Managing Certificates


MODULE 6

MANAGING CERTIFICATES

SUBTOPIC 1

Certificate Authority
A Certificate Authority (CA), or Certification Authority, is an entity that issues digital certificates.
The CA is the authority responsible for issuing SSL/TLS certificates that are publicly trusted by web browsers.

Digital Certificates
The digital certificate is an electronic document that contains an identity such as a user or organization
and a corresponding public key.

Certificate Authentication
A certificate-based authentication scheme is one that uses public key cryptography and a digital
certificate to authenticate a user.

Certificate authentication is the use of a Digital Certificate to identify a user, machine, or device before
granting access to a resource, network, application, etc.

PKI - Public Key Infrastructure


A public key infrastructure (PKI) is a system consisting of hardware, software, policies, and procedures
that create, manage, distribute, use, store, and revoke digital certificates. The defining property of a PKI
is that it uses a pair of keys to achieve the underlying security service. The key pair consists of a private
key and a public key.

Key Management
Key management refers to the management of cryptographic keys in a cryptosystem.

PKI Components
• Public key
• Private key
• Certificate Authority
• Certificate Store
• Certificate Revocation List
• Hardware Security Module

Root CA
Root CA: A Root CA is the topmost Certificate Authority (CA) in a CA hierarchy. Each CA hierarchy begins
with the Root CA, and multiple CAs branch from this Root CA in a parent-child relationship. All child CAs
must be certified by the corresponding parent CA back to the Root CA. The Root CA is kept in a secure area
and is usually a stand-alone offline CA (to make it the most secure CA in the hierarchy). The root CA
provides certificates for intermediate CAs. The certificates can be revoked if they are compromised.

Intermediate CAs: An intermediate Certificate Authority (CA) is a CA that is subordinate to another CA
(the Root CA or another intermediate CA) and issues certificates to other CAs in the CA hierarchy.
Intermediate CAs are usually stand-alone offline CAs like root CAs.

Issuing CAs: Issuing CAs are used to provide certificates to users, computers, and other services. There can
be multiple issuing CAs, and one issuing CA can be used for generating computer certificates and another
can be used for generating user certificates.

Public and Private Roots


When to use public CAs? When we provide services for the general public, we use certificates signed by
a "trusted" third party.

When to use a private CA? The situation changes completely when private services are provided, which
are not for the general public.

Offline Root CAs


• The root CA remains offline.
• Subordinate CAs issue the certificates.
• All updates are made only to subordinate CAs.

An offline root CA can issue certificates onto removable media (USB drive, CD/DVD), which is then physically
transported to the subordinate CAs that need the certificate in order to perform their tasks.

A certificate enrollment procedure begins when a user files a certificate enrollment request with a CA.

Certificate Enrollment Process


Certificate enrollment refers to the process by which a user requests a digital certificate.
The user submits the request to a certification authority (CA), an entity which issues and manages
digital certificates for use within the public key infrastructure (PKI).
Users can request a digital certificate from a CA manually, or automatically without any interaction on their
part.

SUBTOPIC 2
Certificate Life Cycle
Longer life cycles give attackers an advantage.
Shorter life cycles allow for renewal of more secure certificates.

Certificate Lifecycle
The lifecycle of a certificate can be broken into a handful of distinct steps.
• Certificate Enrollment
• Certificate Issuance
• Certificate Validation
• Certificate Revocation
• Certificate Renewal
SSL Enrollment Process

Certificate Trust Chain


You can trace the chain from the client's certificate all the way back to a single root CA, and every chain
ends with a person (or company) from which all the trust is ultimately derived.

Certificate Revocation
• Private key compromised
• Fraudulent certificate
• Holder no longer trusted

CRL - Certificate revocation list. A certificate revocation list (CRL) is a list of certificates (or more
specifically, a list of serial numbers for certificates) that have been revoked or are no longer valid, and
therefore should not be relied upon.

OCSP - Online Certificate Status Protocol


• Alternative to CRL
• HTTP-based
• Checks specific certificate based on request
• Sends response with certificate’s status
• Lower overhead than CRL
• Lacks encryption

Certificate Renewal
Certificates expire and need to be renewed.
Renewal process upholds security and accessibility.

Private Key Protection Methods


• Back up to removable media
• Delete from insecure media
• Require restoration password
• Never share
• Never transmit on network
• Use key escrow

Key Escrow
An alternative to key backup. It allows one or more trusted third parties access to the keys under predefined
conditions. The third party is called the key escrow agent.

Private Key Restoration Methods


• Key escrow: one or more escrow agents can restore the key
• Key backup: restore from backup media


Private Key Replacement Process
1. Recover key
2. Decrypt data
3. Destroy original key
4. Obtain new key pair
5. Encrypt data with new key
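The five steps above carried out with the openssl command line, as an added example that is not part of the course notes; the key pair, the backup file (standing in for removable media) and the encrypted sample record are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the course notes: the five-step private key replacement
# process carried out with openssl. The key pair, its backup file and the encrypted
# sample record are all constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
OAEP="-pkeyopt rsa_padding_mode:oaep"   # RSA-OAEP rather than the PKCS#1 v1.5 default

# Before the incident: a key pair, a backup (stands in for removable media) and a
# short record encrypted to the old public key. Bulk data would instead be encrypted
# with a symmetric key that the RSA key wraps; the replacement steps are the same.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out old.key 2>/dev/null
cp old.key old.key.backup
openssl pkey -in old.key -pubout -out old.pub
printf 'constructed secret record' > record.txt
openssl pkeyutl -encrypt -pubin -inkey old.pub $OAEP -in record.txt -out record.enc
rm record.txt old.key                   # working copy is gone; only the backup remains

replace_key() {
  # 1. Recover the key from backup (an escrow agent could release it instead).
  cp old.key.backup old.key
  # 2. Decrypt the data with the recovered key.
  openssl pkeyutl -decrypt -inkey old.key $OAEP -in record.enc -out record.txt
  # 3. Destroy the original key everywhere it exists (overwrite, then unlink;
  #    real media needs an erase method suited to that media).
  for f in old.key old.key.backup; do
    dd if=/dev/zero of="$f" bs=4k count=1 2>/dev/null && rm -f "$f"
  done
  # 4. Obtain a new key pair.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out new.key 2>/dev/null
  openssl pkey -in new.key -pubout -out new.pub
  # 5. Encrypt the data with the new public key and remove the plaintext.
  openssl pkeyutl -encrypt -pubin -inkey new.pub $OAEP -in record.txt -out record.enc
  rm -f record.txt
}

# After replacement only the new private key opens the record.
read_with_new_key() {
  openssl pkeyutl -decrypt -inkey new.key $OAEP -in record.enc
}

replace_key
echo "record now readable with new key: $(read_with_new_key)"
ls old.key old.key.backup 2>/dev/null || echo "old key material destroyed"
```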
