CompTIA Security+ SY0-601 – 3.9 Implement public key infrastructure. Part 1
In this video, I’m going to be talking about the public key infrastructure. What exactly is it, where do we use it, and what you need to know about it for your exam. So let’s get started. So before I get into this, I want to just quickly remind you where we left off in the topic of hybrid cryptography. So remember, hybrid cryptography was when we used symmetric and asymmetric in order to pass data. So what you were doing was that you were encrypting data with the symmetric encryption, but you were passing the symmetric keys using asymmetric keys. So, for example, if I wanted to send data to the Amazon web server, what I would do is tell Amazon, hey, give me your public key. I would receive the Amazon public key. I would create a symmetric key or a session key. I would encrypt it with Amazon public key and send it to Amazon.
Amazon would then decrypt it with their private keys and they have the session key and I have it or the symmetric key, same thing. And then all data communication between me and Amazon is done with that symmetric key that includes web pages and credit card information. And whatnot the question is, how did I get Amazon’s public key? And that is done with a certificate. So if I go here to my Chrome browser, where is that? And I go to Amazon. How did I get Amazon’s Public Key? And that is with this certificate. So a certificate right here is Amazon’s public key. So a certificate basically helps to prove the identity of Amazon. A certificate is basically like a driver’s license that proves that this is Amazon. This is the Amazon Certificate. This is their public key. The subject is amazon. This is who Amazon is. Notice the certificate is issued to www. amazon. com. Here’s the organization. It’s in Seattle, Washington.
So the certificate is basically like the Amazon’s driver’s license, proven who they are with their public key. So that brings me, why do we want to use certificates? Well, because certificates, of course, does basically two main things. It allows you to prove your identity of who you are. So if I have a certificate, if I set up a website, a certificate on my website, and you want to come to my website, my website can prove to your computer that, hey, that’s my website. And it allows me to give you my public key to start the SSL TLS. By the way, SSL TLS for our exam is the same thing. It allows us to start the TLS connection. So in certificates, how do we get it, where do we go to get it? And what are certificate authorities? Well, certificate authorities, the CA, the Certificate Authority is the machine that is digitally signing these certificates involved in fear, identity.
That’s who they are. And these are the machines, I should say, and the organizations that issues out the certificate. So with that, I’m going to give you some terms, okay? Two terms that I want you to know. PKI and certificate authority. These are two terms you’re going to hear a lot. Public key infrastructure is the infrastructure that’s set up within the organization to give you a CA. By setting up PKI, you get a certificate authority. Now the certificate authority is what’s going to give you the ability to issue out certificates to your users and your computers and sign certificates and volunteer the identity of those users and computers within the organization. Publicly trusted certificate authorities that you would have around you like DigiCert, Komodo, GoDaddy. These are public certificate authorities and vouchers for the identity of public businesses such as Amazon. So if we take a look at the Amazon certificates, you notice that this is issued to Amazon by DigiCert. So DigiCert is saying, hey, this is Amazon because I said so, right? Because DigiCert said so.
Now, do we trust DigiCert? Yeah, we trust DigiCert because they are a trusted certificate authority. And I’ll show you in the browser how where you trust these things coming up a little bit later. So this is just the basis of SSL of CAS. We go to certificate authorities to get a certificate. We get the certificate, we are able to install it on our computers. That way when people come to our website, we are able to prove to them, hey, we’re or Amazon and we’re able to give them our public key. That’s really the basics of what you need to know in terms of the process. Now, how you request a certificate, where do you go to get the certificate that we’re going to get into in the next video? And then we’ll take a look at the whole process of how it signs, it gives it to us and so on. So I hope this is just a quick introduction to it. Let’s keep going.
In this video I’m going to be going through the process of how to obtain a certificate from a certificate authority. We’ll take a look at a variety of different terms you’ll need to know for your exam and you’ll see the process of getting a certificate. If you ever want to set up a web server, and particularly I would be using a Windows Web Server IIS to do it. So let’s get started. So you want, want to set up a web server. You need a certificate in order to do your SSL. But how do you get a certificate on your server? Now we talked about the previous video, we talked about the importance of a certificate that allows you basically to prove your identity, allows you to pass around your public key so you can set up these SSL connections. Well let’s take a look at some terms. Here how to do this. So the first thing we’ll take a look at is you what is known as the subject.
