Public Key Infrastructure Flashcards
What is PKI?
Public Key Infrastructure.
This is the process of managing digital certificates.
This is a big big endeavor with need for lots of planning.
This also refers to the binding of public keys to people or devices. This is something that is centrally located in the certificate authority(CA).
Since the CA becomes the core method of trust for all of these signatures and all of the trust related to that it becomes a very important part of your infrastructure.
What is the key management lifecycle in PKI?
We usually create these keys with an expiration date so once the key expires the process needs to start over again.
Key generation - keys need to be created with the requested strength and with the proper cipher
Certificate generation - allocating keys to users
Distribution - making the key available to the user
Storage - securely store and protect against unauthorized use
Revocation - Manage keys that have been compromised
What is a digital certificate?
A public key certificate.
A public key is combined with a digital signature.
Usually the digital signature is from a certificate authority.
These digital certificates may also include other details about the key holder.
This is all part of adding additional trust.
What is a commercial certificate authority and how does it differ from a CA in your personal enterprise network?
Commercial CAs are built into your browser by default and are for more large scale certificate use than that of the ones inside your company. These can be for the purpose of an entire website.
Commercial CAs allow you to purchase a web site certificate for your web site and make it trusted by everyone’s browser.
This would happen by creating a key pair on your machine, and then providing a public key to the CA to be signed.
A number of steps would happen before they signed it to make sure you are who you say you are and your website is safe, and then they would sign your certificate.
This request for a CA to sign your certificate is called a “certificate signing request” or a “CSR”
What is a private certificate authority?
Your company is their own CA, you build it in house for your devices and users to trust each other’s communications.
Your devices must trust the internal CA.
This is needed for medium to large organizations.
What is the difference between having a single CA in your organization and a hierarchy of CAs?
In a single CA environment there is just one CA that everyone receives their certificates from.
In a Hierarchical environment there are many different CAs all working together.
A single root CA issues certs to Intermediate CAs
Those intermediate CAs give certs to Leaf CAs.
This distributes the certificate management load and also makes it easier to deal with if a particular CA is compromised and you need to revoke all of the certificates it signed.
You can remove a Leaf CA and the intermediate and root CA will still remain valid.
Root CA—>Intermediate CA—>Leaf CA
What is registration authority? (RA)
When an entity requests a certificate it needs to be verified (think big picture like web servers for websites, not an internal network). The RA(registration authority) will be responsible for identifying and authenticating the requester. They are also responsible for revoking certificates and renewing certificates.
Inside of a certificate what is the common name? (CN)
This is the FQDN for the certificate.
If you’re connecting to a site and the address you typed in does not match the FQDN on the certificate you will get a message in your browser saying “your connection is not private, etc”
You can also add alternative names to it so that you could support “google.com” and “www.google.com” etc.
This is called the “Subject alternate name” attribute.
What is a Certificate revocation list? (CRL)
Certificate revocation list.
This is a giant list of revoked certificates that is stored at the CA.
Can contain many revocations in one large file for that one certificate’s history.
When downloading a large CRL file sometimes it isn’t very practical. What is a more efficient way of doing this?
OCSP (Online Certificate Status Protocol)
This is something built into our browser that can perform a single check just for this certificate to see if that certificate may have been associated with something revoked.
Messages are usually sent to an OCSP responder via HTTP which usually exists at the CA.
What are domain validation certificates? (DV)
These allow you to encrypt communication to a web server.
We refer to these by a lock next to your address bar.
This provides trust that the owner of this certificate has some control over a DNS domain.
What are Exntended Validation certificates? (EV)
This proves that additional checks have verified the certificate owners identity.
Browsers used to show a big green name next to the address bar for these, but now they all show just the lock.
What is a Subject Alternative Name certificate? (SAN)
This is an extension to an X.509 certificate(normal certificate).
Lists additional identification information and allows a certificate to support many different domains.
These can use a wildcard in them like *
An example of this would be SAN certificate for *.professormesser.com which would apply to “www.professormesser.com” “professormesser.com” “ftp.professormesser.com” etc
What is a code signing certificate?
This is used by developers to provide a level of trust that the program that you are installing is exactly the same executable as the one that was distributed by the manufacturer, and has not been modified in any way.
What is a Root Certificate?
If you’re building a public key infrastructure (PKI) you’re starting with a CA. And that certificate needs a starting point.
That starting point is a root certificate.
All of the certificates and additional CA certificates are starting with this root certificate.
Certificates will be signed first by this root CA and then signed by everything downstream from there
(intermediate CAs, Leaf CAs).
If someone were to gain access to this root certificate they will be able to create any type of certificate for your organization, so there is a LOT of emphasis put on the security of this certificate.
What are self signed certificates?
These are internal certificates that don’t need to be signed by a public CA, and are only used by your company.
No need to purchase trust for devices that already trust you.
You need to build your own internal CA for this to function and issue your own certificates signed by your own CA.
This also means that you need to install the CA certificate/trusted-chain on all devices in your network, and they will now trust any certificates signed by your internal CA.
What are machine and computer certificates?
These are a certificate built for a specific piece of software to provide trust during the authentication process.
A good example of this would be someone accessing your internal network remotely from the VPN tunnel and before it gains access to the network the VPN provides an additional set of authentication to check for that certificate. And if that machine validates properly, we know it is trusted by the rest of the organization.
How to email certificates work and what do they enable?
They allow you to use cryptography in an email platform.
If you want to encrypt an outbound email you will use the recipients public key to encrypt.
If you decrypt an email you are receiving you use your private key to decrypt.
These email certificates can also be used for digital signatures. So that the person receiving your email can validate that everything in your email is exactly how it was when it was sent.
What are user certificates?
These are a powerful electronic ID cards associating a certificate with a user.
You can attach devices via USB that will check for a certificate and limit access if you don’t have it.
What is the standard structure of certificates called?
X.509
The structure of the certification is standardized.
the format of the actual certificate file can take many different forms.
There are many different file formats for certificates though.
Luckily there are programs like openssl that can read different formats or even convert between different formats if we need to.
What is DER format? (distinguished encoding rules)
This is a format designed to transfer syntax for data structures and it is a very specific encoding format.
It also happens to be perfect for an X.509 certificate.
It is a binary format which means we can’t bring it up in a text editor and read anything that might be in there, but it is a very common format that you will see when deploying things using java.
What is PEM format? (privacy enhanced mail)
This is a BASE64 encoded DER certificate.
Generally this is the format provided by CAs and is supported by many different platforms.
Allows you to receive a certificate in ascii format encoded in base64 and then decode it from that, instead of sending it as an attachment which may be modified.
What is PKCS#12 format? (public key cryptography standards #12)
Usually a .p12 or .pfx file extension.
This is what you want to use if you are trying to transfer multiple certificates at once.
Used interchangeably with the name “PFX” which is because this is an extension of Microsoft’s PFX format.
This is a container format, so you have a standard format that you can put many certificates inside.
Often used to transfer a private and public key pair.
The container can be password protected.
What is CER format? (certificate)
Primarily a file extension in windows. (“.CER”)
If you’re using a windows machine you’re probably using the CER format
Provides flexibility to choose between encoding as the binary DER format or the ASCII PEM format.
This is usually just containing a public key because if you were transmitting a private key you would want to transfer it in the .pfx format with a password.
