Understanding the Role of Certificate Authorities in PKI
You may have heard the acronym “PKI,” but chances are you’re not especially sure what it means. You’re not alone. While many the concept of a Public Key Infrastructure is commonly discussed in the IT world, it’s not always well understood.
As the name suggests a Public Key Infrastructure is an infrastructure that uses digital certificates as an authentication mechanism and is designed to manage those certificates and their associated keys.
Public Key Encryption is also known as asymmetric encryption, and it’s very popular because it is more secure than secret key encryption (also known as symmetric) encryption. In Public Key Encryption, two related keys, one public and one private, work together to with one used for encryption and the other used for decrypting. In this model, the public key — as the name would suggest — is publicly available to anyone who wants to begin encrypted communication with the holder of the private key. The private key is never shared.
The problem that PKI solves stems from the difficulty of verifying that a public key is actually owned by the person or entity that claims it. Hence the use of digital certificates and PKI. In this scenario a trusted third-party certificate authority validates the identity of the person or organization it is issuing the key pair to. From there, via the use of the accompanying digital certificate that is issued, anyone can verify the identity of the key-holder.
A digital certificate contains information about the key-holder, the public key, an expiration date and the signature of the Certificate Authority that issued it. Unfortunately, managing digital certificates can be a challenge, so Public Key Infrastructure was created to help provide a framework for issuance, renewal and revocation of these digital certificates.
Components of PKI
Public Key Infrastructures are not universal — it’s not as if there’s a single PKI that governs all digital certificates. Rather, a PKI can be built for a single organization and implemented only on that organization’s network or it can be a much larger commercial PKI that governs certificates issued to internet users.
Regardless, all PKIs feature the following four components:
- A Certification Authority to issue certificates — A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.
- Policies that govern the PKI — Bear in mind that PKI is largely about governance and management of digital certificates. In order to achieve both, a set of rules or guidelines must be in place to ensure things go smoothly. For smaller PKIs, these guidelines or often determined in-house by an IT admin or someone knowledgeable. For larger commercial PKIs, they’re determined by a collective of browsers and certificate authorities called the CA/B Forum.
- The Digital Certificates themselves — It’s kind of tough manage a group of digital certificates that don’t exist. In order for a PKI to work and exist properly, it needs to have digital certificates, otherwise — what’s the point?
- Apps that are written to use the PKI — This last one may seem abstract, it’s really not. This just means any application that is PKI aware and uses the PKI to facilitate an encrypted connection. Take some of the larger commercial PKIs, this would mean web browser, email clients, etc…
Why Certificate Authorities are a Vital Part of PKI
As we’ve already established, a PKI is a complex system for governing and managing digital certificates. It helps to facilitate encryption while also verifying the owners of the public keys themselves.
This last portion is why the Certificate Authorities are so important. If you remove the CAs from PKI you essentially have a large, unverified group of digital certificates, many of which are likely viable but some of which could also be used maliciously given that there’s no way to verify ownership of them. For a layman, this means that someone could essentially misrepresent ownership of a given key and then steal encrypted data — or manipulate it.
We can’t have that. So as a result the Certificate Authorities are in place to help with authentication. Authentication simply means you’re proving ownership over a given certificate, and by extension that certificate’s key. The CAs are trusted for a reason, they have invested heavily in their own infrastructure and have robust operations in place that are capable of verifying identities and issuing digital certificates properly. They follow guidelines handed down by the browser community and maintain best practices aimed at ensuring optimal web security.
Basically, they’re trusted for a reason. And because of that trust, we can also trust the certificates they issue, which makes management of those certificates via PKI that much easier.
How Does a Certificate Authority Work?
Well in order to be a trusted Certificate Authority you must first have made a multi-million dollar annual investment in the infrastructure that it takes to be an active CA. So there’s already an upfront cost just for doing business. Beyond that you have to follow guidelines set for by the CA/B forum that govern issuance and authentication practices.
Then you have to start actually issuing certificates. We won’t drill all the way down into roots and intermediates, etc. We’ll just touch on the process of actually authenticating and issuing a digital certificate. After the certificate is ordered, depending on the level of validation required, the CA goes to work verifying the identity of the applicant.
If it’s simply a Domain Validation certificate, the CA just checks ownership over the domain and then, once this is satisfied, issues the certificate. For Organization Validation and Extended Validation, also known as business validation, the Certificate Authority will use business registration and credit reports to vet the organization applying. This can take between 3–5 days and is typically a fairly extensive process. Once it is complete, the certificate can then be issued and will contain critical details about the business itself.
All of this is essential, especially for a PKI, as it allows the true owner of the keys being managed to be verified and makes the entire endeavor safer and more reliable.
Certificate Authority and PKI
Originally published at cheapsslsecurity.com on July 6, 2016.