How PKI Works
Introduction
1. Pki is infrastructure to create, distribute, revoke digital certificates
2. Digital certificate links public key to user or machine
3. Public Key and Private key - Data encrypted with one can only be decrypted with otherPKI Infrastructure Components
PKI is made up of following
Certificate Authority ○ Responsible for issuing digital certificates that will validate servers identity
Registration Authority a. Verifies identity of client or user requesting digital certificate b. CA can also act as an RA
Certificate Database a. Store certificates and related metadata including its validity
Cryptographic Directory a. Index and stores cryptographic keys
Certificate Management System a. Responsible for governing access and distribution of certificate
Certificate Policy a. A policy outlining procedures of PKI b. These can be used by outsiders to determine trustworthiness of CA
Chain of Trust Validation
- Public key is requested by client, private key is calculated during SSL handshake
- Microsoft and Apple publish list of trusted root CA
- Online CA issues certificates using intermediate CA
- Microsoft Trusted Root Program
○ Root CA listed, Undergo regular and meeting specific security standards
○ Root CA
§ Fully trusted source for validation and revocation of certs
§ Root CA use offline HSM to store private key
§ Root CA is responsible for establishing trust in intermediate CA
§ Eg DigiCert
○ Intermediate CA
§ Establish trust in online CA
§ private key for intermediate ca and online can is stored in online HSM
§ Eg DigiCert Intermediate CA
○ Online CA
§ Responsible for issuing cert for use by applications and user
§ Eg Lets Encrypt
○ Certificate Revocation List / Online Cert Status Protocol
§ used by recipient to confirm chain of trust and ensure certificate is not expired or is compromised
- On windows “CTL Updater” is responsible for updating list of root CALast updated