Following are some of the most important points related to Public Key Infrastructure (PKI) for passing exams and for general understanding.
-
Public Key Infrastructure (PKI) is a set of tools, protocols, processes, policies, etc. that help us communicate securely using public key encryption.
-
A digital certificate, also called a public key certificate or identity certificate, is an electronic document that helps us prove the ownership of a public key. PKI helps us in creating, managing, distributing, storing, using, and revoking digital certificates.
-
X.509 is a standard within PKI that defines the format and distribution procedures of public key certificates. An X.509 certificate contains the public key along with the identity of its owner, such as an individual, hostname or organization, and is either signed by a certificate authority or self-signed.
-
PKI also includes the Public Key Cryptography Standards (PKCS), a set of standards created by RSA and other industry leaders, mostly around the cryptography techniques they held patents on.
-
An X.509 certificate generally has the following fields (these may vary slightly depending on the exact X.509 version in use):
-
Version of the certificate.
-
Serial number, which is a unique identifier for the certificate.
-
Signature, which is the algorithm used to sign the certificate.
-
Issuer, which is the issuer of the certificate.
-
Validity, which specifies until when the certificate is valid.
-
Subject name, which is the name of the certificate owner, with or without a Subject Alternative Name (SAN) to specify additional host names.
-
Public Key, which is the actual public key.
-
Issuer Unique ID, which is a unique ID for the issuer.
-
Subject Unique ID, which is a unique ID for the owner.
-
-
There are different types of digital certificates including, but not limited to:
-
Secure Sockets Layer (SSL) certificates or server certificates, to identify a server or computer.
-
Code signing certificate or object signing certificate, to verify ownership of code or object.
-
Domain validation certificate, to validate a domain.
-
Personal certificates, to verify a user identity (e.g. for using email).
-
Organization certificates, to verify an organization's identity including the domain.
-
Extended validation certificate, usually to verify an organization and domain, and may include additional vetting.
-
Trusted or Intermediate certificates, which identify root and intermediate certificate authorities.
-
-
A certificate authority or certification authority (CA) is a trusted entity that signs and issues digital certificates.
-
A certificate can also be signed by the person creating it, in which case it is called a self-signed certificate. Self-signed certificates have no additional expenses but have drawbacks, including that they cannot be revoked and will usually result in warnings from browsers. They are generally used for development and testing.
-
Browsers use digital certificates with HTTPS. If the certificate is not issued by a trusted CA, you will get a warning about the trustworthiness of the certificate, and in most cases you need to explicitly say that you trust it and are ready to proceed using it.
-
There are many popular trust models to help us trust other certificates, including but not limited to:
-
Web of Trust, a trust model without a central authority where users sign each other's certificates, creating a chain of trust.
-
A central third party certificate authority (CA) that issues all certificates.
-
Hierarchical model, where a root CA issues certificates to one or more levels of intermediate CAs, and these intermediate CAs, which have inherited trust, then issue certificates for end users.
-
-
A Certificate Signing Request (CSR) is a request made for certificate signing. We provide a CSR to the CA or intermediate CAs. In this recipe, AWS created the CSR for us and we signed it using a self-signed issuing certificate.
-
A certificate expires if the owner does not renew it by the expiry date.
-
A certificate may be permanently revoked. A certificate also may be temporarily suspended until some problem is solved.
-
A Certificate Revocation List (CRL) is a list of revoked certificates maintained by a CA, which the CA sends out at regular intervals. It can also be pulled and verified.
-
Online Certificate Status Protocol (OCSP) is a more real-time alternative to CRLs to check the status of a certificate.
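
The CSR flow and CA-signed trust described in the points above, as an added example that is not part of the original page: a self-signed issuing certificate signs a CSR, and a relying party then verifies the result against that root. It assumes the OpenSSL command-line tool is installed; the names `Example Root CA` and `www.example.test` and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, all kept in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own minimal config, so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root() {    # self-signed issuing certificate: issuer and subject are the same
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_csr() {     # the requester creates its own key pair; only the CSR leaves its hands
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=www.example.test" \
    -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

sign_csr() {     # the CA checks the CSR's own signature, then issues the certificate
  openssl req -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" -noout -verify 2>/dev/null
  printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 7 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

verify_cert() {  # relying party: succeeds only if $1 chains to the trusted root
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_root
make_csr
sign_csr
# Show the X.509 fields listed above for the issued certificate.
openssl x509 -in "$WORK/leaf.crt" -noout -issuer -subject -serial -dates
verify_cert "$WORK/leaf.crt" && echo "leaf.crt chains to Example Root CA"
```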