So the subject is more than likely going to be the organization’s web server if you’re getting the certificate for your web server. Now the other entity that we need to talk about that you’re going to be talking to is the RA, the registration authority. And the registration authority will talk to the CA, the certificate authority. So when you want a certificate you’re going to create what is known as the CSR certificate sign in request. A CSR is basically a request telling the registration authority that hey, I need a certificate for my web server. Now the registration authority is basically the entity or the computer. It’s not really a computer, it’s basically the entity that’s going to verify your physical identification. Oh, is that Bob? You have to prove your driver’s license.
You have to submit your driver’s license to the registration authority or prove that the organization actually owns that business. That way you can go create get a certificate for Amazon. com. It’s not just going to have to prove that you really are Amazon. Now just a quick note, the registration of the target in the CA are always the same. No, let’s not say always, let’s say 99. 9% of the time the same entity. So generally people don’t refer to them as registration, they just say the CA like digitsert would be its own registration and CA. So digit cert a part of the organization of DigiCert would be validating people’s identity and DigiCert’s technical infrastructure would be the CAS that actually should be certificate. Just a side note, okay, so you send your certificate sign and request the registration authority.
The registration authority will then verify your identity and once it does that so once this happens then it comes and it tells the CA hey, this guy is good, you can give this guy a certificate. Here’s the CSR again. The certificate authority then creates the certificates with all the different fields that you would find on it how long it’s going to be valid for, visit your domain name. It’s going to do it with some of your organizational information on it. And of course, the CA is going to digitally sign it. Remember, the CA digitally signs these certificates with its private key. All right? So it signs it with its private key. So let’s say PRK there. Now, once it signs it and it sends it back to you, you basically install it and you have a certificate on your web server and you’re ready to go.
That’s all this process is. And it’s that easy to get a certificate. It’s not a hard thing to do. Let me show you what I mean. I have my Windows Server here. Let me close this out here. I’ll show you how to get to it. So I have on my Windows Server, I have installed a Role. I’ll show you guys this role. So the role I have installed is the IIS web server. This one. So this is the IIS. This is a Windows Web server. Popular server? I guess not. So as popular as Linux based servers are, but for organizations that does create applications on Windows Server, net applications and so on, will use this to run their apps. Okay, so I installed the IIS web server. I’m going to go here to Tools and I’m going to open up the Internet Information Service Manager. So this is my website. Now, I haven’t put anything on it. I just have the default website that comes pre installed with it.
So what I want to show you guys is how we’re going to create this request. And you’re going to see it’s a very simple thing. Basically, I’m going to go here to where it says Server Certificates. We’re going to go right here to where it says create a certificate request. Give it a common name. I would just call it web server. For now, the organization is ARNC my fictitious company Web. Let’s find the organizational unit. We’re in New York, New York. Click on next. We’ll do an RSA key of 2048 bits. Fine. And I’m going to save this one here in the My Documents, in the Documents folder with the name Web Server. And here we go. Web server. And I click on finish. Now basically it doesn’t look like anything happened, but what it did was that it created a certificate request file. Let’s open up our Explorer here. And I’m going to go to documents.
Here’s the web server text file that I just did. And basically you’ll notice that how this looks. It looks like all givers to you, but the certificate authorities know what to do with this. So we would submit this to the certificate authority. So if you’re getting a public certificate, you would submit it to like DigiCert or GoDaddy or Komodo certificate. You would submit this file to them and they would give you back another file that’s called a CER file. Now we’re going to cover these formats a little bit later, right? So don’t worry about this. We’ll cover these things a little bit later. We just go through the process. So once you submit it, they’re going to give you back one of these files. And once they give you back that, then you would right click and you would say complete the certificate request. And then you would select that file.
