Lesson 6: Implementing PKI Flashcards

1
Q

A digital certificate

A

is a public assertion of identity, validated by a certificate authority (CA). As well as asserting identity, certificates can be issued for different purposes, such as protecting web server communications or signing messages.

2
Q

Public key infrastructure (PKI)

A

aims to prove that the owners of public keys are who they say they are. Under PKI, anyone issuing public keys should obtain a digital certificate.

3
Q

Certificate Authority (CA)

A

is the entity responsible for issuing and guaranteeing certificates

4
Q

Online CA

A

is one that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.

5
Q

Offline CA

A

is a secure configuration in which the root CA is disconnected from any network and usually kept in a powered-down state. The root CA will need to be brought online to add or update intermediate CAs.

6
Q

Registration

A

is the process by which end users create an account with the CA and become authorized to request certificates.

7
Q

Certificate Signing Request (CSR)

A

When a subject wants to obtain a certificate, the subject completes a CSR and submits it to the CA.

8
Q

Registration Authorities (RAs)

A

RAs complete identity checking and submit CSRs (Certificate Signing Request) on behalf of the end users. They do not sign or issue certificates.

9
Q

Digital Certificates

A

Contains information about the subject and the certificate’s issuer or guarantor. The cert is digitally signed to prove that it was issued to the subject by a particular CA.

10
Q

CN (Common Name)

A

was used to identify the FQDN by which the server is accessed, such as www.comptia.org. CN is now deprecated.

11
Q

SAN

A

(Subject Alternative Name) is structured to represent different types of identifiers, including domain names.

12
Q

Certificate Policies

A

define the different uses of certificate types issued by the CA.

13
Q

Server Certificate

A

guarantees the identity of e-commerce sites or any sort of website to which users submit data that should be kept confidential.

14
Q

Domain Validation (DV)

A

proving the ownership of a particular domain.

15
Q

Extended Validation (EV)

A

a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed.

16
Q

Machine/Computer Certificates

A

issuing certs to machines (servers, PCs, smartphones, tablets, DCs, member servers, thin clients, etc.).

17
Q

Email/User Certificates

A

used to sign and encrypt email messages, using Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP).

18
Q

Code Signing certificate

A

issued to a software publisher.

19
Q

Root Certificate

A

identifies the CA (Certificate Authority). It is self-signed. Root certificates usually use a key size of 2048 bits, but many providers are switching to 4096 bits.

20
Q

Key Management – refers to operational considerations for the various stages in a key’s life cycle. A key’s life cycle may involve these steps:

A
  • Key generation—creating a secure key pair of the required strength, using the chosen cipher.
  • Certificate generation—to identify the public part of a key pair as belonging to a subject (user or computer), the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. At this point, it is critical to verify the identity of the subject requesting the certificate and only issue it if the subject passes identity checks.
  • Storage—the user must take steps to store the private key securely, ensuring that unauthorized access and use are prevented. It is also important to ensure that the private key is not lost or damaged.
  • Revocation—if a private key is compromised, the key pair can be revoked to prevent users from trusting the public key.
  • Expiration and renewal—a key pair that has not been revoked expires after a certain period. Giving the key or certificate a “shelf-life” increases security. Certificates can be renewed with new key material.

Key management can be centralized, meaning that one administrator or authority controls the process, or decentralized, in which each user is responsible for his or her keys.

21
Q

M-of-N control,

A

meaning that of N number of administrators permitted to access the system, M must be present for access to be granted. M must be greater than 1, and N must be greater than M.

22
Q

Escrow

A

means that something is held independently. In terms of key management, this refers to archiving a key (or keys) with a third party.

23
Q

A certificate may be revoked or suspended:

A

A revoked certificate is no longer valid and cannot be “un-revoked” or reinstated.

A suspended certificate can be re-enabled.

24
Q

Certificate Revocation List (CRL)

A

informs users whether a cert is valid, revoked or suspended.

25
Q

Online Certificate Status Protocol (OCSP)

A

a means of providing up-to-date information by checking the certificate status.

26
Q

Certificate “Pinning”

A

refers to several techniques to ensure that when a client inspects the cert presented by a server or a code-signed application, it is inspecting the proper certificate.

27
Q

Distinguished Encoding Rules (DER)

A

Cryptographic data—both certificates and keys—are processed as binary using DER.

28
Q

Privacy-enhanced Electronic Mail (PEM)

A

When the binary data is represented as ASCII text characters using Base64.

29
Q

The PKCS #12 format

A

allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key. This type of file format is usually password-protected and always binary. (PKCS#12/ .PFX/ .P12)

30
Q

P7B format

A

implements PKCS #7, which is a means of bundling multiple certificates in the same file. It is typically in ASCII format.