Certificate Management
Key escrow
A method of dealing with key escrow involves storing key information with a third party, referred to as a key escrow agency.
How are certificates revoked?
Certificate revocation is handled either through a Certificate Revocation List (CRL) or by using the Online Certificate Status Protocol (OCSP)
CSR
Certificate Signing Request
Can certificates be suspended?
Certificates can be suspended. Ensures the key is unusable for a period of time. Suspend rather than expire certificates to make them temporarily invalid.
Key recovery
Information that is stored using older keys will be inaccessible using a new key. Key recovery allows you to access information that is encrypted with older keys.
Explain CA
Manages the certificate store:
- creates, signs, distributes, stores and/or revokes keys
Authenticates the certificates it issues by signing them with its asymmetric private key.
CA server architecture is typically deployed within a Single Authority trust model or Hierarchical trust model.
Explain RA
Middleman between subscribers and CA. Can distribute keys, accept registrations for the CA, and validate identities. Does NOT issue certificates on their own.
Explain CSR
The formal request sent from a client to a CA asking for a certificate to be generated. CSR includes:
- public key to be signed
- distinguished name
- business name
- email address
- location information
Certificate Renewal
Unexpired certificates can be renewed close to the end of the expiring certificate's lifetime. Allows the same certificate to be used past the original expiration time. Not a good practice.
What standard is PKI based on?
X.509 Standard
Recovery agent
Someone with the organization with authority to remove keys from a repository
Explain certificate revocation
The process of revoking a certificate before it expires.
Reasons for revocation:
- key theft
- key loss
- illegal activity
- significant changes in the organization
****Not revoked due to normal expiration!!!
RA
Registration Authority
What is included in a Digital Certificate?
- The owner of the certificate (subject)
- The subject's public key
- The certificate issuer's name (CA)
- The certificate issuer's digital signature (CA's Digital Signature)
- Periodicity: Valid from when to when
- Serial Number
- Certificate policy
Root CA
A trusted root CA is a CA server that creates its own keys and digitally signs its own keys. It also creates and signs keys for Intermediate CA servers. Intermediate CA server - creates keys for the local leaf objects
Explain PKI
A two-key, asymmetric system with 4 key components:
- Certificate Authority - CA
- Registration Authority - RA
- RSA
- Digital certificates
Follows X.509 standard.
A framework for creating, managing, issuing, distributing, and storing asymmetric private keys and X.509 Digital Certificates.
CA
Certificate Authority
CRL
Certificate Revocation List. A list housed by the CA that identifies revoked certificates. The .crl file can be reviewed manually or queried using OCSP. Expired certificates are NOT on the CRL.
Certificate Destruction
Establish policies for destroying old keys when a key or certificate is no longer useful. When destroyed, notify the CA so the CRL and OCSP servers can be updated. Deregistration should occur when a key is destroyed, especially if the key owner no longer exists.
Certificate expiration
If a certificate expires, a new certificate must be issued. Expired certificates are NOT added to the CRL.
OCSP
Online Certificate Status Protocol. Allows for online checking of certificate validity by sending a request to a website containing information on valid certificates. Checks for revoked certificates. Queries a CA or RA that maintains a list of expired certificates. Server sends a response with a status of:
- Valid
- Suspended
- Revoked
PKI
Public Key Infrastructure
M of N control
To ensure that no single individual could compromise the security system. Requires 2 or more recovery agents. There must be multiple key escrow recovery agents (N) in any given environment. A minimum number of agents (M) must work together to recover a key.