Ch13 - 13.01 - Introduction to Public Key Infrastructure

Question 1

Review Ch12 - Key Points

Answer 1

As you also learned in the previous chapter, the recipient’s public key is used to encrypt a message, while the sender’s private key is used to digitally sign the message and prove who the sender of the message is (known as nonrepudiation).

Question 2

Certificates

Answer 2

A certificate is an electronic file that is used to store the public key (and sometimes the private key) and associates the public key with an entity such as a person or company. For example, if you are hosting a web site and wish to secure the communication, you need to configure the web server with a public key. You obtain a certificate (which contains the public key) and assign it to the web server in order to encrypt the communication.

Question 3

Certificates - Subject Attribute

Answer 3

Take special notice that the Subject attribute is set to www.certworld.loc. This is sometimes referred to as the common name of the certificate, and it should match the URL that users access for the application that uses the certificate

Question 4

Certificate Types

Answer 4

1. Wildcard
2. Subject Alternative Name (SAN)
3. Code Signing
4. Self-signed
5. Machine/computer
6. E-mail
7. User
8. Root
9. Domain Validation
10. Extended Validation

Question 5

Certificate Types - Wildcard

Answer 5

Certificates are assigned a common name when created,
and the common name matches the URL of the site or entity using the certificate. A wildcard certificate is a special certificate that can be applied to many URLs within the domain. For example, I could have a wildcard certificate of *.gleneclarke.com and it could be used on
servers such as:
www.gleneclarke.com,
mail.gleneclarke.com, and
login.gleneclarke.com.

Question 6

Certificate Types - Subject Alternative Name (SAN)

Answer 6

A subject alternative name (SAN) certificate is a certificate that can have multiple common names associated with the certificate. This is useful when the server runs multiple services and therefore will use multiple names. For example, I could have a SAN certificate for my Exchange server that holds the names mail.gleneclarke.com and autodiscover.gleneclarke.com. Without the use of a SAN certificate, I would need to purchase multiple single common name certificates.

Question 7

Certificate Types - Code Signing

Answer 7

A code-signing certificate would be used to digitally
sign application code that you create. When you sign the application code, you are digitally stamping the code to indicate where the code came from. Digitally signing the code also includes in the signature a message digest that is used to detect if someone alters the code.

Question 8

Certificate Types - Self-signed

Answer 8

A self-signed certificate is used by the root CA. Each
entity within the PKI needs a certificate. The root CA creates its own certificate (which is why it is called self-signed), while all other systems and users will obtain a certificate from the CA.

Question 9

Certificate Types - Machine/computer

Answer 9

A company may want to encrypt the communication between computers on the network. For example, a company may want to encrypt communication between its servers. In order to do this, each computer needs a machine (aka computer) certificate applied to it.

Question 10

Certificate Types - E-mail

Answer 10

An e-mail certificate is used to encrypt e-mail messages with the S/MIME protocol. The e-mail client software would need to be configured to use the certificate so that the e-mail messages are encrypted.

Question 11

Certificate Types - User

Answer 11

Just as a machine certificate is used by the computer, a user certificate is used by the user of the system to encrypt different types of information. For example, a user certificate can be used to encrypt data on disk with Microsoft’s Encrypting File System (EFS).

Question 12

Certificate Types - Root

Answer 12

When a PKI is created, the first certificate authority installed is known as the root CA. The root CA has a self-signed certificate that it uses to digitally sign every other certificate the CA creates. The certificate used by the root CA is known as the root certificate.

Question 13

Certificate Types - Domain Validation

Answer 13

A domain validation certificate, also known as a domain-validated certificate, is a certificate used for SSL/TLS where the request for the certificate is validated against the registered domain information. As part of the validation process, when you (as the administrator) request the certificate from the CA, the CA sends an email message to the administrator e-mail address associated with the domain. By replying to the e-mail from the CA, you prove you are the administrator of the domain and can receive the certificate.

Question 14

Certificate Types - Extended Validation

Answer 14

An extended validation certificate builds off the domain validation certificate by not only verifying the domain but also checking the organization information filled in with the certificate request (this part of the validation is actually called organization validation). The extended validation does all that, plus it also validates that the organization is a legal entity.

