ASSURANCE & SECURITY 1
MODULE 6: MANAGING CERTIFICATES
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Define the Certificate Authority (CA) and its goals;
▪ Explain the concepts of certificates;
▪ Demonstrate the operation of certificate authentication;
▪ Enumerate the types of CA and the services they provide;
▪ Discuss Certificate Life Cycle (CLC) Management;
▪ Give the different steps of Certificate Life Cycle Management;
▪ Explain the concepts of certificate revocation;
▪ Discuss the Certificate Revocation List (CRL);
▪ Give the different certificate revocation protocols;
▪ Discuss certificate renewal;
▪ Give the different steps of the SSL enrollment process.
INSTALL (CA) / ENROLL CERTIFICATES
Certificate Authority
A Certificate Authority (CA) (or Certification Authority) is an entity that issues digital certificates.
[Figure: digital certificates. Labels recovered from the diagram: the CA validates and accepts the request and issues the certificate; the subject then presents the certificate.]
[Figure: CA hierarchy. Labels recovered from the diagram: self-signed certificate at the Root CA; Subordinate CAs beneath it; public and private roots.]
Offline root CAs can issue certificates onto removable media (a USB drive, CD or DVD), which is then physically transported to the subordinate CAs that need the certificate in order to perform their tasks.
CA Hierarchy Design Options
Tight security allows individuals to have differing levels of access to the same resources.
The subordinate CAs are designated by the security required to obtain a certificate. Some CAs may be set up to issue a certificate with a network ID and password; other CAs may require a person to present a valid driver's license.
A certificate enrollment procedure begins when a user files a certificate enrollment request with a CA.
Certificate Enrollment Process
[Figure: certificate enrollment process. Labelled steps recovered from the diagram: request sent to CA; authentication; policy applied; entity notified; certificate is enrolled; root issues self-signed certificate.]
1. Certificate Enrollment
2. Certificate Issuance
3. Certificate Validation
4. Certificate Revocation
5. Certificate Renewal
SSL Enrollment Process
2. Response: The server responds by sending its digital certificate and public key to the client.
5. Communication: The session key then becomes the key used in the conversation.
Certificate Trust Chain
[Figure: trust chain and revocation. Labels recovered from the diagram: revoked certificate; contents of CRL.]
A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked or are no longer valid, and therefore should not be relied upon.
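As an added example (not part of the course slides or the study guide they draw on), the following Go program uses only the standard library to build the hierarchy from the trust-chain slide, a self-signed root that issues a subordinate CA which in turn issues a leaf certificate, verifies the leaf up to the trusted root, and then has the subordinate CA sign a CRL that lists the leaf's serial number, which a relying party must check as a separate step. The CA names, serial numbers and validity periods are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a one-day certificate template; CA templates also get the certSign/crlSign key usages.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca { t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	return t
}

// issue makes a fresh Ed25519 key pair for t and has parent sign it (self-signed, as a root is, when signer is nil).
func issue(t, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if signer == nil { signer, parent = key, t }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { panic(err) } // demo only
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Scenario: root -> subordinate -> leaf; validate the chain, then the subordinate CA revokes the leaf via a CRL.
func Scenario() (chainValid, leafRevoked bool) {
	root, rootKey := issue(tmpl("Root CA", 1, true), nil, nil)
	sub, subKey := issue(tmpl("Subordinate CA", 2, true), root, rootKey)
	leaf, _ := issue(tmpl("server.example.test", 3, false), sub, subKey) // constructed subject name
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	chainValid = err == nil // Verify checks the chain and validity period only; it never consults a CRL
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), // a CRL is dated and expires too
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}, sub, subKey)
	crl, perr := x509.ParseRevocationList(crlDER)
	if err != nil || perr != nil || crl.CheckSignatureFrom(sub) != nil { panic("CRL rejected") } // never act on an unsigned or foreign CRL
	for _, e := range crl.RevokedCertificates { // the CRL is a signed list of serial numbers
		leafRevoked = leafRevoked || e.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return chainValid, leafRevoked
}
```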
OCSP - Online Certificate Status Protocol
❑Alternative to CRL
❑HTTP-based
❑Checks specific certificate based on request
❑Sends response with certificate’s status
❑Lower overhead than CRL
❑Lacks encryption
Certificate Renewal
❑Key backup:
✓Restore from backup media
Private Key Replacement Process
1. Recover key
2. Decrypt data
3. Destroy original key
4. Obtain new key pair
5. Encrypt data with new key
• Darril Gibson, CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide, paperback, October 12, 2017.