Understanding the Role of Certificate Authorities in PKI
Public Key Infrastructures are not universal.
Understanding Public Key Infrastructure (PKI)
As the name suggests, a Public Key Infrastructure is an infrastructure that uses digital certificates as an authentication mechanism and is designed to manage those certificates and their associated keys.
Public Key Encryption is also known as asymmetric encryption, and it’s very popular because it is more secure than secret key encryption (also known as symmetric encryption). In Public Key Encryption, two related keys, one public and one private, work together, with one used for encrypting and the other used for decrypting. In this model, the public key, as the name would suggest, is publicly available to anyone who wants to begin encrypted communication with the holder of the private key. The private key is never shared.
Components of PKI
Public Key Infrastructures are not universal — it’s not as if there’s a single PKI that governs all digital certificates. Rather, a PKI can be built for a single organization and implemented only on that organization’s network or it can be a much larger commercial PKI that governs certificates issued to internet users.
Regardless, all PKIs feature the following four components:
- A Certification Authority to issue certificates – A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.
- Policies that govern the PKI – Bear in mind that PKI is largely about governance and management of digital CA certificates. In order to achieve both, a set of rules or guidelines must be in place to ensure things go smoothly. For smaller PKIs, these guidelines are often determined in-house by an IT admin or someone knowledgeable. For larger commercial PKIs, they’re determined by a collective of browsers and certificate authorities called the CA/B Forum.
- The Digital Certificates themselves – It’s kind of tough to manage a group of digital certificates that don’t exist. In order for a PKI to work and exist properly, it needs to have digital certificates; otherwise, what’s the point?
- Apps that are written to use the PKI – This last one may seem abstract, but it’s really not. This just means any application that is PKI-aware and uses the PKI to facilitate an encrypted connection. For some of the larger commercial PKIs, this would mean web browsers, email clients, etc.
What Are Certificate Authorities? Why Are Certificate Authorities a Vital Part of PKI?
As we’ve already established, a PKI is a complex system for governing and managing digital certificates. It helps to facilitate encryption while also verifying the owners of the public keys themselves.
This last portion is why the Certificate Authorities are so important. If you remove the CAs from PKI you essentially have a large, unverified group of digital CA certificates, many of which are likely viable but some of which could also be used maliciously given that there’s no way to verify ownership of them. For a layman, this means that someone could essentially misrepresent ownership of a given key and then steal encrypted data—or manipulate it.
We can’t have that. So, as a result, the Certificate Authorities are in place to help with authentication. Authentication simply means you’re proving ownership over a given certificate, and by extension that certificate’s key. The CAs are trusted for a reason: they have invested heavily in their own infrastructure and have robust operations in place that are capable of verifying identities and issuing digital certificates properly. They follow guidelines handed down by the browser community and maintain best practices aimed at ensuring optimal web security.
Basically, they’re trusted for a reason. And because of that trust, we can also trust the certificates they issue, which makes management of those certificates via PKI that much easier.
How Does a Certificate Authority Work? The Role of CA
Well, in order to be a trusted Certificate Authority, you must first have made a multi-million dollar annual investment in the infrastructure that it takes to be an active CA. So, there’s already an upfront cost just for doing business. Beyond that, you have to follow guidelines set forth by the CA/B Forum that govern issuance and authentication practices.
Then, you have to start actually issuing certificates. We won’t drill all the way down into roots and intermediates, etc. We’ll just touch on the process of actually authenticating and issuing a digital CA certificate. After the certificate is ordered, depending on the level of validation required, the CA goes to work verifying the identity of the applicant.
If it’s simply a Domain Validation certificate, the CA just checks ownership over the domain, and then, once this is satisfied, issues the certificate. For Organization Validation and Extended Validation, also known as business validation, the Certificate Authority will use business registration and credit reports to vet the organization applying. This can take between 3 and 5 days and is typically a fairly extensive process. Once it is complete, the certificate can then be issued and will contain critical details about the business itself.
All of this is essential, especially for a PKI, as it allows the true owner of the keys being managed to be verified and makes the entire endeavor safer and more reliable.
Published at DZone with permission of Jake Adley. See the original article here.