Wednesday, July 25, 2012

Certificate, Certificate Revocation List, and Certificate Authority

If you're preparing for the Security+ SY0-301 exam, you should have a basic understanding of a certificate, a certificate revocation list (CRL) and a certificate authority (CA). A reader recently sent me a query on these. I answered him directly but expanded my answer here to provide a little more detail.

Certificate

A certificate is a digital document that includes a public key and information on the owner of the certificate. As an example, this is a certificate for a user named Darril Gibson at GetCertifiedGetAhead.
[Figure: Darril Gibson certificate]
In the figure, the public key is selected so you can see that the public key is embedded within the certificate. The public key is used with a matching private key for asymmetric encryption. Entities (such as users or servers) share their public key by giving out copies of their certificate. The serial number is also included and uniquely identifies the certificate.
If you want to read more about how asymmetric encryption works, check out Understanding the HTTPS Process for Security+, which shows how asymmetric encryption is used to privately share a symmetric key in HTTPS with SSL and TLS. Another article that ties together multiple cryptography topics for the exam is Security+ Cryptography topics.
If you're running Windows 7, you can use these steps to view a certificate:
  1. Click Start, and enter MMC in the Search Programs and Files text box.
  2. Press Enter to open a blank Microsoft Management Console (MMC). If you're prompted by UAC, click Yes.
  3. Select File, Add/Remove Snap-in.
  4. Select Certificates and click Add.
  5. Ensure My User Account is selected and click Finish. Click OK.
  6. Expand Certificates - Current User. Expand Personal and click Certificates. If you have any certificates issued to you, you'll see them here. If you don't have any, you can encrypt a file using NTFS's Encrypting File System (EFS) and an EFS certificate will be created for you.
  7. Expand Trusted Root Certification Authorities and select Certificates.
  8. Double-click any certificate to open it. Click the Details tab and you'll see something similar to the previous figure.

Certificate Purposes

Certificates have multiple purposes including encryption, authentication, digital signatures, email encryption, code signing, and more. The following figure shows the properties of a certificate. This certificate is enabled for all purposes, but often a certificate is issued for only specific purposes. If you followed the previous steps, you can click the Edit Properties button to view the properties of that certificate.
[Figure: Certificate Properties]

Certificate Authority

A certificate authority or certification authority (CA) issues, manages, validates, and revokes certificates. The process of issuing a certificate is very specific and requires authentication before the certificate is issued. CAs can be public or private (external to a company or only used internally). For example, Verisign is a large public CA. It issues certificates to entities for authentication and encryption on the Internet.
The Trusted Root Certification Authorities store includes the root certificates from many different public CAs. Any certificate issued by a CA whose root certificate is in the Trusted Root Certification Authorities store is automatically trusted.
If you go to a web site that is using a certificate issued by a certification authority named Gibson's Cheap Certificates (which doesn't have a certificate in the Trusted Root Certification Authorities store), the web browser will give a warning saying this certificate is not trusted.

Certificate Revocation List

When an entity receives a certificate from another entity, it checks with the CA to verify the certificate is valid. For example, when your web browser receives a certificate from a web site, it checks with the CA to verify the certificate is valid. One way this is done is with a certificate revocation list (CRL).
A CRL is a list, published by the CA, of the serial numbers of all the certificates that CA has revoked. When an entity receives a copy of the CRL, it checks the serial number of the certificate it was given against the CRL. If the serial number is on the CRL, the certificate should not be used.
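As an added example (my own illustration, not code from the original post or from any product it mentions), the following Python script plays both sides of the process described in the Certificate and Certificate Revocation List sections: a private CA issues a certificate that carries a public key and a serial number, later publishes a CRL listing that serial number, and a relying party verifies the CRL's signature against the CA before deciding whether the certificate may still be used. It assumes the `cryptography` package is installed; the CA name and the reference date are constructed values.

```python
"""Added example, not from the original post: a private CA issues a
certificate (carrying a public key and a serial number, as in the figure
above), later revokes it by publishing a CRL, and a relying party checks
the serial number against that CRL. Assumes the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed reference time so validity periods are deterministic.
NOW = datetime.datetime(2012, 7, 25, tzinfo=datetime.timezone.utc)
ONE_DAY = datetime.timedelta(days=1)

def make_ca(name="Gibson Private CA"):
    """Self-signed root: the kind of certificate found in the Trusted Root store."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 3650 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, common_name):
    """Issue an end-entity certificate; the serial number is unique per issuing CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 365 * ONE_DAY)
            .sign(ca_key, hashes.SHA256()))

def publish_crl(ca_key, ca_cert, revoked_serials):
    """The CA signs a list of revoked serial numbers; relying parties fetch it."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + 7 * ONE_DAY))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def is_revoked(cert, crl, ca_cert):
    """Relying-party check: trust the CRL only if the issuing CA signed it."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA certificate")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

The signature check in `is_revoked` is what makes the list trustworthy: a CRL that does not verify against the issuing CA's public key is rejected rather than consulted.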

A Security+ Practice Test Question

This brings me to the query by the reader. He came across a practice test question similar to this:
An administrator has just been fired for making an unauthorized change to the network after being warned not to do so. Of the following choices, what would you update to block this administrator's access?
A. TLS
B. CA
C. PKI
D. CRL
Do you know the answer? Ideally, you should be able to look at any question and know why the correct answer is correct and why the incorrect answers are incorrect. When studying for a certification exam, ensure that your source includes full explanations if you want to fully understand the concepts.
Answer below.

Answer

D is correct. It is the only one that can be updated. Employees can be issued certificates from a private certification authority for authentication (such as with a smart card), and when the employee leaves, the smart card should not be used anymore. Revoking the certificate ensures the smart card cannot be used. In other words, the serial number of the employee's certificate is added to the certificate revocation list (CRL), and if anyone tries to use this certificate to authenticate, the CRL check will show that the certificate has been revoked.
A is incorrect. Transport Layer Security (TLS) is an encryption protocol used to encrypt traffic such as HTTP. You cannot update TLS.
B is incorrect. The certificate authority (CA) is the entity that issues and manages certificates. In a sense you are updating the CA when you are updating the CRL, but this is not the best answer.
C is incorrect. Public Key Infrastructure (PKI) refers to all the technologies used to request, create, manage, store, distribute, and revoke digital certificates. The infrastructure itself is not updated.

Summary

A certificate is used for many purposes including authentication and encryption. A certificate authority manages certificates throughout their lifetime, and when a certificate should no longer be used, it is revoked. CAs publish a certificate revocation list, which lists the serial numbers of all revoked certificates.