20 Cards in this Set

  • Front
  • Back
Define a digital certificate.
An electronic document that binds an identity (a person, a device, or a service) to a public key. Both users and devices can hold certificates. A certificate lets a relying party confirm the holder's identity and is also the way the holder's public key is distributed. A Certificate Authority signs and issues certificates; the key pair itself is normally generated by the subject, which sends only the public key to the CA in a certificate signing request, although some CAs generate key pairs on the subject's behalf (for example, so that encryption keys can be archived).
Explain certificate authentication.
The user presents a digital certificate in place of a user name and password. The user is authenticated when the relying party validates the certificate (it chains to a CA the relying party trusts, is within its validity period, and has not been revoked) and the user proves possession of the matching private key, typically by signing a challenge.
Define PKI.
Public Key Infrastructure. Composed of one or more CAs, certificates, software, services, and other cryptographic components, used to establish the authenticity of data and entities and to validate them. A PKI can be implemented in various hierarchical structures, and can be publicly available or maintained privately by an organization.
List the five PKI components.
Digital certificates, to verify the identity of entities.
One or more CAs, to issue digital certificates.
An RA, responsible for verifying users' identities and approving or denying requests for digital certificates.
A certificate repository database, to store the digital certificates.
A certificate management system, to provide software tools to perform the day-to-day functions of PKI.
Define PKCS.
Public Key Cryptography Standards, a numbered series of specifications originally published by RSA Laboratories. Two of them come up constantly in PKI work:
PKCS #7: Cryptographic message syntax standard (the basis of CMS, used for signed and enveloped data and for certificate bundles).
PKCS #10: Certification request syntax standard (the format of the certificate signing request a subject sends to a CA).
Define a private root CA.
Created by a company for use primarily within the company itself. The root can be set up and configured in-house or contracted to a third-party vendor.
Define a public root CA.
Created by a third-party or commercial vendor for general access by the public.
Name some commercial CAs.
Verisign, Comodo, GlobalSign, GoDaddy, and Entrust all provide public certificate services.
Define subordinate CAs.
Any CAs below the root in the hierarchy. Subordinate CAs issue certificates and handle their day-to-day management, including renewal, suspension, and revocation.
What is an offline root CA?
To provide the most secure environment possible for the root CA, companies often set up the root CA, use it to sign the subordinate CA certificates, and then take it offline, leaving the subordinate CAs to issue all end-entity certificates. Because the root is disconnected from the network, it receives no updates over the network; patching, renewing subordinate CA certificates, and publishing the root's CRL are done by physically accessing the machine on the rare occasions it is brought up. The subordinate CAs stay online and are patched and managed normally. This strategy ensures that the root CA is not reachable by anyone on the network and is therefore much less likely to be compromised.
Define a certificate policy.
Determines what information a digital certificate will contain, what the requirements are to obtain a certificate, and the specifications for the information in the certificate. The CP is developed by representatives from the entire company including management, security, and network architecture. After the CP is finalized, the CA software is configured to implement the stated policy. Each policy meets specific business requirements, and a company can have multiple policies active at any time.
Define a CPS.
Certification Practice Statement. Specifies how a particular CA will manage its certificates based on the certificate policy for that CA. For example, the CP may require that a photo ID be presented to obtain a certificate. The CPS will state that users can go to a designated local registration authority and present their driver's license to meet this requirement.
What's the difference between multiple key pairs and a dual key pair?
Multiple key pairs: One entity holds more than one key pair, each with its own certificate, to satisfy different certificate policies or uses.
Dual key pair: One entity holds two separate key pairs, one used only for encryption and one used only for digital signatures. Keeping them separate lets the encryption private key be archived and recovered (so encrypted data is not lost) without ever copying the signing private key, which would undermine non-repudiation.
What is the certificate life cycle?
Issuance, enrollment, expiration, revocation, suspension, renewal.
In the certificate life cycle, what is performed in the issuance phase?
The life cycle begins when the root CA generates its key pair and issues its own self-signed certificate. The root CA then issues certificates to subordinate CAs, and the CAs issue certificates to end users and devices.
In the certificate life cycle, what is performed in the enrollment phase?
Users and other entities obtain certificates from the CA through certificate enrollment.
In the certificate life cycle, what is performed in the expiration phase?
Certificates expire after a fixed validity period, which is established in the certificate policy and configured on the issuing CA. The validity period (the notBefore and notAfter dates) is part of the certificate data itself. If a CA's certificate expires, every certificate that chains to it stops validating; if the root CA's certificate expires, the whole hierarchy beneath it becomes unusable until it is renewed.
In the certificate life cycle, what is performed in the revocation phase?
Certificates can be revoked before their expiration date, which renders them permanently invalid. Certificates can be revoked for a variety of reasons, including misuse, loss, or compromise of the private key. The CA publishes revoked certificates on a certificate revocation list (CRL) or reports their status through OCSP so that relying parties can reject them.
In the certificate life cycle, what is performed in the suspension phase?
Some CAs support temporary suspension of certificates, in addition to permanent revocation. A suspended certificate is listed on the CRL with the reason certificateHold and is rejected while the hold lasts; unlike a revoked certificate, it can be reinstated later.
In the certificate life cycle, what is performed in the renewal phase?
Certificates can be renewed before or at expiration, and more than once, depending on the CP parameters. Renewal may reuse the existing key pair or generate a new one (re-keying).