Chapter 6 PKI Flashcards
What is a PFX/.pfx extension?
A .pfx (or .p12) extension is used to export a certificate along with its private key. The file is password protected and can archive or transport a private key.
What is a P7B extension?
A .p7b extension bundles multiple certificates into a single file. It is used to deliver a chain of certificates that are trusted by the processing host. It does not contain a private key.
What is a CER?
An actual certificate that contains information about the subject, such as name and location. It is written in either binary DER or ASCII PEM format.
What is a CRT?
The same as a .cer file extension: a basic certificate that contains information about the subject.
How do public root certificates work?
They allow users to trust a website using the chain of trust to the root authority. Private organizations must load employee web browsers with internal root certificates to verify internal websites.
What is Domain validation?
Proving ownership of a domain, which may be done by responding to an email sent to the authorized point of contact. This process is highly vulnerable to compromise.
What is the typical lifespan of a certificate?
10+ years
When is a certificate usually renewed?
Before it expires
What is meant by a certificate being rekeyed?
When a new key is generated
What is stapling?
Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder
How is stapling used in securing privacy with OCSP?
By having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response rather than making the client contact the OCSP responder itself.
What is pinning?
Refers to several techniques that ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate.
How is Pinning implemented?
By embedding the certificate data in the application code, or by submitting one or more public keys to an HTTP browser via an HTTP header, which is referred to as HTTP Public Key Pinning (HPKP).
What is Distinguished Encoding Rules (DER)?
The binary format used to structure the information in a digital certificate; it is used for cryptographic data, both certificates and keys.
What is ASCII?
A 7-bit code page mapping binary values to character glyphs. Standard ASCII can represent 127 characters, though some values are reserved for non-printing control characters.
What is a convention?
A three-character file extension.
What convention is widely used for ASCII format files in Linux?
.PEM
What does PKCS #12 format allow you to do?
Export of the private key with the certificate.
On Windows, what extension would a PKCS #12 format have?
.PFX
What is the command to create an RSA key pair in Linux?
openssl genrsa -aes256 -out cakey.pem 4096
What are the steps to configure a Root CA?
- Set up a directory structure and adapt an OpenSSL config file
- Create an RSA key pair
- Use the RSA key pair to generate a self-signed root X.509 digital certificate
What are the steps to configure a Certificate Signing Request?
1. Create a CSR with a new key pair
2. Complete the prompts
3. Transmit the CSR file to the CA server
4. On the CA, run the command to sign the CSR and output the X.509 certificate
5. Transmit the .pem file to the web server and update the server config to use it and the private key
What do you do when you have a certificate that has been working previously but doesn't work now?
Check that the certificate has not expired or been revoked or suspended.
If you have a problem with a new certificate, what should you do?
Check that the key usage settings are appropriate for the application.
Check that the subject name is correctly configured and that the client is using the correct address.