation list) A list of certificates that were revoked before their expiration date.

Question 4

OCSP

Answer 4

(Online Certificate Status Protocol) A means of checking a certificate’s status.

Question 5

CSR

Answer 5

(Certificate Signing Request) A Base64 ASCII file that a subject sends to a CA to get a certificate.

Question 6

Public Key

Answer 6

The component of asymmetric encryption that can be accessed by anyone.

Question 7

Private Key

Answer 7

In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely.

Question 8

Online vs. offline CA

Answer 8

An online CA is one that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks. Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA.

Question 9

OCSP Stapling

Answer 9

Uses SSL/TLS to periodically obtain a time-stamped OCSP response from the CA.

Question 10

Certificate Pinning

Answer 10

Refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate.

Question 11

Trust Model

Answer 11

A trust model shows how users and different CAs are able to trust one another.

Question 12

Key escrow

Answer 12

Refers to archiving a key (or keys) with a third party. This is a useful solution for organizations that don’t have the capability to store keys securely themselves

Question 13

Certificate Chaining

Answer 13

A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.

Question 14

SAN

Answer 14

(Storage Area Network) A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.

Question 15

Code signing certificate

Answer 15

Issued to a software publisher, following some sort of identity check and validation process by the CA

Question 16

Self-signed certificates

Answer 16

Any machine, web server, or program code can be deployed with a self-signed certificate. Self-signed certificates will be marked as untrusted by the operating system or browser, but an administrative user can choose to override this.

Question 17

Machine/computer certificates

Answer 17

It might be necessary to issue certificates to machines (servers, PCs, smartphones, and tablets), regardless of function.

Question 18

Email certificates

Answer 18

An email certificate can be used to sign and encrypt email messages, typically using S/MIME or PGP.

Question 19

Root

Answer 19

The one that identifies the CA itself. The root certificate is self-signed.

Question 20

Domain validation

Answer 20

Proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.

Question 21

Extended validation

Answer 21

Subjecting to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed.

Question 22

Certificate formats

Answer 22

All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate

Question 23

Certificate

Answer 23

An X.509 digital certificate is issued by a certificate authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.