Public Key Infrastructure (PKI) is the set of roles, policies and systems that issue, distribute, validate and revoke digital certificates, and with them manage the public keys used in asymmetric cryptography. A PKI involves components (e.g., Certification Authority, Intermediate Certificate, Certificate Revocation List, and so on), PKI concepts (e.g., Stapling, Pinning, Trust Models, and so forth), certificate types (e.g., Wildcards, SAN, Code Signing, Email, Root, and more), and certificate formats (e.g., DER, PEM, PFX, P12). The following sections elaborate on these concepts in greater detail.
What are Essential PKI Components for Security+?
Security+ candidates should be familiar with the following PKI components.
Certificate Authority (CA):
A Certificate Authority (CA) is a trusted third party that issues digital certificates, each binding a public key to the identity of its subject (a host name, an organization, a person). Any relying party that trusts the CA can then verify that identity by validating the CA's signature on the certificate. Well-known commercial CAs include Symantec, VeriSign, GeoTrust, Comodo, and DigiCert (several of these have since merged or been renamed: DigiCert acquired Symantec's CA business, including the VeriSign and GeoTrust brands, in 2017, and Comodo CA became Sectigo in 2018). A CA can be either external to the company, such as a commercial CA that charges for its service, or internal to the company, such as an enterprise CA that issues certificates to the organization's own users and systems.
Generally, a CA is responsible for the following duties:
- Generating, issuing, and distributing public key certificates
- Distributing its own CA certificates
- Generating and publishing certificate status information (CRLs, OCSP responses)
- Accepting revocation requests from subscribers
- Revoking public key certificates when required
- Maintaining the availability, continuity, and security of the certificate-signing function
An Intermediate CA is a subordinate Certificate Authority whose own certificate is signed by the trusted Root CA (or by another intermediate). It issues end-entity certificates on the root's behalf, so the root's private key can be kept offline and used only to sign intermediate certificates and the root's CRL. Intermediate CAs also spread the workload of issuing and revoking certificates, and if an intermediate's key is compromised the root can revoke that one CA certificate instead of every trust store having to replace the root.
Certificate Revocation List (CRL):
A CRL is a signed list, published by a CA, of the serial numbers of the certificates it has revoked before their expiry date, together with the date of each revocation. The location of the list is normally carried in the certificate itself (the CRL Distribution Points extension); a client downloads the CRL, verifies the CA's signature on it, and checks whether the serial number of the certificate it is validating appears in the list. Querying the CA about one serial number at a time, rather than downloading the whole list, is the job of OCSP, which is covered under stapling. Additionally, a local (Read more...)
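To make the CA duties, the intermediate CA and the CRL concrete, here is an added example that is not part of the original article: a shell script driving the openssl command-line tool to build a two-tier PKI (a self-signed root, an intermediate signed by the root, and a server certificate issued by the intermediate through `openssl ca`), verify the chain, revoke the server certificate, publish a CRL signed by the intermediate, and show that CRL checking rejects the revoked certificate. All names (Example Root CA, www.example.test), serial numbers and the config file are constructed for the demo; it assumes an openssl binary (1.1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): a two-tier PKI driven by the
# openssl CLI. Names, serials and the config are constructed for the demo;
# assumes an openssl binary (1.1.1 or 3.x) on PATH.
set -eu

# One config file: CSR defaults, extension profiles, and the `openssl ca` database.
write_config() {
  d=$1
  mkdir -p "$d/newcerts"
  : > "$d/index.txt"          # the CA's issuance database (empty at start)
  echo 1000 > "$d/serial"     # next certificate serial number (hex)
  echo 1000 > "$d/crlnumber"  # next CRL number
  cat > "$d/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ext_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ext_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ ext_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ ca ]
default_ca = intermediate_ca
[ intermediate_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/intermediate.pem
private_key = $d/intermediate.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn
x509_extensions = ext_leaf
[ policy_cn ]
commonName = supplied
EOF
}

build_pki() {
  dir=$1; cnf=$dir/pki.cnf
  write_config "$dir"
  # 1. Root CA: self-signed. In production its key stays offline and signs only
  #    intermediate certificates and the root's own CRL.
  openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 365 -extensions ext_root \
    -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # 2. Intermediate CA: a CSR signed by the root with CA:TRUE, pathlen:0.
  openssl req -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 180 -extfile "$cnf" -extensions ext_intermediate \
    -out "$dir/intermediate.pem" 2>/dev/null
  # 3. Leaf (server) certificate issued by the intermediate through `openssl ca`,
  #    which records the serial in index.txt so the certificate can be revoked later.
  openssl req -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl ca -config "$cnf" -batch -notext -in "$dir/leaf.csr" -out "$dir/leaf.pem"
}

# Chain validation: the root is the trust anchor; the intermediate is supplied
# untrusted (as a TLS server would send it) and must chain up to the root.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/leaf.pem" 2>&1 |
    grep -q 'leaf.pem: OK'
}
# Revocation: mark the leaf revoked in the CA database, then publish a signed CRL.
revoke_leaf() {
  openssl ca -config "$1/pki.cnf" -revoke "$1/leaf.pem"
  openssl ca -config "$1/pki.cnf" -gencrl -out "$1/intermediate.crl"
}
# A CRL is a signed list of serial numbers: confirm the leaf's serial is on it.
crl_lists_serial() {
  serial=$(openssl x509 -in "$1/leaf.pem" -noout -serial | cut -d= -f2)
  openssl crl -in "$1/intermediate.crl" -noout -text | grep -q "Serial Number: $serial"
}
# The same chain check with CRL checking enabled must now reject the leaf.
leaf_is_revoked() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    -CRLfile "$1/intermediate.crl" -crl_check "$1/leaf.pem" 2>&1 | grep -q 'certificate revoked'
}

work=$(mktemp -d)
build_pki "$work"
verify_chain "$work";     echo "before revocation: leaf.pem: OK"
revoke_leaf "$work"
crl_lists_serial "$work"; echo "CRL lists the leaf's serial number"
leaf_is_revoked "$work";  echo "after revocation: verify reports 'certificate revoked'"
rm -rf "$work"
```

Note that `openssl verify` only consults the CRL when asked to (`-crl_check`); run the chain check without that flag after the revocation and the revoked certificate still verifies. That is the practical weak spot of CRLs: revocation only takes effect if the relying party fetches the current list and checks it. `-crl_check_all` extends the check to every CA in the chain, which then needs the root's CRL as well.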
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2armHCFNQo4/