Public Key Infrastructure

Question 1

What is PKI?

Answer 1

Public Key Infrastructure.
This is the process of managing digital certificates.
This is a big big endeavor with need for lots of planning.
This also refers to the binding of public keys to people or devices. This is something that is centrally located in the certificate authority(CA).

Since the CA becomes the core method of trust for all of these signatures and all of the trust related to that it becomes a very important part of your infrastructure.

Question 2

What is the key management lifecycle in PKI?

Answer 2

We usually create these keys with an expiration date so once the key expires the process needs to start over again.

Key generation - keys need to be created with the requested strength and with the proper cipher
Certificate generation - allocating keys to users
Distribution - making the key available to the user
Storage - securely store and protect against unauthorized use
Revocation - Manage keys that have been compromised

Question 3

What is a digital certificate?

Answer 3

A public key certificate.
A public key is combined with a digital signature.
Usually the digital signature is from a certificate authority.
These digital certificates may also include other details about the key holder.

This is all part of adding additional trust.

Question 4

What is a commercial certificate authority and how does it differ from a CA in your personal enterprise network?

Answer 4

Commercial CAs are built into your browser by default and are for more large scale certificate use than that of the ones inside your company. These can be for the purpose of an entire website.

Commercial CAs allow you to purchase a web site certificate for your web site and make it trusted by everyone’s browser.
This would happen by creating a key pair on your machine, and then providing a public key to the CA to be signed.
A number of steps would happen before they signed it to make sure you are who you say you are and your website is safe, and then they would sign your certificate.
This request for a CA to sign your certificate is called a “certificate signing request” or a “CSR”

Question 5

What is a private certificate authority?

Answer 5

Your company is their own CA, you build it in house for your devices and users to trust each other’s communications.
Your devices must trust the internal CA.
This is needed for medium to large organizations.

Question 6

What is the difference between having a single CA in your organization and a hierarchy of CAs?

Answer 6

In a single CA environment there is just one CA that everyone receives their certificates from.

In a Hierarchical environment there are many different CAs all working together.
A single root CA issues certs to Intermediate CAs
Those intermediate CAs give certs to Leaf CAs.
This distributes the certificate management load and also makes it easier to deal with if a particular CA is compromised and you need to revoke all of the certificates it signed.
You can remove a Leaf CA and the intermediate and root CA will still remain valid.
Root CA—>Intermediate CA—>Leaf CA

Question 7

What is registration authority? (RA)

Answer 7

When an entity requests a certificate it needs to be verified (think big picture like web servers for websites, not an internal network).
The RA(registration authority) will be responsible for identifying and authenticating the requester.
They are also responsible for revoking certificates and renewing certificates.

Question 8

Inside of a certificate what is the common name? (CN)

Answer 8

This is the FQDN for the certificate.

If you’re connecting to a site and the address you typed in does not match the FQDN on the certificate you will get a message in your browser saying “your connection is not private, etc”

You can also add alternative names to it so that you could support “google.com” and “www.google.com” etc.
This is called the “Subject alternate name” attribute.

Question 9

What is a Certificate revocation list? (CRL)

Answer 9

Certificate revocation list.
This is a giant list of revoked certificates that is stored at the CA.
Can contain many revocations in one large file for that one certificate’s history.

Question 10

When downloading a large CRL file sometimes it isn’t very practical. What is a more efficient way of doing this?

Answer 10

OCSP (Online Certificate Status Protocol)
This is something built into our browser that can perform a single check just for this certificate to see if that certificate may have been associated with something revoked.
Messages are usually sent to an OCSP responder via HTTP which usually exists at the CA.

Question 11

What are domain validation certificates? (DV)

Answer 11

These allow you to encrypt communication to a web server.
We refer to these by a lock next to your address bar.
This provides trust that the owner of this certificate has some control over a DNS domain.

Question 12

What are Exntended Validation certificates? (EV)

Answer 12

This proves that additional checks have verified the certificate owners identity.
Browsers used to show a big green name next to the address bar for these, but now they all show just the lock.

Question 13

What is a Subject Alternative Name certificate? (SAN)

Answer 13

This is an extension to an X.509 certificate(normal certificate).
Lists additional identification information and allows a certificate to support many different domains.
These can use a wildcard in them like *
An example of this would be SAN certificate for *.professormesser.com which would apply to “www.professormesser.com” “professormesser.com” “ftp.professormesser.com” etc

Question 14

What is a code signing certificate?

Answer 14

This is used by developers to provide a level of trust that the program that you are installing is exactly the same executable as the one that was distributed by the manufacturer, and has not been modified in any way.

Question 15

What is a Root Certificate?

Answer 15

If you’re building a public key infrastructure (PKI) you’re starting with a CA. And that certificate needs a starting point.
That starting point is a root certificate.
All of the certificates and additional CA certificates are starting with this root certificate.
Certificates will be signed first by this root CA and then signed by everything downstream from there
(intermediate CAs, Leaf CAs).

If someone were to gain access to this root certificate they will be able to create any type of certificate for your organization, so there is a LOT of emphasis put on the security of this certificate.

Question 16

What are self signed certificates?

Answer 16

These are internal certificates that don’t need to be signed by a public CA, and are only used by your company.
No need to purchase trust for devices that already trust you.
You need to build your own internal CA for this to function and issue your own certificates signed by your own CA.
This also means that you need to install the CA certificate/trusted-chain on all devices in your network, and they will now trust any certificates signed by your internal CA.

