What is Public Key Infrastructure?
Public Key Infrastructure (PKI) is used to store, create, manage and distribute digital certificates. A public key is bound to a specific user by the certificate authority (CA) and issues the digital document containing the encrypted public key that is known as a certificate.
The Public Key Infrastructure works as long as the certificate authority is trusted and can be issued by that authority. The certificate authority can be installed onto a company server or a third party certificate authority can be used, such as Verisign.
The purpose of this Public Key Infrastructure process is to digitally sign a document so that it can be verified as belonging to a particular user or device over the network.
A digital certificate will be given an expiration date and it can also be revoked if it was compromised or if the certificate was discovered to have been improperly issued or if the token containing the private key has been lost or stolen from the user. A certificate revocation list consists of a list of certificates revoked or that are no longer valid. The most common digital certificate is X.509 version 3 standard that specifies the certificate format, revocation list, attribute certificates and path validation algorithm.
If a Windows server hosts a certificate authority the Enterprise Root CA is given the highest level of certificate authority and, once configured, registers automatically within the Active Directory with all the computers within the domain trusting it.
A stand-alone certificate authority can be used to support external devices or users and this does not use Active Directory.
Digital certificates are used in public key cryptography functions such as within secure SSL that provide a secure connection between Internet browsers and web servers.
Main Types of Digital Certificates
The three main types of digital certificates used by Internet browsers and web servers being:
- Domain Validated (DV SSL) Certificates – These require that the applicant can demonstrates that they have a right to use the domain, they do not provide any guarantee about the applicant.
- Organization Validated (OV SSL) Certificates – Require the applicant to prove that they had a right to use the domain and require further confirmation of ownership.
- Extended Validation (EV SSL) Certificates – These are issued once the applicant has proven their identity and includes the verification that the applicant exists and matches the official records as well as that they are authorised to use the domain and that the owner of the domain has authorised the release of the certificate.
Main Digital Certificate File Formats
Digital Certificates can be imported and exported within different formats being:
- PKCS #12 or PFX – Personal Information Exchange – This format allows the certificate and the private key to be exported and normally has a .p12 file extension.
- PKCS #7 – Cryptographic Message Syntax Standard – Allows the storage of certificates and the certification path within a file with .p7b or .p7c file extension.
- DER-encoded binary X.509 – Distinguished Encoding Rules – allows the storage of a certificate, though not the certification or private key, within a .cer, .crt or .der file extension.
- Base64-encoded binary X.509 – Storage of a single certificate though not the certification path or private key.
The Certificate Chain
The certificate path or certificate chain consists of a list of certificates including SSL and Certificate Authority certificates that allow for the recipient to verify the sender and CA.
The chain starts with the SSL certificate and then each subsequent certificate is signed by the item that is identified within the next certificate, or Intermediate Certificate, in that chain.
- The chain begins with the certificate of the entity.
- Each certificate is issued with a matching subject of the next certificate.
- Each certificate in the chain should be signed by the key relating to the next certificate.
- The last certificate is known as the root CA certificate.
The majority of operating systems include a list of root certificates to act as trust anchors for applications and some applications, including some Web browsers also include their own list of trust anchors.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or
via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any
computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited
to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.