Notice it’s looking for that Cr file. Say this is for web hosting. It will say, okay, now you have a certificate installed on your server and then from here you can go and you can assign it to the websites by doing the SSL settings. Don’t forget to do a binding operation to enable SSL on your website. And that is as hard as it gets basically. So you would have to submit it. The certificate authority would then give you back a file and you’re basically ready to go. And that’s it. You set that up and you start using SSL automatically. That is all there was to it. Not very complex how to set it up. Setting up and getting certificates to website is the easy part. Understand all these terminologies. That of course could be the hard part.
In this video I’m going to be talking about the structure of how certificate authorities are structured, how the PKI basically is structured. We’ll see how they’re set up. We’ll also take a look at what happens when certificates become invalid and then we’ll end it off by talking about self signed versus publicly trusted certificate kits. So quite a lot of stuff going on in this video. Let’s get started. Whole lot of terms to cover. So let’s start out by talking about in the previous video we saw the attributes of a certificate. We saw basically how the certificates are issued out from the CA to the web servers and so on. So now I want to talk about that structure of the PKI. How is it structured, where do we get certificates from? And this is going to bring me to a concept called root CAS and intermediate CAS.
So let’s take a look here. So I’m going to draw a quick diagram here. At the top of the organization you’re going to have what’s known as a root CA, a root certification authority. Now if you go and you set up a PKI in your organization, that first initial certificate authority that you set up is considered the root CA. The root CA is that first certificate authority that’s created. Now this root CA could issue out certificates to users, to computers, to web servers and so on. You could issue out certificates with it. The problem with this is that if this route ever gets compromised, all the certificates you have ever issued will be invalid. Now remember how certificates work. Basically it validates the public key of that users and proves the identity of that person.
How is it doing it though? Because the way it does it is that it takes the certificate, puts the public key on it, it puts all the information, the CNA and the subject name and so on so on, puts all the information on it, it hashes it and then it encrypts it with its private key. That’s the digital signature, right? You remember that from previous videos. So the CA has that almighty private key that it’s signed on all the certificates with. Some hacker breaks in or Malware gets in and the CA, the root CA, loses that private key. All certificates are invalid. Organizations don’t want that. You don’t want that single point of failure. So what you’re going to do is you’re going to create what is known as intermediate CAS. So intermediate CAS you’re going to use maybe you have one intermediate one, intermediate two and intermediate three.
Now what this is doing is this is basically creating what’s known as certificate chain in. So here you have one level and you have another level of trust that’s happening. This is also going to be called your trust model, certificate trust model. So because this root CA is going to issue out a certificate to the intermediate below, it also called subordinate CAS. So this create a trust between them and then these intermediate is what’s, issuing the certificates to the users, right? Maybe this one, maybe you designate this one to the users. Then this one does for computers, then this one does for service. But you’re also issuing certs here. So the intermediate certificate authorities is what’s actually issuing out the search.
Now, why do you want this set up? Because that way if one of these intermediates ever get compromised, you don’t actually have to throw away all the certificates from all the other ones, just that ones. If the ones for users get compromised, just reissue. You use new user search. You don’t have to reissue ones for computers. Now, a couple of things to keep in mind is that when you’re doing this kind of setup, that root CA doesn’t need to be online. In fact, that root CA is offline and the intermediates is the ones that are online. Okay, so how is that? Why is that? Well, because, you see, that root CA is still the almighty route. The root CA is issued out certificates to the subordinates to the intermediates. The issue out certificates to the user. If you compromise the root CA, you compromise all the intermediate, all the search of them.
So what organizations do is they take the root CA completely offline. Remember the world’s most secure machine turned off and unplugged. If this root CA is a physical machine, disconnected, plug, unplugged off the network, put in a vault 500ft down in the 500ft down in the Earth and Swiss Alps, I think DigiCert, or what used to be known as Verisign used to do that. So you want to take it offline. It’s a virtual machine disconnected off the network, keep it on a hard drive farm to free down the Earth. You see, the root CA only needs to come online when you need to reissue a new certificate for one of these intermediate CAS, right? It doesn’t need to be online all the time because if it gets compromised and all your intermediate to compromise and all of the certificates that was issued in your entire organization is compromised, you don’t want that.
