Ch13 - 13.02 - Managing a Public Key Infrastructure Flashcards
Certificate Life Cycle
- Request
- Certificate
- Renewal
- Suspension and Revocation
- Destruction
Certificate Life Cycle - 1. Request
The certificate life cycle starts when someone sends a request to the RA or the CA for a certificate. For example, suppose you wish to secure traffic to your intranet server, so you need a certificate. You send
a request to the RA, who then validates the request. This is normally done by connecting to a web site that is set up to accept certificate requests.
Certificate Life Cycle - 2. Certificate
Once the RA validates the request, it then passes the request over to the CA so that the CA can create the certificate. When the CA creates the certificate, it digitally signs the certificate so that applications know where the certificate came from, and it also assigns the certificate a validation period (typically one or two years).
Certificate Life Cycle - 3. Renewal
Before your certificate expires, you can have it renewed so that you can use the certificate for a longer period. Certificates are typically renewed for one- or two-year periods. If you do not renew a certificate and the validation period passes, then the certificate is unusable by applications, because they check this validation period setting before using a certificate.
Certificate Life Cycle - 4. Suspension and Revocation
If at any point the CA determines that
you have been fraudulent in your request for or use of a certificate, the CA may decide to suspend or even revoke your certificate. A suspended certificate is no longer usable, but it can be placed back into an active state easily. A revoked certificate is permanently unusable.
Certificate Life Cycle - 5. Destruction
As part of the certificate life cycle, you need to determine how the certificates and related keys will be destroyed after their validation time has expired. You want to ensure that hackers do not get their hands on any of the keys used in the PKI structure so that they cannot attempt to reuse them and impersonate a user or device.
Revoked Verification Methods: Certificate Revocation List (CRL)
As noted, your certificate can be revoked by the CA at any time if the CA determines that you were fraudulent in obtaining the certificate or there has been a security compromise related to your certificate.
The CA is responsible for creating the certificate revocation list (CRL), which is a list of certificates that have been revoked. The CRL is published to a web site at regular intervals, and applications download the CRL to verify that a certificate has not been revoked before using the certificate.
Revoked Verification Methods: Online Certificate Status Protocol (OCSP)
Another method that systems and applications can use to verify whether a certificate has been revoked relies on the Online Certificate Status Protocol (OCSP). OCSP is an Internet protocol that uses HTTP to communicate with the CA and check the status of a certificate. OCSP is designed as an alternative to the CRL. It should be noted that when using OCSP, the revocation status can be communicated to clients using a feature called stapling.
With stapling, the web site that contains the certificate polls the CA at regular intervals to check to see if the certificate has been revoked. The status of the certificate is then sent from the web server to any clients visiting the web site during the initial handshake. This prevents the clients from bogging down the CA to check the status of the certificate.
Recovery Agent
Followed by Key archiving»_space; Key Recovery Policy»_space; M of N Control
In PKI, the recovery agent is an individual, or group of individuals, within the organization who can decrypt private keys that are archived by the CA in an encrypted certificate. The recovery agent may need to recover a private key if an employee loses their private key or if an employee leaves the organization and the information they encrypted needs to be accessed. Archiving keys and implementing recovery agents that can decrypt those archived keys are important considerations when planning your PKI environment.
Key Escrow
Key escrow is the process of handing cryptography keys over to a third party who can use the cryptography keys to decrypt information within your organization at any point in time. For example, you may be required to give cryptography keys to a government agency or to law enforcement for an investigation.
The concept of key escrow is a controversial topic due to the obvious security risks of having keys that can decrypt information within your organization located outside the organization.
HTTP Public Key Pinning, or HPKP or Pinning
Another term to be familiar with as it relates to revoked certificates or certificate fraud is HTTP Public Key Pinning, or HPKP. Pinning allows web sites to publish a list of public key hashes that it potentially will use to secure the communication. When clients connect to the web server, the hashes are
communicated to the client so that the client knows which public keys it can trust. This helps in scenarios where the hacker compromises a CA and creates its own certificates.
