You have 3 free guides left 😟
Unlock your guides
Unlock Cram Mode
You have 3 free guides left 😟
Unlock your guides

9.3 Public Key Infrastructure (PKI) and Certificate Authorities

3 min readaugust 9, 2024

is the backbone of secure digital communication. It uses and digital certificates to establish trust between parties. Certificate Authorities (CAs) play a crucial role in issuing and managing these certificates.

PKI components include root CAs, intermediate CAs, and various trust models like hierarchical and . Digital certificates, following the standard, bind identities to public keys. The involves issuance, renewal, and revocation, with mechanisms like CRLs and OCSP for status checking.

Public Key Infrastructure (PKI) Components

Core Elements of PKI

Top images from around the web for Core Elements of PKI

  • Indistinguishable from magic: Splits and joins in PKI certificate hierarchies View original

    Is this image relevant?

  • Lab 05 - PKI and TLS [CS Open CourseWare] View original

    Is this image relevant?

  • Indistinguishable from magic: Splits and joins in PKI certificate hierarchies View original

    Is this image relevant?

1 of 3

Top images from around the web for Core Elements of PKI

  • Indistinguishable from magic: Splits and joins in PKI certificate hierarchies View original

    Is this image relevant?

  • Lab 05 - PKI and TLS [CS Open CourseWare] View original

    Is this image relevant?

  • Indistinguishable from magic: Splits and joins in PKI certificate hierarchies View original

    Is this image relevant?

1 of 3
  • Public Key Infrastructure (PKI) forms the foundation for secure communication and authentication in digital environments
  • PKI utilizes asymmetric cryptography to establish trust between parties through digital certificates
  • acts as a trusted third party responsible for issuing, managing, and verifying digital certificates
  • serves as the highest level of trust in the PKI hierarchy, self-signs its own certificate, and issues certificates to intermediate CAs
  • operates under the authority of the root CA, issues certificates to end-entities, and helps distribute the workload of certificate management

Trust Models in PKI

  • employs a top-down approach with the root CA at the apex, followed by intermediate CAs and end-entities
  • allows CAs from different hierarchies to establish trust relationships, enabling interoperability between separate PKI systems
  • Web of trust presents an alternative decentralized trust model where individuals vouch for the authenticity of others' public keys (PGP)
  • acts as a central point of trust between multiple PKI domains, facilitating trust relationships across organizations

Digital Certificates and Standards

Structure and Components of Digital Certificates

  • Digital certificates bind an entity's identity to its public key, ensuring secure communication and authentication
  • X.509 standard defines the format and content of digital certificates, ensuring interoperability across different systems
  • Certificate fields include version, serial number, signature algorithm, issuer, validity period, subject, public key, and extensions
  • extension allows multiple identities to be associated with a single certificate (domain names, IP addresses)

Certificate Issuance Process

  • initiates the certificate issuance process, containing the applicant's public key and identifying information
  • CA validates the information in the CSR, generates the certificate, and signs it with its private key
  • establishes a path of trust from the end-entity certificate to the root CA, validating the authenticity of each certificate in the chain
  • involves checking the signatures, validity periods, and revocation status of all certificates in the trust chain

Certificate Management

Certificate Lifecycle and Revocation

  • Certificate lifecycle encompasses issuance, renewal, expiration, and revocation processes
  • contains a list of certificates that have been revoked before their expiration date
  • CRL distribution points provide locations where up-to-date CRLs can be obtained (HTTP, LDAP)
  • offers real-time certificate status checking, addressing limitations of CRLs (size, timeliness)
  • OCSP stapling allows web servers to include their OCSP response in the TLS handshake, reducing latency and improving performance

Key Management and Security Practices

  • involves generating, storing, distributing, rotating, and destroying cryptographic keys throughout their lifecycle
  • provide secure storage and management of private keys, offering tamper-resistant protection
  • allows authorized parties to access encrypted data in specific circumstances (legal requirements, key recovery)
  • enhances security by associating a host with its expected certificate or public key, mitigating man-in-the-middle attacks
  • logs publicly record all issued SSL/TLS certificates, allowing for detection of misissued or malicious certificates
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
Fiveable
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
Stay Connected
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
Back
Glossary
Glossary
Next