Public Key Infrastructure (PKI)

Dealing with brick-and-mortar businesses gives us plenty of opportunity to develop trust with a vendor. We can see the store, talk to the employees, and get a good look at how they do business. Internet transactions are far less transparent. We can't see who we are dealing with, don't know what type of operation they really run, and might not be sure we can trust them. The public key infrastructure (PKI) was made to address these concerns and bring trust, integrity, and security to electronic transactions.

PKI is a framework that consists of hardware, software, and policies that exists to manage, create, store, and distribute keys and digital certificates. The components of this framework include the following:

  • The Certificate Authority (CA)
  • The Registration Authority (RA)
  • The Certificate Revocation List (CRL)
  • Digital certificates
  • A certificate distribution system

Certificate Authority (CA)

The best analogy of a CA is that of the Department of Motor Vehicles (DMV). This is the state entity that is responsible for issuing a driver's license, the gold standard for physical identification. If you cash a check, go to a night club, or catch a plane, your driver's license will be the one document universally accepted at all these locations to prove your identity. CAs are like DMVs: They vouch for your identity in a digital world. VeriSign, Thawte, and Entrust are some of the companies that perform CA services.

Now, a CA doesn't have to be an external third party; many companies decide to tackle these responsibilities by themselves. Regardless of who performs the services, the following steps must be performed:


The CA verifies the request for certificate with the help of the RA.


The individual's identification is validated.


A certificate is created by the CA, which verifies that the person matches the public key that is being offered.

Registration Authority (RA)

The RA is like a middle man: It's positioned between the client and the CA. Although the RA cannot generate a certificate, it can accept requests, verify a person's identity, and pass along the information to the CA for certificate generation.

RAs play a key role when certificate services are expanded to cover large geographic areas. One central CA can delegate its responsibilities to regional RAs, such as having one RA in the United States, Canada, Mexico, and Brazil.

Expect to see exam questions that deal with the workings of PKI. It's important to understand that the RA cannot issue certificates.


Certificate Revocation List (CRL)

Just as with a drivers licenses, digital certificates might not always remain valid. Individuals might leave the company, information might change, or someone's private key might become compromised. For these reasons, the CRL must be maintained.

The CRL is maintained by the CA, which signs the list to maintain its accuracy. Whenever problems are reported with digital certificates, they are considered invalid and the CA has the serial number added to the CRL. Anyone requesting a digital certificate can check the CRL to verify the certificate's integrity.

Digital Certificates

Digital certificates are at the heart of the PKI system. The digital certificate serves two roles. First, it ensures the integrity of the public key and makes sure that the key remains unchanged and in a valid form. Second, it validates that the public key is tied to the stated owner and that all associated information is true and correct. The information needed to accomplish these goals is added into the digital certificate. Digital certificates are formatted to the X.509 standard. The most current version of X.509 is version 3. One of the key developments in version 3 was the addition of extensions. Version 3 includes the flexibility to support other topologies, such as bridges and meshes. It can operate as a web of trust, much like PGP. An X.509 certificate includes the following elements:

  • Version
  • Serial number
  • Algorithm ID
  • Issuer
  • Validity

    • Not Before (a specified date)
    • Not After (a specified date)
  • Subject
  • Subject public key information

    • Public key algorithm
    • Subject public key
  • Issuer-unique identifier (optional)
  • Subject-unique identifier (optional)
  • Extensions (optional)

The Client's Role in PKI

Now, it might seem that, up to this point, all the work falls on the shoulders of the CAs, this is not entirely true. Clients are responsible for requesting digital certificates and for maintaining the security of their private key. Loss or compromise of the private key would mean that communications would no longer be secure. Loss of the private key would be devastating. If you are dealing with credit card numbers or other pieces of user identity, this type of loss of security could lead to identity theft.

Protecting the private key is an important issue because it's easier for an attacker to target the key than to try to crack the certificate service. Organizations should concern themselves with seven key management issues:

  • Generation
  • Distribution
  • Installation
  • Storage
  • Key change
  • Key control
  • Key disposal

The CISSP Cram Sheet

A Note from Series Editor Ed Tittel

About the Author


We Want to Hear from You!



The CISSP Certification Exam

Physical Security

Security-Management Practices

Access-Control Systems and Methodology

System Architecture and Models

Telecommunications and Network Security

Applications and Systems-Development Security

Operations Security

Business Continuity Planning

Law, Investigations, and Ethics


Practice Exam 1

Answers to Practice Exam 1

Practice Exam 2

Answers to Practice Exam 2

CISSP Exam Cram 2
CISSP Exam Cram 2
ISBN: 078973446X
EAN: 2147483647
Year: 2003
Pages: 204
Authors: Michael Gregg © 2008-2020.
If you may any questions please contact us: