Understanding of Security Certificates

 PKI

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The PKI is used for Web Application Authentication, VPN Authentication, email security, Wi-Fi Authentication.  

PKI provides Confidentiality, Integrity and Authenticity.

The components of PKI

• Public key and Private key
• Certificate Authorities (CA)
• Root CA and Intermediate CA
• Digital Certificates
• Certificate Store (Trust Store & Identity Store)
• Hardware security Module (HSM)

Public Key

A Public Key is a cryptographic key that can be distributed to the public and does not require secure storage. Messages encrypted by the public key can only be decrypted by the corresponding private key.

Private Key

Private Keys are used by the recipient to decrypt a message that is encrypted using a public key. Since the message is encrypted using a given public key, it can only be decrypted by the matching private key. This establishes the ownership of the private and public key, ensuring the message is only read by the approved parties.

Certificate Authorities (CA)

A Certificate Authority is a trusted authority that issues digital certificates to the users. The user/owner generates a public-private key pair. The private key is kept secret by the owner. The public key and cert related information are sent to the CA. The CA then creates a digital certificate using public key and certificate information. The digital certificate is signed by the CA with its own private key.

Root CA

A root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. Root certificate requires the highest level of physical and logical security. These certificates stay offline and not connected to any other certificates.

Intermediate CA

An intermediate CA is also a trusted CA . Intermediate certificates are used as a proxy because root certificate must be kept behind numerous layers of security.The CA signs the intermediate root with its private key, which makes it trusted. Then the CA uses the intermediate certificate’s private key to sign and issue end user SSL certificates. This process can play out several times, where an intermediate root signs another intermediate and then a CA uses that to sign certificate. These links, from root to intermediate to leaf – are the certificate chain.

Digital Certificates

A Digital Certificate is an electronic "password" that allows a person, organization to exchange data securely over the Internet using the public key infrastructure (PKI). Digital Certificate is also known as a public key certificate or identity certificate. The most widely accepted format Digital certificates are defined by X.509 international standard.

Certificate Store (Identity Store & Trust Store)

A Certificate Store is used to store certificates and can potentially contain certificates from multiple CAs. Identity store is keystore where private and digital certificates are stored. Trust store will have trusted CA certificates and non-sensitive data. Identity store must be protected by operating system for both reading and writing by non-authorized users. Trust store need to be write protected.

The identity store password is generally known to fewer people than the password for the trust store. Identity and trust certificates can be combined in one keystore but it is not recommended.

Certificate Encoding formats:

Base64 : Base64 encodes the files into ASCII text format

PEM    : ASCII format.Privacy Enhanced Mail is the most common format that CAs use when issuing the certificates. File extensions are .pem, .crt, .cer, .key.

DER    : Binary format. Distinguished Encoding Rules supports storage of single cert. Doesn't support storage of private key or cert path.

Certificate Extensions:

PFX/P12/PKCS#12: Binary format for storing the server certificates. Extensions are .pfx or .p12.

PKCS#7/P7B : Uses Base64 ASCII. Private keys can't be stored.

SSL/TLS

SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines, and applications operating over a network. SSL is no longer supported in many organizations.