Public Key Infrastructure

PKI system: A system that defines the creation, storage and distribution of digital certificates

  • A digital certificate is a file that proves ​that an entity owns a certain public key. ​
  • A certificate contains information about the public key, ​the entity it belongs to, ​and a digital signature from ​another party that has verified this information
  •  ​If the signature is valid and we ​trust the entity that signed the certificate, ​then we can trust the public key to be used ​to securely communicate with the entity that owns it.

CA (Certificate authority): It’s the entity that’s responsible for storing, issuing, and signing certificates. It’s a crucial component of the PKI system

RA (Registration Authority): It is responsible for verifying the identities of any entities requesting certificates to be signed and stored with the CA

A central repository is needed ​to securely store and index keys, ​and a certificate management system of some sort, ​makes managing access to ​storage certificates and issuance of certificates easier

SSL/TLS Client Certificate: Certificates that are bound to clients and are used to authenticate the client to the server, allowing access control to a SSL/TLS service

  • As the name implies, these ​are certificates that are bound to ​clients and are used to ​authenticate the client to the server, ​allowing access control to an SSL/TLS service

SSL/TLS Server Certificate: A certificate that a web server presents to a client as part of the initial secure setup of an SSL, TLS connection

Self-signed certificate: This certificate has been signed by the same entity that issued the certificate

  • This would basically be signing ​your own public key using your private key.

Root certificate authority: They are self signed because they are the start of the chain of trust, so there’s no higher authority that can sign on their behalf

  • Intermediary (subordinate) CA: It means that the entity that this certificate was issued to can now sign other certificates
  • End-entity (leaf certificate): A certificate that has no authority as a CA