Thursday, August 10, 2017

Majorbacon's quick hitlist of the CompTIA Security+ PKI Terms

Public Key Infrastructure has a lot of terms and acronyms that get thrown around. Here is a rundown on some of the most common terms to know and love.


  • PKI: A PKI can be described as a set of technologies, procedures and policies for propagating trust from where it initially exists to where it is needed for authentication in online environments. 
  • CA: A Certificate authority hands out certificates to consumers to provide a central point of trusted authenticity
  • Intermediate CA: A CA that receives its authority from a Root CA and then provides certs of authority to an issuing CA
  • CRL: Certificate Revocation List – the list of certificates that should no longer be accepted because they have been revoked before expiration, usually because a system is no longer in service or the certificate has been compromised. These lists can be published over HTTP or other protocols
  • OCSP – Online Certificate Status Protocol – an alternative to downloading the entire CRL, a protocol to validate a particular certificate from the client using HTTP (usually)
  • CSR – A Certificate Signing Request is sent to apply for a cert around a particular key
  • Certificate – A file used to provide validation of public keys. They indicate when not to use these keys because of expiration, location, and use type. They are digitally signed by the issuing CA, with signature links up to the Root CA. Clients will use the public key once they have validated the CA signature is trusted and the key is in a trusted context.
  • Public key – Freely disseminated key sent with certificates and used to Encrypt data and Validate signatures of a matching private key
  • Private key – Closely held key used to Sign and Decrypt content encrypted with a matching public key
  • Object identifiers (OID) – a value attached to a certificate at creation that can be used in conjunction with policies to determine client behavior. An organization obtains a root OID and then creates sub OIDs


  • Online vs. offline CA – Issuing CAs need to respond to requests and should be online. Root CAs in a hierarchy are rarely needed (just to create or renew subordinate CAs) and are more defensible if taken offline.
  • Stapling – OCSP Stapling – instead of having the client perform the OCSP request the Cert Presenter delivers the time stamped OCSP response signed by the CA
  • Pinning – Pre-associating a host with its expected cert or public key, either in development or on first contact
  • Trust model – Types of trust methodologies: PGP, Single and Multiple Hierarchic PKIs, Discretionary Direct Trust, DNSSEC
  • Key escrow – The idea of a recovery agent – that a third party could decrypt data if needed. 
  • Certificate chaining – Root-Intermediate-Issuing CA-Issued Cert. Trust the Root, trust all the certs chained from it.

Types of certificates

  • Wildcard – uses the * – can refer to many domain names – useful for vanity URL type sites like SharePoint Apps
  • SAN – Subject Alternative Name – explicit list of trusted names and IP addresses; Exchange 2007 started using it
  • Code signing – Certificate’s Private key encrypts a hash of the code data 
  • Self-signed – cert without a PKI – used for many types of software’s initial installation – not trustworthy.
  • Machine/computer – Validate the computer, allows computer services to encrypt
  • Email – used for digitally signing email – hash of email is encrypted with private key
  • User – used to validate user credentials and/or encrypt user's data
  • Root – used to provide authenticity at the top of cert chain
  • Domain validation – DNSSEC cert used to validate IP info
  • Extended validation – Validates that the site is operated by the LEGAL Entity
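
The Wildcard and SAN entries above come down to a name-matching check on the client. The sketch below is an added example, not part of the original post; it follows RFC 6125 style rules (the * covers exactly one leftmost label), and the `(kind, value)` tuple format, the function names and the sample names are assumptions made for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, hostname):
    """Match one SAN DNS name against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # '*' covers exactly one label, never several
    if "*" in p_labels[0]:
        # Accept only a whole leftmost-label wildcard. Refusing patterns as
        # broad as "*.com" is a conservative policy choice of this sketch.
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False          # wildcard outside the leftmost label
    return p_labels == h_labels

def san_matches(san_entries, target):
    """san_entries: list of ("DNS" | "IP", value) tuples (assumed format)."""
    if _is_ip(target):
        # IP targets match only IP entries, never DNS names or wildcards.
        want = ipaddress.ip_address(target)
        return any(kind == "IP" and ipaddress.ip_address(value) == want
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, target)
               for kind, value in san_entries)

# Constructed SAN list for illustration (not taken from a real certificate)
SAMPLE_SAN = [("DNS", "*.apps.example.com"), ("DNS", "mail.example.com"),
              ("IP", "192.0.2.10")]

if __name__ == "__main__":
    for name in ["team1.apps.example.com", "a.b.apps.example.com",
                 "apps.example.com", "mail.example.com",
                 "192.0.2.10", "192.0.2.11"]:
        print(f"{name:28} {san_matches(SAMPLE_SAN, name)}")
```

Note that the wildcard entry covers neither the bare parent name nor names two levels down, which is why wildcard certs usually list the parent name as a separate SAN entry.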

Certificate formats

  • DER: Single unencrypted binary copy of the x.509 cert (the binary form of a PEM file)
  • PEM – ASCII form of issued certificate(s) (the -----BEGIN----- block) – encrypted binary copy of the x.509 cert
  • PFX – certificate with private key (possibly protected) – PKCS#12 archive, possibly with chain
  • CER / CRT – Single unencrypted binary copy of the x.509 cert
  • P12 – Binary format for holding certificate AND private stores (aka PKCS#12)
  • P7B – ASCII Text format for holding only public certificate information
