
INFORMATION ASSURANCE & SECURITY 1
MODULE 6: MANAGING CERTIFICATES
OBJECTIVES
Upon completion of this module, the student will be able to:
▪ Define the Certificate Authority (CA) and its goals;
▪ Explain the concepts of certificates;
▪ Demonstrate the operation of certificate authentication;
▪ Enumerate the types of CA and the services they provide;
▪ Discuss Certificate Life Cycle (CLC) management;
▪ Give the different steps of certificate life cycle management;
▪ Explain the concepts of certificate revocation;
▪ Discuss the Certificate Revocation List;
▪ Give the different certificate revocation protocols;
▪ Discuss certificate renewal;
▪ Give the different steps of the SSL enrollment process.
INSTALL (CA) / ENROLL CERTIFICATES
Certificate Authority
A Certificate Authority (CA), also called a Certification Authority, is an entity that issues digital certificates.
Digital Certificates
[Figure: a user with a certificate and a device with a certificate]
A digital certificate is an electronic document that binds an identity, such as a user or an organization, to a corresponding public key.
Certificate Authentication
[Figure: the CA issues a certificate to the certificate holder; the holder presents the certificate to the client; the client validates and accepts the certificate]
Certificate authentication is the use of a digital certificate to identify a user, machine, or device before granting access to a resource, network, application, etc.
PKI - Public Key Infrastructure
[Figure: a CA issuing user certificates; the PKI is made up of CAs, certificates, software, services and other cryptographic components]
A public key infrastructure (PKI) is a system consisting of hardware, software, policies, and procedures that create, manage, distribute, use, store, and revoke digital certificates.
Public Key Infrastructure
The defining feature of Public Key Infrastructure (PKI) is that it uses a pair of keys to achieve the underlying security service. The key pair consists of a private key and a public key.
Key Management
Key management refers to the management of cryptographic keys in a cryptosystem.
PKI Components
✓ Public key
✓ Private key
✓ Certificate Authority
✓ Certificate Store
✓ Certificate Revocation List
✓ Hardware Security Module
Root CA
[Figure: the root CA holds a self-signed certificate and issues certificates to two subordinate CAs]
Public and Private Roots
[Figure: a private root CA and a public root CA]
When to use public CAs?
When we provide services for the general public, we use certificates signed by a “trusted” third party.
When to use a private CA?
The situation changes completely when private services are provided that are not intended for the general public.
Offline Root CAs
❑The root CA remains offline.
❑Subordinate CAs issue the certificates.
❑All updates are made only to subordinate CAs.
Offline root CAs can issue certificates onto removable media (USB drive, CD/DVD), which are then physically transported to the subordinate CAs that need the certificate in order to perform their tasks.
CA Hierarchy Design Options
Company Profile: Thousands of employees worldwide
CA Hierarchy Implementation: The subordinate CAs are designated by geographic location to balance the number of issued certificates among the individual CAs.
Company Profile: Individuals need to access specific applications only
CA Hierarchy Implementation: The subordinate CAs are designated by function or department, so the individual CAs serve groups of people with specific resource needs.
Company Profile: Tight security allows individuals to have differing levels of access to the same resources
CA Hierarchy Implementation: The subordinate CAs are designated by the security required to obtain a certificate. Some CAs may be set up to issue a certificate with a network ID and password; other CAs may require a person to present a valid driver's license.
A certificate enrollment procedure begins when a user files a certificate enrollment request with a CA.
Certificate Enrollment Process
1. Certificate request
2. Request sent to CA
3. Authentication
4. Policy applied
5. Certificate issued
6. Entity notified
7. Certificate installed
SECURE, RENEW, BACK UP, RESTORE AND REVOKE CERTIFICATES
Certificate Life Cycle
1. Root issues self-signed certificate
2. Certificate is enrolled
3a. Certificate is renewed
3b. Certificate is revoked
3c. Certificate expires
3d. Certificate is suspended
Certificate Lifecycle
The lifecycle of a certificate can be broken into a handful of distinct steps.
1. Certificate Enrollment
2. Certificate Issuance
3. Certificate Validation
4. Certificate Revocation
5. Certificate Renewal
SSL Enrollment Process
SSL Enrollment Step: Explanation
1. Request: The client requests a session with the server.
2. Response: The server responds by sending its digital certificate and public key to the client.
3. Negotiation: The server and client then negotiate an encryption level.
4. Encryption: Once they agree on an encryption level, the client generates a session key, encrypts it with the public key from the server, and sends it to the server.
5. Communication: The session key then becomes the key used in the conversation.
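The five SSL enrollment steps above, as an added Python example that is not code from the module: a toy RSA key pair built from constructed primes stands in for the server certificate's public key, and a hash-derived keystream stands in for the negotiated cipher; both are assumptions for illustration, not the real TLS algorithms.

```python
import hashlib
import secrets

# Toy RSA key pair standing in for the server certificate's public key. The
# primes are constructed for illustration; real TLS uses 2048-bit keys or ECDHE.
P, Q = 1000003, 999983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))              # server's private key (never sent)
SERVER_CERT = {"subject": "www.example.test", "public_key": (N, E)}  # step 2 payload

def negotiate(client_suites, server_suites):
    """Step 3: pick the first cipher level the server prefers that the client also offers."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    raise ValueError("no common encryption level")

def client_key_exchange(server_public_key, session_key=None):
    """Step 4: the client makes a session key and encrypts it with the server's public key."""
    n, e = server_public_key
    if session_key is None:
        session_key = secrets.randbelow(n - 1) + 1
    return pow(session_key, e, n), session_key   # (sent to server, kept by client)

def server_recover_key(encrypted_key):
    """Only the holder of the private key D can recover the session key."""
    return pow(encrypted_key, D, N)

def keystream_xor(session_key, suite, data):
    """Step 5: toy symmetric protection derived from the shared session key (assumption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{session_key}:{suite}:{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(client_suites, server_suites, message, session_key=None):
    """Steps 1-5 end to end; returns (agreed suite, what the server decrypted)."""
    suite = negotiate(client_suites, server_suites)          # steps 1-3
    encrypted_key, k = client_key_exchange(SERVER_CERT["public_key"], session_key)  # step 4
    server_k = server_recover_key(encrypted_key)
    ciphertext = keystream_xor(k, suite, message)             # client encrypts
    return suite, keystream_xor(server_k, suite, ciphertext)  # server decrypts
```

The point to notice is that the session key travels only in encrypted form, so anyone who saw step 2's public key but not the private key D cannot recover it.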
Certificate Trust Chain
This multi-level hierarchy of trust, from the root CA through its subordinate CAs down to the issued certificate, is called a certificate chain.
Certificate Revocation
Reasons to revoke a certificate:
❑Private key compromised
❑Fraudulent certificate
❑Holder no longer trusted
CRL - Certificate Revocation List
[Figure: a revoked certificate listed in the contents of the CRL]
A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers of certificates) that have been revoked or are no longer valid, and therefore should not be relied upon.
OCSP - Online Certificate Status Protocol
❑Alternative to CRL
❑HTTP-based
❑Checks specific certificate based on request
❑Sends response with certificate’s status
❑Lower overhead than CRL
❑Lacks encryption
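As an added example that is not part of the original module, the life cycle states, trust chain, CRL and OCSP passages above modelled in Python: a simplified chain walk that accepts a link when the issuer name matches a CA's subject (an assumption standing in for signature verification), a CRL keyed by serial number in which the reason certificateHold represents the suspended state, and a per-certificate OCSP-style answer. The hierarchy, names and serial numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed, simplified certificate record. Real X.509 certificates also carry
# the issuer's signature; this model accepts a chain link when the issuer name
# matches the subject of a CA certificate (an assumption, not real verification).
@dataclass
class Cert:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False

@dataclass
class CRL:
    issued: set = field(default_factory=set)     # serials the CA has issued
    revoked: dict = field(default_factory=dict)  # serial -> reason; "certificateHold" = suspended (3d)

def chain_status(chain, roots, crl, now):
    """chain is leaf first, root last; returns valid/expired/suspended/revoked/untrusted."""
    root_serials = {r.serial for r in roots}
    for i, cert in enumerate(chain):
        if cert.serial in crl.revoked:
            return "suspended" if crl.revoked[cert.serial] == "certificateHold" else "revoked"
        if not (cert.not_before <= now <= cert.not_after):
            return "expired"
        if i + 1 < len(chain):  # must be issued by the next certificate, which must be a CA
            if cert.issuer != chain[i + 1].subject or not chain[i + 1].is_ca:
                return "untrusted"
        elif cert.subject != cert.issuer or cert.serial not in root_serials:
            return "untrusted"  # chain must end in a trusted self-signed root
    return "valid"

def ocsp_response(serial, crl):
    """Per-certificate status answer (OCSP) instead of downloading the whole CRL."""
    if serial in crl.revoked:
        return {"status": "revoked", "reason": crl.revoked[serial]}
    return {"status": "good" if serial in crl.issued else "unknown"}

def renew(cert, new_serial, now, days=365):
    """Renewal (3a): same subject and issuer, fresh serial and validity window."""
    return Cert(new_serial, cert.subject, cert.issuer, now, now + timedelta(days=days), cert.is_ca)

# Constructed hierarchy: offline root -> subordinate CA -> server certificate.
T0 = datetime(2024, 1, 1)
ROOT = Cert(1, "Root CA", "Root CA", T0, T0 + timedelta(days=3650), is_ca=True)
SUB = Cert(2, "Sub CA", "Root CA", T0, T0 + timedelta(days=1825), is_ca=True)
LEAF = Cert(3, "www.example.test", "Sub CA", T0, T0 + timedelta(days=365))
CRL_DB = CRL(issued={1, 2, 3})
```

Revoking the subordinate CA (serial 2) invalidates every certificate below it, which is why the page keeps the root offline and pushes day-to-day issuance to subordinates.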
Certificate Renewal
❑Certificates expire and need to be renewed.
❑The renewal process upholds security and accessibility.
Private Key Protection Methods
❑Back up to removable media
❑Delete from insecure media
❑Require restoration password
❑Never share
❑Never transmit on network
❑Use key escrow
Key Escrow
❑Alternative to key backup.
❑Allows one or more trusted third parties access to the
keys under predefined conditions.
❑Third party is called the key escrow agent.
Private Key Restoration Methods
❑Key escrow:
✓One or more escrow agents can restore
❑Key backup:
✓Restore from backup media
Private Key Replacement Process
1. Recover key
2. Decrypt data
3. Destroy original key
4. Obtain new key pair
5. Encrypt data with new key