So here we have a great set up. Now I want to show you this. I want to show you. So here I am at Google, and if I go to Google certificate, we can see that certificate chain here. So notice the certificate was issued by this intermediate certificate. So if I look at here, I could see the certificate here. So notice this one is valid for four years. And this one here, this is the global sign CA, the Google Trusted Services. This one here, notice that this one is valid for a long time. So the original root CAS themselves, their certificates are valid for very long because they don’t issue out a lot of certificates. Who’s doing it? These intermediate certificates. So the root CA, when Google set this up, they did it for 15 years. So you notice Google has their own trust, google owns their own intermediate and their own root CAS. Well that’s going to be a little different if we take a look at Microsoft.
So Microsoft doesn’t have that infrastructure or wants to have, I guess that infrastructure that Google has because when I took a look at it the other day I realized that yeah, this one is Microsoft. But then you notice this intermediate is Microsoft too. That’s very unique, right? Even just to have your own intermediate certificate. But what Microsoft did and here’s the Microsoft intermediate certificate. Notice this one is valid for four years. But notice Digice Cert is the name at the top. So Digitserter is having a trust relation, basically a trust model with Microsoft. Then Microsoft issues their own certificate. So here you have Digits Cert at the top. If I say this one digits Cert, this one is valid for 25 years. This is the original root CA that’s used to create these subordinates. I’m 100% sure not even 99.
This root CA is not online. It’s completely offline. You can never get access to this machine through digital means because this machine is probably stored, the physical box or the VM is stored in some vault somewhere. It’s probably a physical box. In the year 2000 when it was made, this machine did anything that virtualization done. So this brings me to another topic we looked at, digital Survey looked at how did your computer know what certificate to trust? Well that’s because your browser, your browser has a, your browser, your computer has a list of CAS that it trusts. I want to show you that. So I’m going to open up and go to window R and I’m going to type MMC for Microsoft Management console.
And I’m going to open up a Microsoft Management Console. I’m going to go to File, add, remove, snap in and we’re going to go to Certificates. My user account is fine. I’m going to click OK. Now in here has a bunch of trusted root certification authorities that receive. So remember one of them there I think was Google was this global sign here, my computer is trusting it. Here’s a bunch of digitsert, ones that the Microsoft was using. That’s why we trust that. So we have all these trusted roots CA certificates on our computer. And while as long as these root certificate authorities, we trust them and they trust the intermediate and the intermediate trust certificate, then we trust the certificate. You see that chain there in the service called a certificate chain. That’s why it’s a trust model, right? Everybody trusts everybody.
Okay? Sometimes the certificate that you get becomes invalid. Why is that? You see, first of all, the certificate can expire, but I’m not talking about that. I’m talking about getting it compromised. You have a web server, you’re doing fine. Then one day you realize there was malware in your web server. What do you do? Well, what you got to do is you got to call Verisign and says, hey, my certificate was revoked. I’m sorry, my certificate was compromised. They stole my private key. So what digits her does is they revoke your certificate. Now when you go to a website and that website had a certificate that was revoked, what that means is that the owner, the subject of that certificate, call whoever it was issued to, call the CA and tell them something is wrong and they revoke certificate, you shouldn’t be using it.
And what you’re going to happen is you’re going to get if I go back to bad SSL, you’re going to get a certificate where it’s going to say it is revoked. So it’ll tell you that, hey, the certificate is revoked and you should not be using it. Now what happens when the certificate gets revoked and how does your browser find out that it was revoked? Well, there’s two ways of doing this. We’re going to use something called the CRL Certificate revocation list. Or you’re going to use something called OCSP, which stands for the Online Certificate Status Protocol. This is what’s going to be used in order to determine if a certificate is still valid. And your computer keeps checking this. So let’s go back here to my browser and I actually want to show you the certificate revocation list. So if I’m going to take you look at the Google certificate on here.
