PKI (Public Key Infrastructure) is a set of policies, procedures, and technologies that enable secure management of public keys and digital certificates.

What is PKI?

PKI provides a framework for creating, distributing, validating, and revoking digital certificates, establishing trust in digital environments.

Main Components

Certificate Authority (CA)

  • Root CA: Root trust authority
  • Intermediate CA: Intermediate authorities
  • Issuing CA: Issuing authorities
  • Subordinate CA: Subordinate authorities

Digital Certificates

  • X.509: Certificate standard
  • Public key: Contained in certificate
  • Identity: Holder information
  • Validity: Validity period

Certificate Revocation List (CRL)

  • CRL: List of revoked certificates
  • OCSP: Online verification protocol
  • Delta CRL: Incremental list
  • CRL Distribution Points: Distribution points

Certificate Repository

  • LDAP: Certificate directory
  • HTTP: Web download
  • FTP: File transfer
  • Database: Centralized storage

PKI Architecture

Trust Hierarchy

Root CA
├── Intermediate CA 1
│   ├── End Entity Cert 1
│   └── End Entity Cert 2
└── Intermediate CA 2
    ├── End Entity Cert 3
    └── End Entity Cert 4

CA Types

  • Root CA: Highest authority
  • Policy CA: Defines policies
  • Issuing CA: Issues certificates
  • Cross-certified CA: Cross-certification

Certificate Types

By Purpose

  • SSL/TLS: Web server certificates
  • Code Signing: Code signing
  • Email: S/MIME certificates
  • Client: Client certificates
  • Timestamping: Time stamping

By Validation

  • DV (Domain Validated): Domain validation
  • OV (Organization Validated): Organization validation
  • EV (Extended Validation): Extended validation
  • IV (Individual Validated): Individual validation

By Scope

  • Single Domain: Single domain
  • Wildcard: Subdomains of a domain
  • Multi-Domain: Multiple domains
  • Unified Communications: Unified communications

Issuance Process

Certificate Request

  1. Generate CSR: Certificate Signing Request
  2. Validate identity: Verify requester identity
  3. Review policy: Apply CA policies
  4. Issue certificate: Generate and sign certificate

Validation

  • Domain Validation: Verify domain control
  • Organization Validation: Verify organization
  • Extended Validation: Exhaustive validation
  • Individual Validation: Verify personal identity

Installation

  • Web server: Install on server
  • Client: Install on device
  • Trust store: Add to trust store
  • Configuration: Configure applications

Lifecycle Management

Creation

  • Key generation: Create key pair
  • Request: Send CSR to CA
  • Validation: Validation process
  • Issuance: Generate certificate

Distribution

  • Download: Download certificate
  • Installation: Install on system
  • Configuration: Configure applications
  • Verification: Test functionality

Renewal

  • Before expiration: Renew proactively
  • Automatic process: Automatic renewal
  • Validation: Revalidate identity
  • Reinstallation: Install new certificate

Revocation

  • Compromise: Revoke due to compromise
  • Loss: Revoke due to loss
  • Change: Revoke due to data change
  • Expiration: Let expire naturally
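
The revocation step above and the CRL component listed earlier, as an added example that is not part of the original page: a throwaway CA issues a certificate, revokes it for key compromise, and a CRL-aware check then rejects it. The CA name, host name, file names and function names are all constructed for illustration.

```bash
# Added example; "Demo CA" and www.example.test are constructed names.
set -eu

# ca ARGS...: run `openssl ca` for the demo CA in the current directory.
ca() { openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key "$@" 2>/dev/null; }
# setup_ca DIR: create the CA, its issuance database, and one issued leaf.
setup_ca() (
  cd "$1"
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > index.txt; echo 01 > serial
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj "/CN=Demo CA" -config ca.cnf -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
  ca -batch -notext -in leaf.csr -out leaf.crt
)
# revoke DIR REASON: mark the leaf revoked in index.txt with a CRL reason code.
revoke() ( cd "$1"; ca -revoke leaf.crt -crl_reason "$2" )
# leaf_status DIR: publish a fresh CRL, then validate the leaf against it.
leaf_status() (
  cd "$1"
  ca -gencrl -out ca.crl
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
)

dir=$(mktemp -d); setup_ca "$dir"
leaf_status "$dir" && echo "before revocation: valid"
revoke "$dir" keyCompromise
leaf_status "$dir" || echo "after revocation: rejected"
rm -rf "$dir"
```

Without `-crl_check`, `openssl verify` does not look at the CRL, so the revoked certificate would still pass.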

Implementation

OpenSSL

# Generate private key
openssl genrsa -out private.key 2048

# Generate CSR
openssl req -new -key private.key -out request.csr

# Verify CSR (checks its self-signature and prints its contents)
openssl req -in request.csr -text -noout -verify

# Inspect the issued certificate (this prints its fields; it does not install it)
openssl x509 -in certificate.crt -text -noout

Microsoft Certificate Services

# Install Certificate Services
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

# Configure CA
Install-AdcsCertificationAuthority -CACommonName "MyCA"

# Issue certificate: request one from the CA using the WebServer template
Get-Certificate -Template "WebServer" -SubjectName "CN=example.com" -CertStoreLocation Cert:\LocalMachine\My

Let’s Encrypt

# Install Certbot and its Apache plugin (needed for --apache)
apt-get install certbot python3-certbot-apache

# Obtain certificate
certbot --apache -d example.com

# Renew certificates
certbot renew

Security

CA Protection

  • Hardware Security Module: Physical protection
  • Air-gapped: Network isolation
  • Secure backup: Encrypted backups
  • Restricted access: Access control

Certificate Validation

  • Signature verification: Validate CA signature
  • Validity verification: Check dates
  • Revocation verification: Query CRL/OCSP
  • Chain verification: Validate complete chain
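
The checks listed above, applied to the trust hierarchy shown earlier, as an added example that is not part of the original page: it builds a root, an intermediate and a leaf with OpenSSL, then shows the leaf validating only when the full chain is available, and a certificate signed by a non-CA leaf being rejected. All subject names, file names and function names are constructed for illustration.

```bash
#!/bin/sh
# Added example; every name here (Demo Root CA, www.example.test) is constructed.
set -eu

# issue NAME SUBJECT EXT_SECTION DAYS [ISSUER]
# Generates a key and CSR, then signs it: self-signed when ISSUER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" -config pki.cnf 2>/dev/null
  if [ -n "${5:-}" ]; then signer="-CA $5.crt -CAkey $5.key -CAcreateserial"
  else signer="-signkey $1.key"; fi
  # $signer is left unquoted on purpose so it splits into separate arguments
  openssl x509 -req -in "$1.csr" $signer -days "$4" -sha256 \
    -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> leaf, plus a cert wrongly issued by the leaf.
build_chain() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  issue root  "/CN=Demo Root CA"         v3_ca   3650
  issue int   "/CN=Demo Intermediate CA" v3_ca   1825 root
  issue leaf  "/CN=www.example.test"     v3_leaf 90   int
  issue rogue "/CN=rogue.example.test"   v3_leaf 90   leaf
  cat int.crt leaf.crt > untrusted.pem
)

# verify_cert DIR CERT [UNTRUSTED]: validity dates, then signatures up to the root.
verify_cert() (
  cd "$1"
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 1
  openssl verify -CAfile root.crt ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
)

dir=$(mktemp -d); build_chain "$dir"
verify_cert "$dir" leaf.crt int.crt        && echo "leaf: chain OK"
verify_cert "$dir" leaf.crt                || echo "leaf: rejected without intermediate"
verify_cert "$dir" rogue.crt untrusted.pem || echo "rogue: rejected, issuer is not a CA"
rm -rf "$dir"
```

The rogue certificate carries a valid signature from the leaf's key; it fails because the leaf's `basicConstraints` says `CA:FALSE`, which is why chain verification has to check extensions as well as signatures.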

Best Practices

  • Clear policies: Define CA policies
  • Procedures: Document procedures
  • Audit: Regular audits
  • Monitoring: Continuous monitoring

Standards and Protocols

Standards

  • X.509: Certificate standard
  • PKCS#10: Certificate request
  • PKCS#7: Cryptographic message
  • RFC 5280: X.509 certificate profile

Protocols

  • OCSP: Online verification
  • SCEP: Simple enrollment
  • CMP: Certificate management
  • CMC: Management messages

Applications

Web Security

  • HTTPS: Secure websites
  • TLS/SSL: Communication encryption
  • HSTS: HTTP Strict Transport Security
  • Certificate Pinning: Certificate pinning

Email Security

  • S/MIME: Secure email
  • PGP/GPG: Email encryption
  • DKIM: Domain authentication
  • SPF: Sender verification

Code Signing

  • Software: Application signing
  • Drivers: Driver signing
  • Updates: Update signing
  • Mobile: Mobile application signing

Identity Management

  • Smart Cards: Smart cards
  • Tokens: Authentication devices
  • Biometrics: Biometric authentication
  • SSO: Single Sign-On

Monitoring and Auditing

Monitoring

  • Expiration: Expiration alerts
  • Revocation: Revocation monitoring
  • Usage: Usage tracking
  • Performance: Performance metrics

Auditing

  • Logs: Activity logging
  • Compliance: Regulatory compliance
  • Penetration Testing: Penetration testing
  • Vulnerability Assessment: Vulnerability assessment
