Security+ SY0-601: 3.9: Public Key Infrastructure

Chapter 25: Public Key Infrastructure

Public Key Infrastructure (PKI)

Components

RA

CA

Third-party trust model

Certificate Authority

Intermediate CA

Revocation

CRL

OCSP: Online Certificate Status Protocol

Suspension

CSR

https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr

X.509: the Certificate Standard

Parts of a certificate

Version Number (usually 1)

Subject (the certificate owner)

Public Key (the whole point)

Issuer (the CA, like Verisign)

Serial Number

Validity: To and From Dates

Certificate Usage (signing, email, encryption)

Signature Algorithms (the hashing and digital signature algorithms used)

Extension (custom data)

Public Key

Private Key

OID

Online and Offline CAs

Stapling

https://en.wikipedia.org/wiki/OCSP_stapling

This refers to “stapling” two documents together, like both a website’s certificate and a signed current OCSP report verifying that certificate.

Pinning (obsolete)

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

This refers to making a fixed reference of one certificate to one entity (website) – even if that entity (website) moves from one physical host to another.

Trust Models

Hierarchical

Peer to peer

Hybrid

Key Escrow

See p. 474 of our text. Note that you might (should) have different keys (certificates) for different purposes (e.g. signing vs. encrypting). Encryption keys SHOULD be held in escrow (in enterprise situations); signing keys should NEVER be held in escrow. (No one has any legal reason to use my keys to “sign” an object – after I am dead.)

Certificate Chaining

https://docs.microsoft.com/en-us/windows/win32/seccrypto/certificate-chains

Types of Certs

End-entity certs

CA certs

Cross-certification certs

Policy certs

Wildcard certs

Code-signing certs

Self-signed certs

Machine / Computer

Email

User

Root

Domain validation

Extended validation

Certificate Formats

.der

.pem

.cer / .crt

.key

.pfx

.p12

.p7b

***

Certificate Issues

Broken Chain of Trust