NetworkTools
Sign In
1ACLs2Zone Firewalls3IPsec4SSL VPN5802.1X6IDS/IPS7PKI
← Back to Network Security

Learning Objectives

  • Understand the components of a Public Key Infrastructure
  • Describe the certificate lifecycle
  • Differentiate Certificate Authorities and Registration Authorities
  • Understand how certificates establish trust

What is PKI?

A Public Key Infrastructure (PKI) is the system of policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI binds public keys to identities — asserting that the public key in a certificate genuinely belongs to the entity named in that certificate.

Without PKI, anyone could claim to be your bank's website. PKI provides the chain of trust that lets your browser verify that the certificate presented by bank.com was issued by a trusted Certificate Authority (CA).

Components of PKI

A Certificate Authority (CA) is the trusted entity that issues and signs certificates. A Registration Authority (RA) handles identity verification before the CA issues a certificate — it offloads the verification workload from the CA. A Certificate Revocation List (CRL) or OCSP responder provides real-time certificate status checks. The end entity is the person, server, or device that holds the certificate.

Certificate Lifecycle

Every certificate goes through a defined lifecycle from creation to eventual removal.

Arrange the stages of a certificate's lifecycle in the correct order.

1.☰Certificate validation by peers
2.☰Certificate installation and deployment
3.☰Renewal or revocation
4.☰Certificate Signing Request (CSR) generation
5.☰Identity verification by RA
6.☰Certificate issuance and signing by CA
Hints
  • The certificate does not exist yet at the first step.
  • A trusted third party must verify the identity before issuing.
  • The final step is about ending the certificate's validity period.
Attempts: 0 | Successful: 0

How Trust is Established

Trust in PKI is hierarchical. Your browser and operating system ship with a set of root CA certificates that are inherently trusted. When you visit a website, the server presents a certificate signed by an intermediate CA, which itself is signed by a root CA. This is called the chain of trust.

If any link in the chain is broken — if the intermediate CA is untrusted, or if the certificate is expired, or if it has been revoked — the browser displays a security warning. The chain is only as strong as its weakest link.

Certificate Revocation

Certificates must be revoked before expiration if the private key is compromised, the entity leaves the organization, or the certificate was issued in error. CRLs are lists of revoked certificates published periodically by the CA. OCSP provides real-time status checks — it answers "is this certificate still valid right now?" OCSP stapling improves performance by having the server attach a timestamped OCSP response to the TLS handshake.

What is the primary role of a Certificate Authority?

What protocol provides real-time certificate status?

Key Takeaways

  • PKI binds public keys to identities through digital certificates
  • The CA issues certificates; the RA verifies identities
  • The certificate lifecycle: CSR → verification → issuance → deployment → validation → renewal/revocation
  • Trust is hierarchical through a chain from root CA to leaf certificate
  • CRLs and OCSP provide revocation status — OCSP offers real-time checks
  • OCSP stapling improves performance by embedding status in the TLS handshake
PreviousIDS/IPS