3.9 Given a scenario, implement public key infrastructure. Flashcards
HPKP
HTTP Public Key Pinning (HPKP) is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.
CRL
A Certificate Revocation List (CRL) is a list of certificates revoked before their expiration date. It does not prevent a Man-in-the-Middle (MitM) attack.
CSR
A Certificate Signing Request (CSR) is a Base64 ASCII file sent by a subject to a CA to get a certificat
OCSP
Online Certificate Status Protocol (OCSP) checks the status of an individual certificate rather than the whole CRL.
.P12
The Public Key Cryptography Standards (PKCS) #12 or .P12 format allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key.
.PFX
The .PFX extension uses the same binay format as .P12 and is commonly used in Windows. MacOS and iOS commonly use the .P12 extension.
A PFX, .pfx, or .p12 extension allows the export of a certificate along with its private key and is password protected. This is used to archive or transport a private key.
P7B
The P7B format is a means of bundling multiple certificates in the same file, often often used to deliver a chain of certificates. P7B files do not contain the private key.
PKCS #7
PKCS #7 is the P7B format and is represented in Linux as a .PEM extension.
What is a wildcard certificate used for?
A wildcard certificate is issued to the parent domain and will be accepted as valid for all subdomains because all are listed in one. These will reduce work to produce individual certificates for each.
Certificate Pinning
Pinning refers to several techniques to ensure it is inspecting the proper certificate when a client inspects the certificate presented by a server or a code-signed application. An example of this is submitting multiple public keys to an HTTP browser.
domain validation
Domain Validation (DV) is proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise.
SAN
Subject Alternative Name (SAN) is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.