We’re going to go to details on this certificate and you notice you have certificate CRL Certificate revocation list distribution points. I’m going to copy this. I’m going to show you guys something. This is a manual list. By the way, if I know how to use a mouse to help me, I’m going to copy this. I’m going to go right here. I’m just going to paste it and that’s going to download something. So I want you to watch the bottom here. Okay? So it just downloaded this thing. And when I open it, this is a revocation list. This revocation list is a list of all certificates that Google that this CA has revoked. And it’s a big list. I’m going to hold this, all right? So it’s not as big digit. Cert is actually a whole lot bigger, I guess, because it’s not going to be that big. Because see, Google doesn’t issue out a lot of certificates. It only issues out basically to itself.
Here are some certificates that was revoked. Here’s one that was revoked just Sunday. Today is Monday. Today is Tuesday. Here’s some certificate that it was revoked. Now sometimes it may give you a reason, sometimes it may not. This one is saying the affiliation has changed. If I go to some place like Amazon and I take a look at the revocation list, this one I’m pretty sure is going to be really big because this comes from DigiCert, who issues out a lot of certificate. This one has two distribution points. We’ll use the first one. So if I go here, here’s my Revocation list. And yeah, this one, it’s not even moving. I’m just holding the mouse down. It’s not even moving. So this one here, Revocation Day Tuesday. It’s a few hours ago, 12:00. And this one superseded the certificate. Sometimes they give you the reason, but you don’t know what these certificates are.
All you got is serial number. So when your browser gets a certificate, what it does is that it will basically check it to make sure that it is valid. Okay, so this is how it would check. Now the other term I want you guys to know, so that’s the certificate CRL. But the other term I want you guys to know is something called the OCSP stands for the Online Certificate Status Protocol. Now, what that is, this is a more of an automated thing. Imagine having to download the list and the list is not updated right away. For more of a real time validation, use the Online Certificate Status Protocol. That is a more quicker way in order to get your certificate to validate your certificate, if it’s still good or has it been revoked. Okay, so the online certificate status protocol is the automated way.
Most, if not all browsers today uses this. I know Google Chrome has their own proprietary way of doing this, but every other browser basically uses this in order to validate your certificate. Okay, last topic I wanted to mention in this video was going to be the topic of I’ve been talking about certificate, getting certificate. You can get certificate from public CAS such as DigiCert, Komodo, GoDaddy, or big private CAS. I have in here say if I go cheap, I’m just putting that in there. Cheap SSL. I got a certificate from cheap SSL. You can get certificates from lots of different places, and you can get good certificates. Here’s one for $3. 44, right? So you can get certificates from here. But the big player in the game when it comes to SSL certificates is basically Digassert. So Digisert, which bought with God, which took it over from Semantics, which took it over from Verizon.
Now these are going to be certificates that are highly trusted that you can install in your organization. The other term that you may see appear on your exemption, they call it self signed cert self signed certificates or certificate that you create yourself on your computer to use maybe for generally internal environment. I mean, you could use them in the public, but people are going to get the trust there that it’s not trusted. And you’re going to always have to keep clicking, add them to actually use it. I’m going to generate one right now. Watch this. I’m going to go here to my Windows server. All right, I have one here. Now let me remove this. I’ll show you guys how to do it. So here I am, back at my IIS web server. And if I want to make this create a cell phone certificate, I will just click this button.
We’ll call this one Web Server for web hosting. And that’s it. That’s it. Certificate done. See, look, I have a certificate. I don’t need to go anywhere. I just have a certificate like that. The problem with this is that, yes, it allowed me to create an SSL session, but it’s not trusted. It issued to me, by me. And you notice how they gave me a one year on that. I didn’t get to specify that the web server just did it. So this is my own certificate. So the memorized health sign certificate is a certificate that is issued to you by you, and it’s not trusted. Okay? In this video, we talked a lot. We got a lot of terms covered. I would recommend to watch this video again, make some notes as you’re doing it. That way you understand some of the terms. That way, in case it shows up on the exam, you’ll be able to answer it. You’ll be able to answer it.
Popular posts
Recent Posts