UNIT 4

PUBLIC KEY
INFRASTRUCTURE
Topics to cover
4.1 Public key infrastructures: basics, digital
certificates, certificate authorities, registration
authorities

4.2 Steps for obtaining a digital certificate

4.3 Trust and certificate verification

 PKI BASICS 3

• Public key infrastructure or PKI is the governing body behind issuing digital certificates.
It helps to protect confidential data and gives unique identities to users and systems. Thus,
it ensures security in communications.
• The public key infrastructure uses a pair of keys: the public key and the private key to
achieve security. The public keys are prone to attacks and thus an intact infrastructure is
needed to maintain them.

• Managing Keys in the Cryptosystem:

• The security of a cryptosystem relies on its keys. Thus, it is important that we have a solid
key management system in place.

• Keeping the private key secret: Only the owner of a private key is authorized to use a
private key. It should thus remain out of reach of any other person.

• Assuring the public key: Public keys are in the open domain and can be publicly
accessed. When this extent of public accessibility, it becomes hard to know if a key is
correct and what it will be used for. The purpose of a public key must be explicitly
defined.

• PKI or public key infrastructure aims at achieving the assurance of public key.
DIGITAL CERTIFICATES 4

• Digital certificates are issued to people and electronic systems to uniquely

identify them in the digital world.

• A digital certificate is an electronic data structure that binds an entity, being

an institution, a person, a computer program, a web address etc., to its
public key.

• Digital certificates are used for secure communication, using public key
cryptography, and digital signatures. The purpose of a PKI is to make sure
that the certificate can be trusted.

• A digital certificate is an electronic signature from one or more trusted third

parties that guarantees the validity and authenticity of a public key.

• There are two trust models used in practice: "Web of Trust" and central
"Certification Authority" based.
CERTIFICATE AUTHORITIES ( CA )

A CA issues and verifies certificates. This authority makes sure that the information in a
certificate is real and correct and it also digitally signs the certificate.

a PKI is an arrangement that binds public keys with respective identities of entities (like
people and organizations). The binding is established through a process of registration
and issuance of certificates at and by a certificate authority (CA).

As an integral part of PKI, a CA plays multiple crucial roles:

1. issues digital certificates
2. helps establish trust between communicating entities over the internet
3. verifies domain names and organizations to validate their identities and.
4. maintains certificate revocation lists. In case of suspicious behavior of a client or loss
of trust in them, the CA has the power to revoke the digital certificate.
 6

REGISTRATION AUTHORITIES ( RA )

A Registration Authority (RA) is a function for certificate enrollment used

in public key infrastructures.
It is responsible for receiving certificate signing requests – for the initial
enrollment or renewals – from people, servers, things or other applications. The
Registration Authority verifies and forwards these requests to a Certificate
Authority (CA).

A Registration Authority is usually separated from the Certificate Authority for

accessibility and security reasons. The RA is accessed via a user-friendly GUI or
via integration friendly APIs and standard protocols.
Authorizes creation of a certificate and provides validated user information to the
CA.

Services of Registration Authority:

•Accepting and verifying the details of new user’s registration.
•User key generation.
•Backups and recovery of key.
•Certificate cancellation.
OBTAINING DIGITAL CERTIFICATES 7

• Digital Certificate source - 3rd-party CA or Self-Signed

• A digital certificate must be issued from a Certificate Authority

(CA), either a 3rd-party commercial CA (such as, Verisign,
Thawte, Godaddy, Rapid SSL, and others), or can be created by
yourself

• https://support.microsoft.com/en-au/office/obtain-a-digital-certif
icate-and-create-a-digital-signature-e3d9d813-3305-]4164-a820-
2e063d86e512
OBTAINING DIGITAL CERTIFICATES 8

1. Identify the Purpose:

Determine the purpose for which you need the digital certificate. (SSL/TLS certificates), code signing,
email encryption, and more.

2. Choose a Certificate Authority (CA):

If you need a publicly trusted certificate, choose a reputable CA. Common public CAs include Let's
Encrypt, DigiCert, Comodo, and others

3. Generate a Certificate Signing Request (CSR):

If you're obtaining a certificate from a CA, you typically need to generate a CSR. This is a file
containing information about the entity requesting the certificate

4. Submit CSR to the CA:

If you're using a public CA, submit the CSR to them through their web interface or another specified
method. Follow the CA's instructions for the submission process.

5. CA Verification:
The CA will verify the information in the CSR

6. Certificate Issuance:
You'll usually receive the certificate file, which may have extensions like .crt or .pem.

7. Install the Certificate:

Install the obtained certificate
TRUST AND VERIFICATION OF CERTIFICATE
In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and
its business policies for issuing and managing certificates, they can trust certificates issued
by the CA. This is known as third-party trust.
The trust in a certificate is established by verifying the digital signature of the issuing CA
up to the root CA.
To verify a certificate, the relying party (the entity relying on the certificate) performs the
following steps:
1. Extract Public Key: Obtain the public key from the digital certificate.
2. Obtain CA Public Key: Obtain the public key of the CA that issued the certificate.
3. Verify Digital Signature: Use the CA's public key to decrypt the digital signature in
the certificate and obtain the hash of the certificate data.
4. Hash Certificate Data: Hash the certificate data (excluding the signature) using the
same hash algorithm used by the CA.
5. Compare Hashes: Compare the hash obtained from the decrypted signature with
the hash obtained from the certificate data.
 SUMMARY
10

• In summary, PKI is a comprehensive system for managing digital

certificates and facilitating secure communication.

• Digital certificates are electronic credentials that bind the identity

of an entity (person, device, or service) to a public key.

• It involves the issuance of certificates by trusted CAs after

identity verification, and the entire infrastructure relies on public
key cryptography to establish trust.

• The RA assists in the identity verification process, contributing to

the overall security and reliability of PKI.

• Use cases : SSL, Email signing, code signing, etc.

VERIFICATION OF CERTIFICATE
OpenSSL for verification
View Certificate Information:
First, you can view the information in the certificate to understand its contents.
openssl x509 -in certificate.pem -text -noout
Replace certificate.pem with the path to your certificate file.

Verify Certificate Signature:

Verify the signature of the certificate using the public key of the issuing CA.
openssl verify -CAfile ca-cert.pem certificate.pem
Replace ca-cert.pem with the path to the CA certificate file, and certificate.pem with
the path to your certificate file.

This command checks the signature of the certificate against the public key of the
CA. If the verification is successful, you'll see a message indicating that the
certificate is OK.