Lesson 6 - Implementing Public Key Infrastructure Flashcards
Framework of certificate authorities, digial certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Public key infrastructure (PKI).
Public key cryptography solves the problem of distributing encryption keys when you want to communicate securely with others or authenticate a message that you send to others.
A server that guarantees subject identities by issuing signed digital certifcate wrappers for their public keys.
certificate authority (CA).
The entity responsible for issuing and guaranteeing certificates.
Critical PKI concept, and shows how users and different CAs are able to trust one another.
The trust model i
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
certificate chaining, or a chain of trust
In PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.
online CA
In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.
offline CA
A Base64 ASCII file that a subject sends to a CA to get a certificate.
certificate signing request (CSR).
The CSR is a Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.
In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.
registration authorities (RAs).
These entities complete identity checking and submit CSRs on behalf of end users, but they do not actually sign or issue certificates.
An X.509 digital certificate is issued by a Certificate Authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.
digital certificate.
Attributes:
Serial number - A number uniquely identifying the certificate within the domain of its CA.
Signature algorithm - The algorithm used by the CA to sign the certificate.
Issuer - The name of the CA.
Valid from/to - Date and time during which the certificate is valid.
Subject - The name of the certificate holder, expressed as a distinguished name (DN).Within this, the common name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address.
Public key - Public key and algorithm used by the certificate holder.
Extensions - V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage.
Subject alternative name (SAN) - This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified.
Series of standards defining the use of certificate authorities and digital certificates.
Public Key Cryptography Standards (PKCS)
An X500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate.
common name (CN)
Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
subject alternative name (SAN)
A document that defines the different types of certificates issued by a CA.
Certificate policies.
A certificate type is set by configuring the the Key Usage attribute. The Extended Key Usage (EKU) field—referred to by Microsoft as Enhanced Key Usage—is a complementary means of defining usage.
A digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.
server certificate
Proving the ownership of a particular domain.
Domain Validation (DV)
