3 - Public Key Infrastructure - Coggle Diagram
3 - Public Key Infrastructure
Certificate authority
Offer notarization services for digital certificates
Registration authority
Assist CAs with the burden of verifying users' identities prior to the issuance of digital certificates
Certificate life cycle
Enrollment
Submit a Certificate Signing Request (CSR) containing your public key and receive back a certificate signed by the CA
Types of certificates
Domain Validation (DV) certificate
Extended Validation (EV) certificate
Verification
Check the digital signature, check the validity period, check that the certificate is not listed on a Certificate Revocation List (CRL) or reported as revoked by the Online Certificate Status Protocol (OCSP)
Certificate pinning = make the browser associate a site with its expected public key so that an unexpected change is noticed
Revocation
Certificate Revocation Lists (CRL) maintained by each CA, BUT they are downloaded asynchronously, so a client may act on a stale list (a race condition)
Online Certificate Status Protocol (OCSP): real-time certificate status verification
Certificate stapling: the web server caches its own OCSP response and sends it to clients along with the certificate
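The three life-cycle stages above (enrollment, verification, revocation) carried through in Go with only the standard library's crypto/x509; this is an added example, not content from the diagram. The CA name, the hostname www.example.test and the function names BuildPKI, Revoke, MakeCRL and VerifyLeaf are constructed for this example, and the CRL stands in for the OCSP lookup.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// BuildPKI is the enrollment step: a constructed self-signed CA issues a server certificate (test data only).
func BuildPKI(now time.Time) (ca, leaf *x509.Certificate, caKey ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the subject's key pair; only the public half goes into the CSR
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId that CRL issuance needs
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now, NotAfter: now.Add(12 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey) // CA signs the subject's public key
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf, caKey
}
func Revoke(c *x509.Certificate, at time.Time) pkix.RevokedCertificate { // one CRL entry: serial + revocation time
	return pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: at}
}
// MakeCRL is the revocation step: the CA signs a CRL listing the revoked serial numbers, valid until NextUpdate.
func MakeCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time, entries ...pkix.RevokedCertificate) *x509.RevocationList {
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}
// VerifyLeaf is the verification step: signature chain and validity period (leaf.Verify), then the revocation check.
func VerifyLeaf(leaf, ca *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return err // untrusted chain, bad signature, or outside the validity period
	}
	if crl.CheckSignatureFrom(ca) != nil || at.After(crl.NextUpdate) { // CRLs arrive asynchronously: require a CA-signed, current one
		return errors.New("crl: not signed by this CA or stale")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
```

A stale CRL is rejected rather than trusted, which is the defensive answer to the race condition noted above; an OCSP responder or a stapled response would replace the CRL lookup with the same three checks.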
Certificate formats
Distinguished Encoding Rules (DER): binary format (.der, .crt, .cer)
Privacy-Enhanced Mail (PEM): ASCII text version of the DER format (.pem, .crt)
Personal Information Exchange (PFX): binary format used on Windows (.pfx, .p12)
P7B certificates: ASCII text format used on Windows (.p7b)
Governance
Plan key rotation