Lesson 6: Implementing PKI Flashcards
A digital certificate
is a public assertion of identity, validated by a certificate authority (CA). As well as asserting identity, certificates can be issued for different purposes, such as protecting web server communications or signing messages.
Public key infrastructure (PKI)
aims to prove that the owners of public keys are who they say they are. Under PKI, anyone issuing public keys should obtain a digital certificate.
Certificate Authority (CA)
is the entity responsible for issuing and guaranteeing certificates
Online CA
is one that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.
Offline CA
is a secure configuration involved in making the root disconnected from any network and usually kept in a powered-down state. The root CA will need to be brought online to add or update intermediate Cas
Registration
is the process by which end users create an account with the CA and become authorized to request certificates.
Certificate Signing Request (CSR)
When a subject wants to obtain a certificate. The subject will complete a CSR and submits it to the CA.
Registration Authorities (RAs)
RAs complete identity checking and submit CSRs (Certificate Signing Request) on behalf of the end users. They do not sign or issue certificates.
Digital Certificates
Contains information about the subject and the certificate’s issuer or guarantor. The cert is digitally signed to prove that it was issued to the subject by a particular CA.
CN (Common Name)
was used to identify the FQDN by which the server is accessed, such as www.comptia.org. CN is now deprecated.
SAN
(Subject Alternative Name) – is structured to represent different types of identifiers, including domain names.
Certificate Policies
define the different uses of certificate types issued by the CA.
Server Certificate
guarantees the identity of e-commerce sites or any sort of website to which users submit data that should be kept confidential.
Domain Validation (DV)
proving the ownership of a particular domain.
Extended Validation (EV)
a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed.
Machine/Computer Certificates
issuing certs to machines (servers, PCs, smartphones, tablets, DCs, member servers, thin clients etc.)
Email/User Certificates
used to sign and encrypt email messages, using Secure Multipart Internet Message Extension (S/MIME) or Pretty Good Privacy (PGP)
Code Signing certificate
issued to a software publisher
Root Certificate
identifies the CA (Certificate Authority). It is self signed. Usually use a key size of 2048 bits but many providers are switching to 4096 bits.
Key Management – refers to operational considerations for the various stages in a key’s life cycle. A Keys life cycle may involve these steps:
- Key generation—creating a secure key pair of the required strength, using the chosen cipher.
- Certificate generation—to identify the public part of a key pair as belonging to a subject (user or computer), the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. At this point, it is critical to verify the identity of the subject requesting the certificate and only issue it if the subject passes identity checks.
- Storage—the user must take steps to store the private key securely, ensuring that unauthorized access and use are prevented. It is also important to ensure that the private key is not lost or damaged.
- Revocation—if a private key is compromised, the key pair can be revoked to prevent users from trusting the public key.
- Expiration and renewal—a key pair that has not been revoked expires after a certain period. Giving the key or certificate a “shelf-life” increases security. Certificates can be renewed with new key material.
Key management can be centralized, meaning that one administrator or authority controls the process, or decentralized, in which each user is responsible for his or her keys.
M-of-N control,
meaning that of N number of administrators permitted to access the system, M must be present for access to be granted. M must be greater than 1, and N must be greater than M.
Escrow
means that something is held independently. In terms of key management, this refers to archiving a key (or keys) with a third party.
A certificate may be revoked or suspended:
revoked certificate is no longer valid and cannot be “un-revoked” or reinstated.
suspended certificate can be re-enabled.
Certificate Revocation List (CRL)
informing users whether a cert is valid, revoked or suspended.
Online Certificate Status Protocol (OCSP)
means of providing up to date information by checking the certificate status.
Certificate “Pinning”
refers to several techniques to ensure that when a client inspects the cert presented by a server or a code-signed application, it is inspecting the proper certificate.
Distinguished Encoding Rules (DER)
Cryptographic data—both certificates and keys—are processed as binary using DER.
Privacy-enhanced Electronic Mail (PEM)
When the binary data is represented as ASCII text characters using Base64
The PKCS #12 format
allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key. This type of file format is usually password-protected and always binary. (PKCS#12/ .PFX/ .P12)
P7B format
implements PKCS #7, which is a means of bundling multiple certificates in the same file. It is typically in ASCII format.
