Term
| Use Case: Computer Certificate |
|
Definition
- You have to manage many devices
- You must ensure only authorized devices are used
- You must allow remote access through VPN to authorized devices only
|
|
|
Term
|
Definition
- CA
- Intermediate CA
- CRL
- OCSP
- CSR
- Certificate
- Public key
- Private key
- Object identifiers (OID) |
|
|
Term
|
Definition
- DER
- PEM
- PFX
- CER
- P12
- P7B |
|
|
Term
|
Definition
- Wildcard
- SAN
- Code signing
- Self-signed
- Machine/computer
- Email
- User
- Root
- Domain validation
- Extended validation |
|
|
Term
|
Definition
| -A certificate that applies to all servers within a dns domain |
|
|
Term
| Public key cryptography standard #7 (P7B) |
|
Definition
| -A file extension used for Cryptographic Message Syntax standard |
|
|
Term
| Extended Validation Certificate (EV) |
|
Definition
-Additional Checks verified the cert owner's identity
-Green name on the address bar |
|
|
Term
|
Definition
-April 2014 CVE-2014-0160
-OpenSSL flaw put private key of web servers at risk
-Required older certs to be moved to CRL
-Required generation of new certificates |
|
|
Term
|
Definition
-Asymmetric to exchange the secret key used for symmetric encryption
-Symmetric encryption used for the rest of the communication |
|
|
Term
|
Definition
-Chain of trust from Root CA through each subordinate CA
-Starts at SSL certificate on a web server and ends at root CA |
|
|
Term
|
Definition
-Cross certifying CA's
-Each subscriber
trusts the CA that issued that subscriber’s certificate(s)
-no superior/ subordinate relationship
-Doesn't scale well. |
|
|
Term
|
Definition
-Device Authentication
-Putting a certificate on a device
-Allows VPN access to authorized device |
|
|
Term
|
Definition
-Every server is it's own CA
-Every server stores a copy of every public cert for every server
-commonly used with PGP
-People sign other peoples certs |
|
|
Term
| Subject Alternative Name (SAN) |
|
Definition
-Extension to X.509 cert
-Lists additional identification info
-Allows a cert to support many different domains |
|
|
Term
|
Definition
-For OCSP
-the device that holds the certificate will also be the one to provide status of any revocation |
|
|
Term
|
Definition
| -Held by owner to sign material for public use |
|
|
Term
|
Definition
-Issuer
-Creates keys
-Usually used to provide keys for intermediate servers |
|
|
Term
| privacy enhanced mail format (PEM) |
|
Definition
-One of the most common certificate file formats
-ASCII readable
-supported across many different applications on many different operating systems |
|
|
Term
| Domain Validation Cert (DV) |
|
Definition
| -Owner has control over a DNS domain |
|
|
Term
|
Definition
-Prevents MiM attacks
-Public Key Certificate hard coded into application
-App is compiled with certificate embedded |
|
|
Term
Concepts
- Online vs. offline CA |
|
Definition
-Root CA is kept offline and secured
-Only Subordinate CA's are online |
|
|
Term
|
Definition
-Root CA with subordinates
-Each subordinate CA may issue certificates to users or another level of subordinate CAs |
|
|
Term
|
Definition
-Sent to authority to be signed
-Used to prove something has come from you authentic (non-repudiation)
-On a web server certificate this would be viewable
-Proves that something has not been tampered with |
|
|
Term
|
Definition
-Similar to P12
-Microsoft Standard
-Used to transfer private key |
|
|
Term
|
Definition
-Start of the PKI infrastructure
-Issues certs to subordinates |
|
|
Term
|
Definition
| -Used on software to guarantee the source |
|
|
Term
|
Definition
| -Used to create and store public keys for users, organizations, and subordinate servers |
|
|
Term
|
Definition
| -Used to request that a CA sign your public key |
|
|
Term
|
Definition
-When a server creates it's own certificate
-No CA involved |
|
|
Term
|
Definition
-X.509 Version
-Serial Number
-Signature Algorithm
-Issuer
-Date time validation
-Name of Certificate holder
-Public Key and algorithm
-Extensions |
|
|
Term
|
Definition
-a file extension for an SSL certificate --file extension for format used by Web servers to help verify the identity and security of the site in question
-commonly found file extension in windows
-formatted with binary DER format or ASCII PEM format |
|
|
Term
| public key cryptography standards #12 (P12) |
|
Definition
-a personal information exchange syntax standard that was created by RSA and is now part of an RFC standard
-Container format Used to store many different kinds of certificates
-Often used to send public key private key pair
-Can be password protected |
|
|
Term
| distinguished encoding rules (DER) |
|
Definition
-binary format
-designed for X.509 certificates
-common format used across many different platforms
-Often used with JAVA certificates |
|
|
Term
|
Definition
-can be assigned to web server for SSL encryption
-certificate authority is confirming that the person receiving the DV certificate has some control over the domain associated with the SSL certificate |
|
|
Term
|
Definition
-certificate authority performs additional checks of the person that is receiving the certificate
-a special certificate that has the green name of the organization that appears to anyone who connects to that web server over an encrypted channel |
|
|
Term
|
Definition
-certificate used with smart card
-certificate could be stored on mobile device |
|
|
Term
|
Definition
-describes the policies, the procedure, the hardware, the software, and the people that are used to manage digital certificates
-the process of creating, distributing, managing, storing, and revoking certificates |
|
|
Term
|
Definition
-for revoking certificates
-tells which certs have been revoked |
|
|
Term
| OCSP Online Certificate Status Protocol |
|
Definition
| -online access for browsers to find CRL for a CA |
|
|
Term
|
Definition
-someone else may have access, or hold, your decryption keys
-private keys would be in the hands of a third party and that third party |
|
|
Term
|
Definition
-using a recipient’s public key to encrypt the contents
-only the recipients private key can decrypt
-nothing has changed since signed |
|
|
Term
| Subject Alternative Name (SAN) |
|
Definition
-web server certificates that support many different domains in exactly the same certificate
-Multiple DNS names associated with this particular certificate |
|
|
Term
| Different Types of PKI models |
|
Definition
Hierarchical
Bridge
Hybrid
Mesh |
|
|
Term
|
Definition
| dot-separated series of numbers such as 2.23.140.1.2.1. viewable on the General tab of the certificate. |
|
|
Term
|
Definition
-Max Key Size 256
-Fixed length |
|
|
