PKI Concepts Flashcards
Certificate Hierarchy
is the ultimate authority as it holds the master key, also
known as the root key, for signing all of the certificates that it gives to the Intermediary
who issues the certificate to the requester
Online CA
An internal online CA is always up and running so that people in the
company can request a certificate at any time of the day or night. This would not be
the case in a government or top-security environment.
Offline CA
An offline CA is for a military or secure environment where clearance
and vetting must be completed before someone can be issued with a certificate. The
CA is kept offline and locked up when it is not being used. It is switched off so that
it cannot issue new certificates.
Public CA
also known as a third-party CA and is commercially
accepted as an authority for issuing public certificates.
Certificate Revocation List (CRL)
This is the first stage in checking whether a
certificate is valid. If the certificate is not valid, it will be entered into the CRL. If the
X509 is in the CRL, it is no longer valid and will not be accepted. No matter how
obscure the question posed in the exam, unless it is going slow or you are looking
for a faster lookup, it will be the CRL that provides certificate validity. No matter the
scenario, the CRL, is the default.
Certificate Pinning TIP
Certificate pinning prevents the compromising of the CA
and the issuing of fraudulent X509 certificates. It prevents SSL man-in-themiddle attacks.
Trust Anchor
A trust anchor in a PKI environment is the root certificate from
which the whole chain of trust is derived; this is the root CA
Trust Model
A trust model proves the authenticity of a certificate; there are two
trust models
Hierarchical Trust Model
This uses a hierarchy from the root CA down to the
intermediary (also known as a subordinate); this is the normal PKI model
Bridge Trust Model
The bridge trust model is peer-to-peer, where two separate
PKI environments trust each other. The certificate authorities communicate with
each other, allowing for cross-certification
Certificate Chaining TIP
This chain of trust is used to verify who the Certificate
Authority is. The chain normally has three layers, the certificate vendor, the vendor’s
CA, and the computer where the certificate is installed
Online Certificate Status Protocol (OCSP)
Only when the CRL is going slow will
the OCSP come into play. It is much faster than the CRL and can take a load from
the CRL in a very busy environment.
Tip
Certificate validity can only be done by the CRL or OCSP. The CRL is the
default, the OCSP is used when you are looking for a faster validation.
OCSP Stapling/Certificate Stapling
Certificate stapling, also known as OCSP
stapling, is used when a web server bypasses the CRL to use the OCSP for faster
certificate validation
Certificate Signing Request (CSR):
This is the process of requesting a
new certificate.
Key Escrow
The key escrow holds the private keys for third parties and stores them
in a Hardware Security Module (HSM), a device that can store digital keys
Hardware Security Module (HSM)
The HSM can be a piece of hardware attached
to the server or a portable device that is attached to store the keys. See the preceding
diagram for more on this.
Data Recovery Agent (DRA)
If a user cannot access their data because their
private key is corrupted, the DRA will recover the data. The DRA needs to get a
copy of the private key from the key escrow.
Certificates
There are two main certificate types: the public key and the private
key. The public key is sent to third parties to encrypt the data, and the private
key decrypts the data. If you think of the private key as your bank card, that’s a
thing you wouldn’t give away. The public key is the deposit slip that is tied to your
account. If you were in a room with 20 people who wanted to pay $20 into your
account, you would give them your deposit slip. You will always give your public
key away because when people are sending you encrypted data, they are using
your public key to encrypt. You will always use the recipient’s public key to encrypt
the data.
TIP
The Data Recovery Agent (DRA) needs a private key from the key escrow to
recover data
Object Identifier (OID)
The OID on a certificate is similar to a serial number
on a banknote. Banknotes are identified by their serial number. The certificate is
identified by its OID.
Certificate Formats
Certificate type Format File Extension
Private P12 .pfx
Public P7B .cer
PREM Base64 format .pem
DER Extension for PEM .der
Self-Signed Certificate
A self-signed certificate is issued by the same entity that is
using it. However, it does not have a CRL and cannot be validated or trusted. It is
the cheapest form of internal certificates and can be placed on multiple servers.
Wildcard
For a wildcard certificate for a domain called securityplus.
training, the wildcard certification would be *.securityplus.training
and could be used for the domain and a subdomain. For example, in the
securityplus.training domain, there are two servers called web and mail.
The wildcard certification is *.securityplus.training and, when installed,
it would work for the Fully Qualified Domain Names (FQDNs) of both of these—
web.securityplus.training and mail.securityplus.training. A
wildcard can be used for multiple servers in the same domain. If you want to use
one certificate, for example, on public-facing web servers then the wildcard is the
cheapest option
