Public Key Infrastructure – CompTIA Security+ SY0-401: 6.3

If you have a large number of devices using a public key infrastructure, you’ll need a way to manage all of the keys in the infrastructure. In this video, you’ll learn about public key infrastructures and the key management lifecycle.

<< Previous Video: Digital CertificatesNext: Key Recovery >>

This entire section of the Security Plus exam is on Public Key Infrastructure, but what is a PKI? What is this really consist of? A Public Key Infrastructure is not just one single thing. It’s a mixture of a lot of things all working together– it’s policies, it’s procedures, it’s hardware and software, and people– all put together to create a standard way to distribute these certificates– to manage them, to create them, to store them, revoke them.

If you’re getting into doing anything related to public-key cryptography and you’re creating a Public Key Infrastructure, then you’re going to be creating something that’s pretty big. And it’s pretty important and you want to plan it out from the very beginning, and set all of these processes in place so they can be as successful as possible. This PKI is going to be responsible for building these certificates and then binding them to people, or binding them to resources. This is the Certificate Authority that’s doing this and there is an entire section of what we’ll talk about based on the trusts that are created between that Certificate Authority and the people that are using these certificates.

In a Public Key Infrastructure there is an entire life cycle that revolves around the keys. Obviously where we start with is creating the key to begin with. We are creating a key with a particular cipher, with a particular key strength, or key size. It’s one that is very specific and we’ll have to make decisions at the very beginning when we first create this key of exactly all of those technical details associated with the key generation process.

Then we’ll create a certificate. We will allocate that key to a person. We’ll bind those together and create that X.509 certificate that includes the key and all of those other things that we mentioned in our previous video. Then we distribute those keys to the end user and those certificates out to our certificate servers. We need to make sure that process is available to our users and that it is as secure as possible.

This key management lifestyle also includes then storing this information. We’re creating a lot of different certificates. We’re building out a lot of different keys. Some of these are extremely valuable, extremely private keys. We want to make sure they cannot be used for unauthorized use and so there is a very important storage mechanism we have to have in place for that. Ultimately there may be a need to revoke these keys.

Keys might be compromised– part of the business might shut down, people may leave the organization– or they just maybe a certain amount of time to that key is valid. And so at the end of that time frame, or for one of those other reasons, we need to have a process in place that is able to properly revoke those keys and make everyone realize and understand that we have revoked them. Perhaps have some key revocation lists or other mechanisms in place so that people understand which keys have been revoked and which ones have not. And finally, an expiration.

Keys may only have a certain shelf life. You may have created them to only be valid for 3 months, or 6 months, or 1 year. And at that time the key is no longer valid and you will have to create new keys. You’ll see that happen all the time. And that’s one of the things about this management life style is then it goes all the way back to the top again where we create new keys because those have expired and we are able to perform the entire process over again. As long as you’re thinking about your Public Key Infrastructure, and building out your processes and your procedures to take into account every single step along the way of this life cycle you should have a very, very successful PKI.