Managing Certificates
MANAGING CERTIFICATES
SUBTOPIC 1
Certificate Authority
A Certificate Authority (CA), also called a Certification Authority, is an entity that issues digital certificates.
The CA is the authority responsible for issuing SSL certificates publicly trusted by web browsers.
Digital Certificates
A digital certificate is an electronic document that binds an identity, such as a user or organization,
to a corresponding public key.
Certificate Authentication
A certificate-based authentication scheme is a scheme that uses public key cryptography and a digital
certificate to authenticate a user.
Certificate authentication is the use of a Digital Certificate to identify a user, machine, or device before
granting access to a resource, network, application, etc.
Key Management
Key management refers to the management of cryptographic keys in a cryptosystem.
PKI Components
• Public key
• Private key
• Certificate Authority
• Certificate Store
• Certificate Revocation List
• Hardware Security Module
Root CA
Root CA: A Root CA is the topmost Certificate Authority (CA) in a CA hierarchy. Each CA hierarchy begins
with the Root CA, and multiple CAs branch from this Root CA in a parent-child relationship. All child CAs
must be certified by the corresponding parent CA back to the Root CA. The Root CA is kept in a secure area
and is usually a stand-alone offline CA, since it is the most security-critical CA in the hierarchy. The
root CA provides certificates for intermediate CAs. These certificates can be revoked if they are
compromised.
Intermediate CAs: An intermediate Certificate Authority (CA) is a CA that is subordinate to another CA
(Root CA or another intermediate CA) and issues certificates to other CAs in the CA hierarchy.
Intermediate CAs are usually stand-alone offline CAs like root CAs.
Issuing CAs: Issuing CAs are used to provide certificates to users, computers, and other services. There can
be multiple issuing CAs, and one issuing CA can be used for generating computer certificates and another
can be used for generating user certificates.
When to use a private CA? The situation changes completely when the services provided are private, that
is, not for the general public.
An offline root CA can issue certificates onto removable media (USB drive, CD/DVD), which are then
physically transported to the subordinate CAs that need the certificates in order to perform their tasks.
A certificate enrollment procedure begins when a user files a certificate enrollment request with a CA.
SUBTOPIC 2
Certificate Life Cycle
Longer life cycles give attackers an advantage.
Shorter life cycles allow for renewal of more secure certificates.
Certificate Lifecycle
The lifecycle of a certificate can be broken into a handful of distinct steps.
• Certificate Enrollment
• Certificate Issuance
• Certificate Validation
• Certificate Revocation
• Certificate Renewal
SSL Enrollment Process
Certificate Revocation
• Private key compromised
• Fraudulent certificate
• Holder no longer trusted
CRL (Certificate Revocation List): A certificate revocation list is a list of certificates (more
specifically, a list of the serial numbers of certificates) that have been revoked or are no longer valid
and therefore should not be relied upon.
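The hierarchy described above (offline root, intermediate, issuing CA, end-entity certificate) and the CRL check, as an added Go example using only the standard library's crypto/x509; it is not code from these notes. Issue builds each level of the chain, and Validate does what a relying party does: walk the chain to the trusted root, then refuse the certificate if its serial number appears on a CRL signed by the issuing CA. All names, serial numbers and lifetimes are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue signs a certificate for name with parentKey; a nil parent yields a self-signed root CA.
func Issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { // only a cert marked cA=TRUE with certSign/cRLSign may sign child certs and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate acts as the relying party: walk the chain to a trusted root, then check the leaf's serial against a CRL signed by its issuing CA.
func Validate(leaf *x509.Certificate, roots, inters *x509.CertPool, crlDER []byte) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName})
	if err != nil {
		return err // no path to a trusted root, a non-CA signer in the path, expiry or name mismatch
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(chains[0][1]) != nil { // chains[0][1] is the issuing CA
		return errors.New("CRL unreadable or not signed by the issuing CA")
	}
	for _, rc := range rl.RevokedCertificates { // a CRL is just a signed list of revoked serial numbers
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("revoked: " + leaf.Subject.CommonName)
		}
	}
	return nil
}
```

The CRL itself is produced with x509.CreateRevocationList over the issuing CA's key; a CRL signed by any other CA, or a chain presented without its intermediates, is rejected before the serial number is even consulted.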
Certificate Renewal
Certificates expire and need to be renewed.
Renewal process upholds security and accessibility.
Key Escrow
An alternative to key backup: one or more trusted third parties are given access to the keys under
predefined conditions. The third party is called the key escrow agent.