Certificates and Certification Authorities
Questions and answers latest update
What is a digital certificate? Why do we need it?
A signed statement from a Certificate Authority that links a public key to a given subject. We need it
to know that a public key is in fact linked to the person we think it is.
what is the usual content of a digital certificate?
Serial number, subject, issuer, time validity, certificate policies, availability of revocation information,
key usage, Public key of subject, CA's signature (private key), key identifiers, identifiers of algorithms
used
for qualified certificates: QCStatement, transaction limit
What key usage types do you know?
Digital Signature (security services other than non-repudiation, certificate signing, or CRL signing),
Non-Repudiation (verify digital signatures used to provide a non-repudiation service),
Key Encipherment (encrypts the key (usually private) with another key (usually public)),
Data Encipherment (encrypt user data other than key),
Key agreement (when the sender and receiver of the public key need to derive the key without using
encryption),
Key Certification Signing (public key used to verify signature on certificate),
CRL signing (when the subject public key is to verify a signature on revocation information),
Encipher Only (public key can encipher data and confirm key agreement),
Decipher Only (public key can decipher data and confirm key agreement)
What types of certificates do you know?
Webserver (TLS/SSL): Domain validated, Organization validated, extended validation
What are the main tasks of a Certificate Authority?
The organization that certifies that a given public key belongs to a given subject, "trusted third party"
How are key pairs generated in a PKI?
By the subject (public key sent to CA), by the CA (private key sent to subject)
Where are the private keys stored? (CA, end-user)
CA doesn't store private keys; End-user can store on computer, on a hardware token, on a hardware
security model, or in the cloud
Why do we need certificate revocation? What approaches do you know for it?
Ensure an attacker cannot use an obtained private key to sign documents or decrypt messages on the
user's behalf.
A certificate can expire (outside of valid time frame) or be revoked (permanent) or suspended
(reversible). The CA changes the status of the certificate in it's own database
What is a Certification Path?
The path through different CA's that allows the user to check whether a certificate is valid
What makes a CA root?
Questions and answers latest update
What is a digital certificate? Why do we need it?
A signed statement from a Certificate Authority that links a public key to a given subject. We need it
to know that a public key is in fact linked to the person we think it is.
what is the usual content of a digital certificate?
Serial number, subject, issuer, time validity, certificate policies, availability of revocation information,
key usage, Public key of subject, CA's signature (private key), key identifiers, identifiers of algorithms
used
for qualified certificates: QCStatement, transaction limit
What key usage types do you know?
Digital Signature (security services other than non-repudiation, certificate signing, or CRL signing),
Non-Repudiation (verify digital signatures used to provide a non-repudiation service),
Key Encipherment (encrypts the key (usually private) with another key (usually public)),
Data Encipherment (encrypt user data other than key),
Key agreement (when the sender and receiver of the public key need to derive the key without using
encryption),
Key Certification Signing (public key used to verify signature on certificate),
CRL signing (when the subject public key is to verify a signature on revocation information),
Encipher Only (public key can encipher data and confirm key agreement),
Decipher Only (public key can decipher data and confirm key agreement)
What types of certificates do you know?
Webserver (TLS/SSL): Domain validated, Organization validated, extended validation
What are the main tasks of a Certificate Authority?
The organization that certifies that a given public key belongs to a given subject, "trusted third party"
How are key pairs generated in a PKI?
By the subject (public key sent to CA), by the CA (private key sent to subject)
Where are the private keys stored? (CA, end-user)
CA doesn't store private keys; End-user can store on computer, on a hardware token, on a hardware
security model, or in the cloud
Why do we need certificate revocation? What approaches do you know for it?
Ensure an attacker cannot use an obtained private key to sign documents or decrypt messages on the
user's behalf.
A certificate can expire (outside of valid time frame) or be revoked (permanent) or suspended
(reversible). The CA changes the status of the certificate in it's own database
What is a Certification Path?
The path through different CA's that allows the user to check whether a certificate is valid
What makes a CA root?