Question 15

Certificate Formats

Answer 15

1. DER/CER (.der, .cer)
2. PEM (.pem, .crt, .cer, .key)
3. PFX/P12 (.pfx, .p12)
4. P7B (.p7b, .p7c)

Also note that if exporting a certificate to include a private key, you use a .pfx file, but if you are exporting just the public key, you can use a .cer file.

Question 16

DER/CER

Distinguished Encoding Rules (DER) and Canonical Encoding Rules (CER)

Answer 16

Distinguished Encoding Rules (DER) and Canonical Encoding Rules (CER) are binary file formats used to store information in the certificate file. DER-formatted files can have a .der or a .cer file extension.

Question 17

PEM

Privacy-enhanced Electronic Mail (PEM)

Answer 17

PEM Privacy-enhanced Electronic Mail (PEM) is an ASCII file format that can have a file extension of .pem, .crt, .cer, or .key. PEM files are very common and start with
–—BEGIN CERTIFICATE–—

and end with

–—END CERTIFICATE–—.

Question 18

PFX/P12

Microsoft Environment - Personal Information Exchange (PFX)

Answer 18

PFX/P12 The Personal Information Exchange (PFX) format, also known as the P12 or PKCS#12 format, is a binary file format that is common with Microsoft environments for importing and exporting certificates. PFX formatted files have an extension of .pfx or .p12.

Question 19

P7B

Answer 19

The P7B format, also known as PKCS#7, is another ASCII file format used to store certificate information. If you open the ASCII file, you will see that
it begins with the text

–—BEGIN PKCS7–—

and ends with

–—END PKCS7–—.

P7B files can have an extension of .p7b or .p7c.

Question 20

Two Types of CAs

Answer 20

Public CA
A public CA is used to identify CAs that are in the business of selling certificates to other businesses so those certificates can be used in applications. The benefit of a public CA is that most applications (such as Internet Explorer) trust certificates that come from common public CAs, such as Entrust, Verisign, and GoDaddy.

Private CA
When an organization decides to create its own PKI, it is a private CA. This allows an organization to create its own CA and use
it to generate certificates for the organization. The benefit of using a private CA is that the organization does not have to pay for each certificate that is created.

Question 21

Subordinate CAs, aka. Intermediate CAs.

Answer 21

Depending on the size of the organization, you can create one or more subordinate CAs, also known as intermediate CAs. These CAs have their own certificate—issued and digitally signed by the root CA that they will use to digitally sign any certificates that they create. You might use subordinate CAs so that each office location has its own CA to issue certificates for that location, for example.

Question 22

Online vs. Offline CA

Answer 22

One of the reasons to have subordinate CAs, or intermediate CAs, is so that you can take the root CA offline. Taking the root CA offline means that you are disconnecting it from the network so that it cannot be hacked. Within a PKI, if there is a security compromise with a CA, whether it be a root CA or a subordinate CA, then every certificate below that point should be considered compromised. If the root CA were hacked, the entire PKI would be considered compromised because everything falls under the root CA. To prevent needing to re-create all certificates and subordinate CAs, you typically take the root CA offline once you have subordinate CAs to generate certificates for the rest of the company.

Once a subordinate CA has been created for each of the locations, you should then power off the root CA so that it is not compromised. If a security compromise occurs, anything from that point in the hierarchy down is considered compromised and invalid. Taking the root CA offline ensures the root level is not compromised.

Question 23

Registration Authority (RA)
(A small company may combine the roles of the RA and the CA, but would still ensure that the request is validated before creating the certificate.)

Answer 23

The registration authority (RA) is an important part of a PKI, as it is responsible for accepting certificate requests from clients and then validating the entity requesting the certificate.

The RA will follow the process determined by the security policy to validate any employee or device requesting a certificate. This typically involves the employee filling out an application for a certificate and then presenting identification and a reason for the request. Once the RA validates the request, it is passed to the CA to create the certificate.

Question 24

Repository

Answer 24

The repository is the database that stores the certificates and public keys. The repository should be available to all participants in the PKI structure so that they can obtain the public keys when needed.

The repository is usually an LDAP-compliant directory, which allows you to query the directory through LDAP. The database should be backed up on a regular basis.