Certificates Flashcards
Security+
What is a public key certificate?
Binds a public key with a digital signature and details about the key holder.
What adds trust in a digital signature?
Certificate Authorities (CAs) and the Web of Trust provide additional trust.
Where can certificate creation be built in?
It is part of Windows Domain Services and is also available through many third-party options.
What standard format do digital certificates use?
X.509
Name three details found in a digital certificate.
Serial number, issuer, public key.
What is the root of trust?
An inherently trusted component in IT security, such as hardware or software.
How can trust be built from something unknown?
Through approval from someone/something trustworthy.
What is the role of a Certificate Authority (CA)?
It digitally signs website certificates, establishing trust.
How are third-party CAs integrated?
They are built into web browsers to validate and trust websites.
What is a Certificate Signing Request (CSR)?
A request sent to a CA that includes a public key for signing after creating a key pair.
How does a CA validate a CSR?
By confirming ownership of the DNS records, email addresses, and website.
What defines a private certificate authority?
An in-house CA that issues certificates for internal use within an organization.
What is a self-signed certificate?
A certificate signed by its own CA, used internally within a company.
What is a wildcard certificate?
A certificate that applies to all server names in a domain, using a wildcard (e.g., *.example.com).
What is a Subject Alternative Name (SAN)?
An extension to an X.509 certificate that lists additional identification information.
What is a Certificate Revocation List (CRL)?
A list maintained by a CA that contains revoked certificates for various reasons.
What was CVE-2014-0160?
The Heartbleed vulnerability that exposed private keys of affected web servers.
What happens when a certificate is revoked?
It is listed in the CRL, indicating it should no longer be trusted.
What can trigger key revocation?
Changes in security status, such as compromised private keys or expired certificates.
What does OCSP stand for?
Online Certificate Status Protocol
What is the primary purpose of OCSP?
To provide a scalable method for checking the status of certificates.
Who is responsible for responding to client OCSP requests?
The Certificate Authority (CA) is responsible for responding to all client OCSP requests.
What is a potential issue with the CA responding to OCSP requests?
It may not scale well with a large number of requests.
How does the certificate holder contribute to OCSP?
The certificate holder verifies their own status, with status information stored on their server.
What is “OCSP stapling”?
OCSP status information is stapled into the SSL/TLS handshake, digitally signed by the CA.
How does a browser retrieve certificate revocation details?
The browser sends messages to an OCSP responder via HTTP to check for certificate revocation.
Why is OCSP preferred over CRLs for revocation checks?
OCSP is more efficient than downloading a Certificate Revocation List (CRL).
Do all browsers support OCSP?
No, not all browsers or applications support OCSP; early versions of Internet Explorer did not support it.
What is a limitation of some browsers regarding OCSP?
Some browsers may support OCSP but do not actually check for certificate revocation.