Question 17

What are machine and computer certificates?

Answer 17

These are a certificate built for a specific piece of software to provide trust during the authentication process.
A good example of this would be someone accessing your internal network remotely from the VPN tunnel and before it gains access to the network the VPN provides an additional set of authentication to check for that certificate. And if that machine validates properly, we know it is trusted by the rest of the organization.

Question 18

How to email certificates work and what do they enable?

Answer 18

They allow you to use cryptography in an email platform.
If you want to encrypt an outbound email you will use the recipients public key to encrypt.
If you decrypt an email you are receiving you use your private key to decrypt.

These email certificates can also be used for digital signatures. So that the person receiving your email can validate that everything in your email is exactly how it was when it was sent.

Question 19

What are user certificates?

Answer 19

These are a powerful electronic ID cards associating a certificate with a user.
You can attach devices via USB that will check for a certificate and limit access if you don’t have it.

Question 20

What is the standard structure of certificates called?

Answer 20

X.509

The structure of the certification is standardized.
the format of the actual certificate file can take many different forms.

There are many different file formats for certificates though.
Luckily there are programs like openssl that can read different formats or even convert between different formats if we need to.

Question 21

What is DER format? (distinguished encoding rules)

Answer 21

This is a format designed to transfer syntax for data structures and it is a very specific encoding format.
It also happens to be perfect for an X.509 certificate.
It is a binary format which means we can’t bring it up in a text editor and read anything that might be in there, but it is a very common format that you will see when deploying things using java.

Question 22

What is PEM format? (privacy enhanced mail)

Answer 22

This is a BASE64 encoded DER certificate.
Generally this is the format provided by CAs and is supported by many different platforms.

Allows you to receive a certificate in ascii format encoded in base64 and then decode it from that, instead of sending it as an attachment which may be modified.

Question 23

What is PKCS#12 format? (public key cryptography standards #12)

Answer 23

Usually a .p12 or .pfx file extension.
This is what you want to use if you are trying to transfer multiple certificates at once.
Used interchangeably with the name “PFX” which is because this is an extension of Microsoft’s PFX format.
This is a container format, so you have a standard format that you can put many certificates inside.
Often used to transfer a private and public key pair.
The container can be password protected.

Question 24

What is CER format? (certificate)

Answer 24

Primarily a file extension in windows. (“.CER”)
If you’re using a windows machine you’re probably using the CER format
Provides flexibility to choose between encoding as the binary DER format or the ASCII PEM format.
This is usually just containing a public key because if you were transmitting a private key you would want to transfer it in the .pfx format with a password.

Question 25

What is the PKCS #7 format? (public key cryptography standards #7)

Answer 25

Sent as a .p7b file
Stored in ASCII format that can be easily read and transferred over email.
Contains certificates and chain certificates.
Private keys are not included in a .p7b file

Question 26

What is the difference between an online CA and an offline CA?

Answer 26

A compromised CA is a very very bad thing. Especially a root CA.
For this reason we can take a root CA completely offline while all of the intermediate CAs handle all of the load and sign certificates, since they are trusted through association to the root CA. In this instance the root CA would be an offline CA and the intermediate CAs and leaf CAs under them would be online CAs.
If one of these Intermediate CAs were compromised it would limit the scope to just certificates signed by that specific CA and not make us have to tear down our entire PKI.

Question 27

What is OCSP stapling?

Answer 27

This uses the Online Certificate Status Protocol.
It provides scalability for OCSP checks.
The CA is responsible for responding to all client OCSP requests, this may not scale well.
Instead, using OCSP stapling, the certificate holder can “staple” their current certificate status on their own local server.
The OCSP status is “stapled” into the SSL/TLS handshake.
This makes it so that you don’t have to reach out to an external CA server and can instead just do it right in the handshake when you load a site.

Question 28

What is certificate “pinning”?

Answer 28

This is to “pin” the expected certificate or public key to an application so that you can compare it against the certificate you get from the server.
This needs to be compiled in the app or added at the first run of the application.
This means that a check will take place when it connects to that server to ensure that the certificate from that server matches the certificate inside of the application.

Question 29

How is a mesh trust relationship between internal CAs different than a hierarchical trust relationship?

Answer 29

There is a big mesh of CAs that all cross certify each other and every CA trusts every other CA.
This really doesn’t scale well.

Whereas a hierarchical trust relationship is like a pyramid.

Question 30

What is a web-of-trust

Answer 30

This is alternative to a traditional PKI
This is used in PGP.
In a web of trust, you sign certificates of people you know, and they sign certificates of people THEY trust.
That means that if you happen to see a certificate from someone you don’t know, but that certificate has been signed by someone you DO know then there is a level of trust you can associate with them.

Question 31

What is a mutual authentication trust relationship in regards to certificates?

Answer 31

This is where the server authenticates to the client and the client also authenticates to the server.

Question 32

What is key escrow?

Answer 32

This is when a 3rd party has your decryption keys (private keys).
This can be a legitimate business arrangement.
There needs to be very clear processes and procedures in place for this kind of arrangement so that you know when they will be using them.
And you need to trust that they can keep them safe.

Question 33

in certificates, what is a chain of trust?

Answer 33

This is a listing of all the certs between the server and the root CA.
This chain starts with the SSL certificate that we are connecting to and it ends with the root CA.
Any certificate that is between the SSL certificate and the root certificate is a chain certificate.
The web server needs to be configured with the proper chain or else end users connecting to your site may receive an error.