6.4 Implement public key infrastructure Flashcards
CA
(certificate authority) A server that can issue digital certificates and the associated public/private key pairs.
Intermediate CA
The intermediate CAs get certified from the root, then the intermediate CAs issue certificates to subjects (leafs or end entities)
CRL
(certificate revocation list) A list of certificates that were revoked before their expiration date.
OCSP
(Online Certificate Status Protocol) A means of checking a certificate’s status.
CSR
(Certificate Signing Request) A Base64 ASCII file that a subject sends to a CA to get a certificate.
Public Key
The component of asymmetric encryption that can be accessed by anyone.
Private Key
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely.
Online vs. offline CA
An online CA is one that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks. Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA.
OCSP Stapling
Uses SSL/TLS to periodically obtain a time-stamped OCSP response from the CA.
Certificate Pinning
Refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate.
Trust Model
A trust model shows how users and different CAs are able to trust one another.
Key escrow
Refers to archiving a key (or keys) with a third party. This is a useful solution for organizations that don’t have the capability to store keys securely themselves
Certificate Chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
SAN
(Storage Area Network) A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.
Code signing certificate
Issued to a software publisher, following some sort of identity check and validation process by the CA
Self-signed certificates
Any machine, web server, or program code can be deployed with a self-signed certificate. Self-signed certificates will be marked as untrusted by the operating system or browser, but an administrative user can choose to override this.
Machine/computer certificates
It might be necessary to issue certificates to machines (servers, PCs, smartphones, and tablets), regardless of function.
Email certificates
An email certificate can be used to sign and encrypt email messages, typically using S/MIME or PGP.
Root
The one that identifies the CA itself. The root certificate is self-signed.
Domain validation
Proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.
Extended validation
Subjecting to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed.
Certificate formats
All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate
Certificate
An X.509 digital certificate is issued by a certificate authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.
