Key Management (PKI)
Key management within a PKI refers to all the steps taken to manage the public and private keys used within the PKI. This includes keeping private keys private, distributing public keys in certificates, and revoking certificates when keys are compromised.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates.
Intermediate CA
Subordinate organizations or entities to which CAs delegate the day-to-day issuance of certificates on behalf of the CA.
Registration Authority (RA)
A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.
Certificate Revocation List (CRL)
An online list of digital certificates that the certificate authority has revoked.
Certificate attributes
Fields in an X.509 digital certificate that are used when parties negotiate a secure connection.
Online Certificate Status Protocol (OCSP)
A protocol that allows you to determine the revocation status of a digital certificate using its serial number.
Certificate Signing Request (CSR)
A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate.
Common Name (CN)
An X500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate.
Subject Alternative Name (SAN)
Allows a certificate owner to specify additional domains and IP addresses to be supported.
wildcard certificate
A certificate that can be used for multiple domains with the same root domain. It starts with an asterisk.
Subject Alternative Name Certificate
Used for multiple domains that have different names but are owned by the same organization. For example, Google uses SANs of .google.com, .android.com, *.cloud.google.com, and more. It is often used for systems with the same base domain name but a different top-level domain, for instance google.com and google.net.
Code Signing Certificate
Digital certificate issued (typically by a trusted CA) for signing software.
Used for downloaded code, macros, objects, etc.
self-signed certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
Machine/Computer Certificate
Used to authenticate a machine/computer into an Active Directory (AD) environment.
Email Certificate
A type of certificate that is used to encrypt email and digitally sign email.
User Certificate
A credential issued by the Authentication Service that supplies valid authentication credentials. Whenever the client requires access to a new network resource, it must present its TGT to the Key Distribution Center.
root certificate
The first certificate created by the CA; it identifies the CA itself.
Domain Validation Certificate
Server security certificate that provides the lowest level of validation available.
Owner of the certificate has some control over a DNS domain.
Extended Validation Certificate
Increased security over domain validation certificates due to an enhanced validation process, which requires human validation ("high-assurance").
Distinguished Encoding Rules (DER)
A restricted version of BER that allows only one encoding type and has more restrictive rules for lengths, character strings, and how the elements of an X.509 digital certificate are stored.
Privacy Enhanced Mail (PEM)
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
Personal Information Exchange (PFX)
An X.509 file format that is the preferred file format for creating certificates to authenticate applications or websites.
Canonical Encoding Rules (CER)
A base format for PKI certificates. They are binary encoded files.
P12
A common format for PKI certificates. They are CER-based (binary) and often hold certificates with the private key. They are commonly encrypted.
P7B
A common format for PKI certificates. They are DER-based (ASCII) and commonly used to share public keys.
Online vs. Offline CA
Online: An internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night. This would NOT be the case in a government or top-security environment.
Offline: An offline CA is for a military or secure environment where clearance and vetting must be completed before someone can be issued a certificate. The CA is kept offline and locked up when it is not being used. It is switched off so that it cannot issue new certificates.
Stapling
The certificate presenter (such as a web server) obtains a timestamped OCSP response from the CA. Before sending it, the CA signs it with a digital signature. The certificate presenter then appends a timestamped OCSP response to the certificate during the TLS handshake process.
Pinning
A security mechanism used by some web sites to prevent web site impersonation. Web sites provide clients with a list of public key hashes. Clients store the list and use it to validate the web site.
Trust Model
The use of a trusted third party to verify the trustworthiness of a digital certificate.
key escrow
A control procedure whereby a trusted party is given a copy of a key used to encrypt database data.
Certificate chaining
A process that combines all certificates within a trust model. It includes all the certificates in the trust chain from the root CA down to the certificate issued to the end user.