📖 What is PKI?
Public Key Infrastructure (PKI) is a comprehensive system for managing digital certificates, public and private key pairs, and Certificate Authorities (CAs). It establishes a trusted framework for secure communication and authentication by verifying identities and enabling encrypted data exchange.
"Understand the components of a PKI: Registration Authorities (RAs), Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP). Be prepared to discuss the trust model inherent in PKI and the potential risks associated with compromised CAs. Know the different certificate types and their intended uses."
📚 Certification: Certified Information Systems Security Professional (CISSP)
🔑 What are the Key Concepts of PKI?
- ▸ PKI relies on a hierarchical trust model: a self-signed Root CA anchors the hierarchy and delegates issuance to subordinate (intermediate) CAs, and a relying party accepts a certificate only after building a chain of valid signatures from that certificate back to a root it already trusts.
- ▸ A digital certificate binds a public key to an identity (the subject) under the CA's signature, so a relying party can verify who it is talking to and detect tampering with the certificate's contents.
- ▸ Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) tell a relying party whether a certificate that is still within its validity period has been revoked, for example because its private key was compromised or the subject no longer exists.
- ▸ Registration Authorities (RAs) verify the identity of certificate applicants before the request reaches the CA, so the CA only signs requests whose identity has already been checked.
- ▸ Understanding certificate types (TLS server and client, code signing, S/MIME email) and the key usages they carry is vital for applying PKI effectively.
🎯 How does PKI appear on the CISSP Exam?
You may be asked to identify the component responsible for verifying the identity of an entity requesting a digital certificate within a PKI system.
A scenario might describe a security incident involving a compromised Certificate Authority – expect questions about the impact and mitigation strategies.
Expect questions about choosing the appropriate certificate revocation method (CRL vs. OCSP) based on performance and real-time validation requirements.
❓ Frequently Asked Questions
What is the difference between a Root CA and an Intermediate CA?
A Root CA is self-signed and sits at the top of the trust hierarchy; its certificate is distributed out of band in trust stores. Intermediate CAs are signed by the Root CA (or by another intermediate) and do the day-to-day issuing to end entities. This keeps the root key offline: if an intermediate is compromised, the root can revoke the intermediate's certificate and a new one can be issued without replacing the trust anchor everywhere.
How does OCSP differ from CRLs in terms of certificate status checking?
OCSP returns the status of a single certificate on demand from a responder, while a CRL is a signed list of revoked serial numbers that the CA publishes on a schedule and clients cache until its nextUpdate time. OCSP gives fresher status and avoids downloading a whole list, but it depends on a reachable responder: many clients soft-fail and accept the certificate when the responder does not answer. OCSP stapling, where the server includes a recent signed responder answer in the TLS handshake, removes that dependency and the privacy cost of the client contacting the responder.
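The chain of trust from the key concepts above and the root/intermediate and CRL behaviour in the two answers just given, as an added worked example that is not part of the original study page: a root CA, an issuing CA and a TLS server certificate built with the openssl command-line tool, validated as a relying party would, then revoked through a CRL. The CA names, the host name www.example.test and the temporary directory layout are assumptions for the demo; it needs only the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example, not from the study page: build root -> issuing CA -> leaf
# with the openssl CLI, validate the chain, then revoke the leaf via a CRL.
# All names (Example Root CA, www.example.test) are made up for the demo.
set -eu
WORK="$(mktemp -d)"

write_config() {   # one config file serving 'openssl req', 'x509' and 'ca'
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ int_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/int.crt
private_key = \$dir/int.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

gen_key_csr() {   # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_pki() {
  mkdir -p "$WORK/newcerts"; write_config
  : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"; echo 1000 > "$WORK/crlnumber"
  # Root CA: self-signed trust anchor. In production its key stays offline.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions root_ext -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Issuing CA: its CSR is signed by the root; pathlen:0 forbids sub-sub-CAs.
  gen_key_csr int "Example Issuing CA"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.cnf" \
    -extensions int_ext -out "$WORK/int.crt" 2>/dev/null
  # Leaf: issued via 'openssl ca', which records the serial in index.txt
  # so the certificate can be revoked later.
  gen_key_csr leaf www.example.test
  openssl ca -config "$WORK/ca.cnf" -batch -notext -extensions leaf_ext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
  # First (empty) CRL, as the issuing CA would publish on its schedule.
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/int.crl" 2>/dev/null
}

# Relying-party view: only root.crt is trusted; int.crt is supplied untrusted
# and must be linked to the root by signature before the leaf is accepted.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
       "$WORK/leaf.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Same check without the intermediate: no chain to the root can be built.
verify_no_intermediate() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# Chain check plus a CRL lookup of the leaf against the issuing CA's CRL.
verify_with_crl() {
  if openssl verify -crl_check -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
       -CRLfile "$WORK/int.crl" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# Revocation is two steps: mark the serial in the CA database, then publish a
# fresh CRL. Clients holding the old CRL still accept the leaf until they refresh.
revoke_leaf() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/int.crl" 2>/dev/null
}

main() {
  build_pki
  echo "chain via intermediate:  $(verify_chain)"            # OK
  echo "chain w/o intermediate:  $(verify_no_intermediate)"  # FAIL
  echo "CRL check before revoke: $(verify_with_crl)"         # OK
  revoke_leaf
  echo "CRL check after revoke:  $(verify_with_crl)"         # FAIL
}
main
```

The second line of output is the point of the hierarchy: the leaf is not trusted on its own, only through a signature path that ends at the root. The last two lines show what a CRL does and does not give you: the leaf stays valid until the CA publishes a new list, and a client that does not fetch that list (or that soft-fails) keeps accepting it. An OCSP responder would answer for the single serial instead of shipping the whole list.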
What are the implications of a compromised private key associated with a CA?
A compromised CA private key is a catastrophic event. The attacker can issue certificates for any name that chain to that CA, and relying parties cannot distinguish them from legitimate ones, so every certificate issued by that CA must be treated as untrustworthy. Revoking individual certificates does not help, because CRLs and OCSP responses are signed with the same key (or with a responder key the attacker can now issue). The CA's own certificate must be revoked by its issuer, or, for a root, removed from every trust store, a new CA established under a fresh key, and all end-entity certificates re-issued.