
Public Key Infrastructure

Refers to a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public key encryption

PKI components

  • Certification Authority (CA)

    • Responsible for issuing certificates

  • Registration Authority (RA)

    • Responsible for verifying the actual identity of the individual requesting a certificate

    • The type of validation depends on the type of certificate being requested

  • Certificate Revocation List (CRL)

    • A signed document that contains information about which certificates have been revoked

    • It contains the serial number of the revoked certificate, the time of revocation and the reason for revocation, for each certificate in the list

    • The CRL is signed by the CA and then published at a CRL Distribution Point (CDP)

  • Online Certificate Status Protocol (OCSP)

    • A protocol for asking the CA's responder about the revocation status of a single certificate in real time, instead of downloading the whole CRL

  • Certification Repository and Revocation Information

    • Holds the information about which certificates are still valid

  • Revocation

    • After a CA certifies a key, there may be circumstances in which the certificate needs to be invalidated before it expires

  • etc.

Public Key Infrastructure (PKI) models and structures

Simple Certification

  • Having one CA that gives out certificates


Multi-Layer Certification

  • Having a Root CA that delegates trust to other CAs, who then issue certificates for others


Cross Certification

  • Two CAs certify each other, so trusting one CA automatically leads to trusting the other


Chain of Trust Certification Structure

  • The relying party receives a certificate, then follows the chain of issuers all the way up to the Root CA, checking who issued each certificate along the way


Multiple Cross Certification

  • Multiple CAs can mutually cross-certify each other


Bridge Cross Certification

  • One CA acts as a bridge that certifies all the other CAs, and all of the other CAs certify that one bridge
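The two mechanisms above that a relying party actually executes, walking the chain of trust up to a Root CA and checking each certificate against the CRL its issuer published, are shown together in the following Python model. It is an added example, not code from the original notes: the certificates, CA names, serial numbers and CRL contents are constructed for illustration, and the issuer-name link stands in for the signature check a real X.509 implementation performs at each step (no signatures are verified here). The model also handles the failure modes the notes imply: a revoked serial, a stale CRL, a certificate outside its validity period, a leaf certificate that tries to act as an issuer, and a self-signed root that is not in the trust store.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str           # subject name of the CA that signed this cert
    serial: int           # unique per issuer; this is what a CRL lists
    not_before: datetime
    not_after: datetime
    is_ca: bool = False   # may this cert issue other certificates?


@dataclass(frozen=True)
class CRLEntry:
    serial: int           # serial number of the revoked cert
    revoked_at: datetime  # time of revocation
    reason: str           # reason for revocation


@dataclass(frozen=True)
class CRL:
    issuer: str           # the CA that signed and published this list at its CDP
    this_update: datetime
    next_update: datetime  # after this the list is stale and must be refetched
    entries: tuple[CRLEntry, ...]


def revocation_status(cert: Cert, crls: dict[str, CRL], now: datetime):
    """Look cert up in the CRL published by its issuer: 'good', 'revoked' or 'unknown'.
    'unknown' (no CRL, or a stale one) is a failure for a strict client, never 'good'."""
    crl = crls.get(cert.issuer)
    if crl is None:
        return "unknown", "no CRL published by %s" % cert.issuer
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown", "CRL from %s is stale" % cert.issuer
    for entry in crl.entries:
        if entry.serial == cert.serial and entry.revoked_at <= now:
            return "revoked", entry.reason
    return "good", ""


def build_path(leaf, intermediates, trust_anchors, max_depth=8):
    """Chain of trust: follow issuer names from the leaf up to a trusted Root CA.
    Returns (path, error); the path ends at the anchor when error is None."""
    path, seen, cur = [leaf], {leaf.subject}, leaf
    while True:
        if trust_anchors.get(cur.subject) == cur:      # reached a trusted root
            return path, None
        if len(path) >= max_depth:
            return path, "chain too long"
        issuer = trust_anchors.get(cur.issuer) or intermediates.get(cur.issuer)
        if issuer is None:
            return path, "issuer %s not found" % cur.issuer
        if not issuer.is_ca:                           # a leaf may not sign for others
            return path, "issuer %s is not a CA" % issuer.subject
        if issuer.subject in seen:                     # untrusted self-signed root, or a cycle
            return path, "issuer loop at %s" % issuer.subject
        seen.add(issuer.subject)
        path.append(issuer)
        cur = issuer


def validate_chain(leaf, intermediates, trust_anchors, crls, now):
    """Return (ok, reason, subject names along the path)."""
    path, err = build_path(leaf, intermediates, trust_anchors)
    names = [c.subject for c in path]
    if err:
        return False, err, names
    for cert in path:
        if not (cert.not_before <= now <= cert.not_after):
            return False, "%s outside validity period" % cert.subject, names
    for cert in path[:-1]:   # the root is trusted by being in the store, not via a CRL
        status, detail = revocation_status(cert, crls, now)
        if status != "good":
            return False, "%s %s: %s" % (cert.subject, status, detail), names
    return True, "anchored at %s" % path[-1].subject, names


def utc_date(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample PKI: all names, serials and dates are made up for this example.
ROOT = Cert("Example Root CA", "Example Root CA", 1, utc_date(2020, 1, 1), utc_date(2040, 1, 1), is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", 1001, utc_date(2021, 1, 1), utc_date(2031, 1, 1), is_ca=True)
SERVER = Cert("www.example.test", "Example Issuing CA", 5001, utc_date(2024, 1, 1), utc_date(2025, 1, 1))
STOLEN = Cert("mail.example.test", "Example Issuing CA", 5002, utc_date(2024, 1, 1), utc_date(2025, 1, 1))
FORGED = Cert("forged.example.test", "www.example.test", 1, utc_date(2024, 1, 1), utc_date(2025, 1, 1))
TRUST = {ROOT.subject: ROOT}
INTERMEDIATES = {INTER.subject: INTER, SERVER.subject: SERVER}
CRLS = {  # each CA publishes its own CRL; the issuing CA has revoked serial 5002
    "Example Root CA": CRL("Example Root CA", utc_date(2024, 6, 1), utc_date(2024, 12, 1), ()),
    "Example Issuing CA": CRL("Example Issuing CA", utc_date(2024, 6, 1), utc_date(2024, 7, 1),
                              (CRLEntry(5002, utc_date(2024, 5, 15), "keyCompromise"),)),
}
NOW = utc_date(2024, 6, 15)

if __name__ == "__main__":
    for cert in (SERVER, STOLEN, FORGED):
        ok, why, names = validate_chain(cert, INTERMEDIATES, TRUST, CRLS, NOW)
        print("%-4s %-20s %s  [%s]" % ("OK" if ok else "FAIL", cert.subject, why, " -> ".join(names)))
```

Path construction and path validation are deliberately separate, as in real implementations: first the client finds a chain that ends at a root it already trusts, and only then does it check validity periods and revocation for every certificate below that root. Treating a missing or stale CRL as "unknown" rather than "good" is the fail-closed choice; a client that silently accepts a certificate when it cannot fetch revocation data gives the CRL no value.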
