The Network Device Enrollment Service (NDES) allows software on routers and other network devices to obtain digital certificates without having any domain credentials. NDES is one of the role services of the Active Directory Certificate Services (AD CS) role. NDES implements the Simple Certificate Enrollment Protocol (SCEP), which defines the communication between the Registration Authority (RA) and network devices for certificate enrollment.

“The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible.”

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Object Identifier (OID)

Object Identifiers (OIDs) work much like the Internet domain name space: an organization that needs such an identifier can have a root OID assigned to it and can then create its own sub-OIDs, much as it can create subdomains. A large and standardized set of OIDs already exists.

An OID corresponds to a node in the “OID tree” or hierarchy, which is formally defined using the ITU’s OID standard, X.660. The root of the tree contains the following three arcs:

  1. ITU-T
  2. ISO
  3. joint-iso-itu-t

What is an Object Identifier (OID)?

An OID, or Object Identifier, can be applied to each CPS (Certificate Practice Statement). The OID is an identifier that is tied to the CPS or, if multiple policies are defined, to each CA’s certificate policy.

Object Identifiers are controlled by IANA, and you need to register a Private Enterprise Number (PEN), that is, an OID arc under the 1.3.6.1.4.1 namespace. Here is the PEN registration page: https://pen.iana.org/pen/PenApplication.page

When acquired, your OID namespace will look as follows: 1.3.6.1.4.1.{PENnumber}. You can assign certificate policies under your private namespace, for example:

  • 1.3.6.1.4.1.{PENnumber}.1.1 – Smart Card issuance policy
  • 1.3.6.1.4.1.{PENnumber}.1.2 – Digital signature certificate issuance policy
  • 1.3.6.1.4.1.{PENnumber}.1.3 – Encryption certificate with key archival issuance policy

For general purpose CAs, you can use a universal Object Identifier with the value 2.5.29.32.0. This identifier means “All Issuance Policies” and is a sort of wildcard policy. Any policy will match this identifier during certificate chain validation.

Where do you get an OID?

An OID is a unique sequence of numbers that identifies a specific directory object or attribute. You can define an OID for a CPS as either a public or a private OID.

If the organization plans to use PKI-enabled applications in conjunction with other organizations, it must get an OID from a public number-assignment company to ensure that its OID will be unique on the Internet. Sources for public OIDs include:

  • The Internet Assigned Numbers Authority (IANA). This source issues free OIDs under the Private Enterprises arc. Every OID assigned by the IANA begins with the numbers 1.3.6.1.4.1 representing iso(1).org(3).dod(6).internet(1).private(4).enterprise(1).

Note: An arc is the term used to reference a specific path in the global OID tree maintained by the International Organization for Standardization (ISO) and the International Telecommunication Union. This global OID tree is sometimes referred to as the joint ISO/ITU-T tree. For example, the Private Enterprises arc contains all OIDs that begin with 1.3.6.1.4.1.

  • The American National Standards Institute (ANSI). This source issues OIDs for purchase under the U.S. Organizations arc of the ANSI OID tree. Every OID assigned by the ANSI begins with the numbers 2.16.840.1 representing joint-iso-itu-t(2).country(16).US(840).US company arc(1).

  • Other countries. Each country has its own OID-management organization. The easiest way to discover the organization for a given country is to perform a Google search (www.google.com) with the search phrase Country (where Country is the name of the given country) and “Object Identifier.” Here are some examples of the arcs available within the joint ISO/ITU-T tree:

    • Canada: joint-iso-itu-t(2).country(16).canada(124)
    • Netherlands: joint-iso-itu-t(2).country(16).netherlands(528)
    • Switzerland: joint-iso-itu-t(2).country(16).switzerland(756)
    • Thailand: joint-iso-itu-t(2).country(16).thailand(764)

You can also generate a private OID based on your forest’s globally unique identifier (GUID) within the Microsoft IANA-assigned tree. If you decide to use these OIDs, you will have an OID assigned from 1.3.6.1.4.1.311.21.8.a.b.c.d.e.1.402 (where a.b.c.d.e is a unique string of numbers based on your forest’s GUID).

Note: Use the private OID tree only if you do not foresee using the OIDs in conjunction with other organizations and your organization is unwilling to obtain a free OID from the IANA. If you plan on using PKI-enabled applications within other organizations, obtain a free OID tree from the IANA or buy a tree from the ANSI.

Tip: You can obtain your forest’s private OID by opening the Certificate Templates (certtmpl.msc) console as a member of the Enterprise Admins group. In the console tree, right-click Certificate Templates and click View Object Identifiers. In the resulting dialog box, you can choose the High Assurance Object Identifier and click the Copy Object Identifier button. Once you copy the OID, you can plug your forest’s values into the placeholders a.b.c.d.e, removing any trailing digits.
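The arcs described above can be checked mechanically. The following is an added example, not code from the original article: it validates a dotted OID, reports which of the registration arcs named in the text it falls under, and goes one step beyond the text by encoding it to the DER bytes that actually appear inside a certificate. The PEN `99999` is a constructed placeholder.

```python
# Added example: validate a dotted OID, classify its registration arc,
# and DER-encode/decode it (the byte form found inside a certificate).
ANY_POLICY = "2.5.29.32.0"  # "All Issuance Policies" wildcard from the text
ROOT_ARCS = {0: "itu-t", 1: "iso", 2: "joint-iso-itu-t"}
# Registration arcs named in the text, most specific prefix first.
KNOWN_ARCS = [
    ((1, 3, 6, 1, 4, 1, 311, 21, 8), "Microsoft forest-GUID private arc"),
    ((1, 3, 6, 1, 4, 1), "IANA Private Enterprises arc"),
    ((2, 16, 840, 1), "ANSI US organizations arc"),
    ((2, 16), "joint-iso-itu-t country arc"),
]


def parse_oid(dotted):
    """Return the arcs of a dotted OID as ints, or raise ValueError."""
    parts = dotted.split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted OID: {dotted!r}")
    arcs = [int(p) for p in parts]
    if arcs[0] not in ROOT_ARCS:
        raise ValueError("first arc must be 0, 1 or 2")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be 0..39 under itu-t and iso")
    return arcs


def classify(dotted):
    """Describe where an OID sits in the tree and extract its PEN, if any."""
    arcs = parse_oid(dotted)
    info = {"root": ROOT_ARCS[arcs[0]], "arc": None, "pen": None,
            "any_policy": arcs == parse_oid(ANY_POLICY)}
    for prefix, label in KNOWN_ARCS:
        if tuple(arcs[:len(prefix)]) == prefix:
            info["arc"] = label
            break
    if tuple(arcs[:6]) == (1, 3, 6, 1, 4, 1) and len(arcs) > 6:
        info["pen"] = arcs[6]  # the number IANA assigned to the organization
    return info


def _base128(n):
    """Encode one sub-identifier: 7 bits per byte, high bit = 'more follows'."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def der_encode_oid(dotted):
    """DER OBJECT IDENTIFIER: tag 0x06, length, first two arcs packed as 40*a+b."""
    arcs = parse_oid(dotted)
    body = _base128(40 * arcs[0] + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("OID too long for the short-form length used here")
    return bytes([0x06, len(body)]) + body


def der_decode_oid(data):
    """Inverse of der_encode_oid; rejects truncated or non-minimal encodings."""
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = data[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    values, cur = [], 0
    for b in body:
        if cur == 0 and b == 0x80:
            raise ValueError("non-minimal sub-identifier (leading 0x80)")
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(cur)
            cur = 0
    first = min(values[0] // 40, 2)
    arcs = [first, values[0] - 40 * first] + values[1:]
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    # Constructed sample OIDs; 99999 is a placeholder PEN.
    for oid in ("1.3.6.1.4.1.99999.1.1", "2.16.756.1", ANY_POLICY):
        print(oid, classify(oid), der_encode_oid(oid).hex())
```

An unfilled template such as `1.3.6.1.4.1.{PENnumber}.1.1` is rejected by `parse_oid`, which catches a placeholder that was never replaced before it reaches a CA configuration.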

Certificate Policies Extension

The Certificate Policy extension, if present in an issuer certificate, expresses the policies that are followed by the CA, both in terms of how identities are validated before certificate issuance as well as how certificates are revoked and the operational practices that are used to ensure integrity of the CA. These policies can be expressed in two ways: as an OID, which is a unique number that refers to one given policy, and as a human-readable Certificate Practice Statement (CPS). One Certificate Policy extension can contain both the computer-sensible OID and a printable CPS. One special OID has been set aside for any policy, which states that the CA may issue certificates under a free-form policy.

IETF RFC 2527 gives a complete description of what should be present in a CA policy document and CPS. More details on the 2527 guidelines are given in the “PKI Policy Description” section.

As per RFC5280 §4.2.1.4, an entry in the Certificate Policies extension consists of a policy identifier (OID) at a minimum. A single Certificate Policies extension may contain multiple entries, one entry per policy. A policy identifier may be combined with one or more policy qualifiers. RFC5280 supports two policy qualifiers:

  1. CPS Pointer
  2. User Notice

CPS Pointer is a URL to a Certificate Practice Statement document that describes the policy under which the certificate in question was issued.

User Notice is a small piece of text (the RFC recommends using no more than 200 characters) that describes the policy.

Microsoft requires that the Certificate Policies extension consist of a policy identifier and one or more policy qualifiers. The preferred policy qualifier is a CPS Pointer, because a User Notice is short and cannot provide enough information, while a CPS Pointer lets you provide a URL to a CPS document or web page. Another reason to use a CPS Pointer is that when you open a digital certificate in the UI, there is a button called “Issuer Statement”.


The certificate GUI dialog looks for the Certificate Policies extension in the certificate and activates the button when it is found. Pressing the button takes you to the first CPS Pointer URL, where you can read the certificate issuer's statement.

Have you wondered why a root CA certificate does not need a Certificate Policies extension? It is because an implicit Certificate Policies extension with the wildcard “All Issuance Policies” is implied for self-signed certificates. No custom policies shall be defined at the root level. The Certificate Policies extension must appear at the 2nd level (the Policy CA in a 3-tier hierarchy, or the Issuing CA when the Policy and Issuing CA roles are combined in a 2-tier hierarchy).

For example, Certificate Policies appearance in a 3-tier hierarchy:

Root CA – no Certificate Policies extension

Policy CA – Certificate Policies extension with one or more policies

Issuing CA – Certificate Policies extension with one or more policies

Leaf certificate – Certificate Policies extension with one or more Policies

NOTE: In a 2-tier hierarchy, the path is shorter, but the same rules apply.
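The rules in this section can be turned into a check over a certificate hierarchy. The following is an added example, not code from the original article: it lints a chain against the placement and qualifier rules above and computes which issuance policies remain valid at the leaf, using a simplified form of RFC 5280 policy processing that assumes no policy mappings, policy constraints or inhibitAnyPolicy. The `Cert` and `Policy` classes, the PEN `99999` and the CPS URL are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ANY_POLICY = "2.5.29.32.0"           # "All Issuance Policies" wildcard
ARC = "1.3.6.1.4.1.99999.1"          # constructed placeholder PEN arc
SMART_CARD, SIGNING, ENCRYPTION = ARC + ".1", ARC + ".2", ARC + ".3"
CPS = "https://pki.example.com/cps"  # constructed CPS Pointer URL


@dataclass
class Policy:
    oid: str
    cps_uri: Optional[str] = None      # CPS Pointer qualifier
    user_notice: Optional[str] = None  # User Notice qualifier


@dataclass
class Cert:
    name: str
    policies: List[Policy] = field(default_factory=list)  # empty = no extension


def effective_policies(chain):
    """Policies valid for the whole path; chain is ordered root first."""
    valid = {ANY_POLICY}  # implied for the self-signed root
    for cert in chain[1:]:
        asserted = {p.oid for p in cert.policies}
        if not asserted:
            return set()  # missing extension: no policy survives
        # A specific policy survives if the issuer side allows it,
        # either by name or through the wildcard.
        kept = {oid for oid in asserted - {ANY_POLICY}
                if oid in valid or ANY_POLICY in valid}
        # anyPolicy in this certificate carries every current policy forward.
        if ANY_POLICY in asserted:
            kept |= valid
        valid = kept
        if not valid:
            return set()
    return valid


def lint(chain):
    """Findings against the placement and qualifier rules described above."""
    findings = []
    if chain[0].policies:
        findings.append(f"{chain[0].name}: root CA should not define policies")
    for cert in chain[1:]:
        if not cert.policies:
            findings.append(f"{cert.name}: Certificate Policies extension missing")
        for p in cert.policies:
            if not (p.cps_uri or p.user_notice):
                findings.append(f"{cert.name}: {p.oid} has no policy qualifier")
            if p.user_notice and len(p.user_notice) > 200:
                findings.append(f"{cert.name}: {p.oid} User Notice exceeds 200 chars")
    return findings


def build_chain(issuing_oids, leaf_oids):
    """Constructed 3-tier sample: Root CA, Policy CA, Issuing CA, leaf."""
    def make(oids):
        return [Policy(oid, cps_uri=CPS) for oid in oids]
    return [Cert("Root CA"),
            Cert("Policy CA", make([SMART_CARD, SIGNING])),
            Cert("Issuing CA", make(issuing_oids)),
            Cert("Leaf", make(leaf_oids))]


if __name__ == "__main__":
    cases = {
        "narrowed by issuing CA": build_chain([SMART_CARD], [SMART_CARD]),
        "wildcard at issuing CA": build_chain([ANY_POLICY], [SIGNING]),
        "leaf policy not allowed": build_chain([SMART_CARD], [ENCRYPTION]),
    }
    for label, chain in cases.items():
        print(label, sorted(effective_policies(chain)), lint(chain))
```

An empty result means no issuance policy is valid for the path, which is what an application that requires a specific policy OID would treat as a failure.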

  • Private and Public Keys: PKI uses these asymmetric keys to establish and secure an encrypted connection over the network using asymmetric encryption.
  • Public Key Certificates: These are issued by Certificate Authorities and prove the ownership of a public key. They state the authenticity of the keyholder.
  • Certificate Authority: Certificate Authorities, or CAs, are trusted entities which verify the organization and generate digital certificates which contain information about the organization, as well as the public key of that organization. The digital certificate is signed by the private key of the Certification Authority. This digital certificate can also serve as the identity of the organization and verify them as owners of the public key.
  • Certificate Repository: A location where all certificates are stored, as well as their public keys, validity details, revocation lists, and root certificates. These locations are accessible through LDAP, FTP or web servers.
  • Automating PKI Operations: Automation helps in issuing, revoking, and renewing certificates, and is done through certificate management software. A PKI exists to provide robust security; if these tasks are not automated, a single invalid or revoked certificate left in use can bring productivity or the network to a halt, which may be catastrophic.

Path Length of Basic Constraints

PKI helps us create secure networks. It uses asymmetric encryption to secure data in transit. A PKI also issues certificates, which help in verifying the identity of computers, routers, IoT devices, and other devices in the network. This decreases the chance of Man-in-the-Middle (MITM) attacks and other spoofing attacks. It can also be used to create digital certificates which can further strengthen someone’s identity and establish trust.

Without PKI, it can be difficult for one computer to trust another, which opens up the possibility of MITM attacks. Today’s internet has tons of devices, including mobile phones, smartwatches, and IoT devices, where the privacy and security of data in transfer might be a concern. Payment systems also need a seamless encrypted network with both endpoints being trusted, which is created with ease with the help of a PKI.

PKI can be used in:

  • Establishing Secure Networks and encrypted connections
  • Code Signing
  • Browsing
  • Online shopping and the Payment Industry

Public Key Infrastructure (PKI)

    Public Key Infrastructure (PKI) is a solution where, instead of using Email ID and Password for authentication, certificates are used. PKI also encrypts communication, using asymmetric encryption, which uses Public and Private Keys. PKI deals with managing the certificates and keys and creates a highly secure environment that can also be used by users, applications, and other devices. PKI uses X.509 certificates and Public Keys, where the key is used for end-to-end encrypted communication, so that both parties can trust each other and test their authenticity.

    PKI is mostly used in TLS/SSL to secure connections between the user and the server, while the user tests the server’s authenticity to make sure it’s not spoofed. SSL certificates can also be used to authenticate IoT devices.

    Why do we use PKI?

    PKI offers a way to identify people, devices, and apps, while providing robust encryption so that communication between both parties can remain private. Besides authentication and identification, PKI provides digital signatures and certificates to create unique credentials for the certificate holder and to validate the certificate holder.

    PKI is used all over the Internet in the form of TLS/SSL. When a client (in this case, a web browser) communicates with a server, the client gets ahold of the certificate and validates it to ensure its authenticity. Next, it employs asymmetric encryption to encrypt the traffic to and from the server. The digital certificate contains information such as the validity period of the certificate, issuer of the certificate, certificate holder, public key, signature algorithm, etc.

    PKI Certificate Details
    Certificate Information Of PKI

    It also contains a certification path. A certification path is an ordered list consisting of the issuer’s public key certificate and more, if applicable.

    Certification Path Of PKI

    A certification path must be validated before it can be relied upon to establish trust in a subject’s public key. Validation can consist of various checks on the certification path’s certificates, such as verifying the signatures and checking that each certificate has not been revoked. The PKIX standards define an algorithm for validating certification paths consisting of X.509 certificates.

    Certificate Stages - Root - Intermediate - End Entity

    Apart from being used as SSL over the internet, PKI is also used for digital signatures and to sign software. PKI is also being used in smart devices, phones, tablets, game consoles, passports, mobile banking, etc. To overcome compliance challenges, follow all regulations and maintain security at its best, organizations are using PKI in more than a few ways to keep all things secure.

    PKI In Detail

    What are the encryptions used in PKI?

    PKI makes use of both symmetric and asymmetric encryption to keep all its assets secure.

    Asymmetric encryption, or Public Key Cryptography, uses two separate keys for encryption and decryption. One of them is known as the public key, and the other is the private key. The public key can be generated from the private key, but the private key cannot be generated from the public key. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Together, these keys are called the “Public and Private Key Pair”.

    Asymmetric Key Cryptography

    In SSL certificates used for encrypted communication between a client and a server, a public key is attached to the certificate, which will initiate a secure communication between two parties. Asymmetric encryption is a newer type and slower compared to symmetric encryption.

    Asymmetric encryption is used to exchange a secret key, which is done during the initial handshake between the two parties.

    The secret key exchanged is used to establish symmetric encryption for further communication. Symmetric encryption is faster than asymmetric encryption, so the combination of the two provides robust end-to-end security.

    Symmetric encryption, unlike Asymmetric encryption, uses only one key for both encryption and decryption. It is faster than asymmetric encryption, but if the key is compromised, anyone can decrypt the contents encrypted. Therefore, asymmetric encryption is used to ensure the secret key is not compromised, and the connection remains secure.


    What are Digital Certificates? What is their role?

    Digital certificates are widely used in PKI. A digital certificate is a unique form of identification for a person, device, server, website, or other application. Digital certificates are used for authentication as well as for validating the authenticity of an entity. They also make it possible for two machines to establish encrypted communication and trust each other without the fear of being spoofed. They also help with verification in the payment industry, which allows e-commerce to grow and be trusted.

    The certificate can be of two types.

    1. Self-signed certificate: Users can create their own certificates, which can be used for internal communication between two trusted parties.
    2. Signed by Certification Authority: A Certification Authority issues a certificate which can be used for TLS/SSL on the website. Customers can validate the certificate from the third-party issuer, which would validate the server’s authenticity.

    Before a Certification Authority issues a certificate, the issuer makes sure that it is given to the right entity. Several checks are made, such as if they are the domain name holders, etc. The certificate is issued only after the checks are complete.

    What is X.509 standard?

    Most public certificates use a standard, machine-readable certificate format for certificate documents. It was initially called X.509v3. The format is used in many ways, such as:

    • Internet Protocols (TLS/SSL, which makes secure HTTP connections)
    • Digital Signatures
    • Digital Certificates
    • Certificate Revocation Lists (CRLs)

    What does PKI consist of? Where are the certificates created and stored?

    PKI, or Public Key Infrastructure, uses multiple elements in its infrastructure to ensure the security it promises. PKI uses digital certificates to maintain and validate people, devices, and software accessing the infrastructure. A Certification Authority, or CA, issues these certificates. A Certification Authority issues and validates certificates issued to a user, device, software, a server, or another CA. The CA ensures the certificates are valid, and also revokes certificates and maintains their lifecycle.

    All certificates requested, received, and revoked by CA are stored and maintained in an encrypted certificate database. A certificate store is also used, which stores certificate history and information.

    What is a Certification Authority?

    A Certification Authority certifies the identity of the requestor. The requestor can be a user, application, etc. The identification mode is determined by the type of CA, the security policies, and the requirements for handling requests.

    During setup, a certificate template is chosen, and the certificate is issued upon request based on the given information. The CA also releases revocation lists, called CRLs, which ensure that invalid or unauthorized certificates cannot be used anymore.

    The Root CA is a trusted certificate authority, has the highest hierarchy level, and serves as a trust anchor. While validating a certificate path, the root certificate is the last certificate that is checked. For the most part, the Root CA remains offline and should stay air-gapped to make sure it is never compromised. The Root CA signs certificates for the issuing CAs and other subordinate CAs that are used around the network. If an issuing CA fails, another can be created, but if a Root CA fails or gets compromised, the whole network needs to be recreated.

    A Subordinate CA is under the Root CA but is above endpoints. Subordinate CAs help in issuing certificates, managing policies, etc. Their main objective is to define and authorize types of certificates that can be requested from the root CA. Example: Subordinate CAs may differ by location, or one CA may handle RSA keys, and the other may handle ECC keys.

    What are CRLs?

    A Certificate Revocation List (CRL) is a list of all digital certificates that have been revoked. A certification authority populates its CRLs, as the CA is the only entity that can revoke the certificates it issues.

    Without a revocation list, it is harder to find out whether a certificate has been revoked before its expiration date. The revocation list is similar to a list of unauthorized entities.

    A certificate can expire when its lifecycle ends. When the certificate is created, it is also set how long the certificate will remain valid.

    If, however, within that time frame the key is compromised, or the user resigns, or for other such reasons, the certificate is revoked so that it can’t be used to get access. The certificate is flagged as unauthorized and then cannot be used by someone else.

    What is a Delta CRL?

    In a large organization, CRLs can grow to be quite massive. Since a certificate must remain in the CRL until it expires, entries can stay on for several years. Transferring the whole CRL from one server to another can take a while. To make this process quicker, the CA issues a delta CRL, which only includes the changes made since the last CRL update. This makes the transfer much shorter and the updating of CRLs much quicker.

    What is an ARL?

    An Authority Revocation List (ARL) is a derivative of a CRL. It contains revoked certificates issued to Certificate Authorities rather than users, software, or other clients. An ARL is only used to manage a chain of trust.

    What is OCSP?

    The Online Certificate Status Protocol (OCSP), described in RFC 6960, is used to confirm a digital certificate’s revocation status. OCSP is a simpler and faster way to check revocation than CRLs since CA’s checks are performed instead of PKI. The data transferred is less, which helps the CA to parse the data.

    However, OCSP is less secure than CRLs. Reasons include:

    • OCSP is less informative. The only information the CA sends back is either “good”, “bad” or “unknown”.
    • OCSP does not have requirements for encryption.
    • Replay is possible: a “good” response can be captured and replayed in answer to another OCSP request.


    What is a two-tier architecture in PKI?

    A two-tier architecture is a layout that would meet the requirements of most organizations. The root CA lies on the first tier, which should remain offline and air-gapped. The subordinate Issuing CA should be online under it. Since we separate the roles of Root CA and Issuing CA, security increases. The Root CA being offline protects its private keys better and reduces the chances of being compromised.

    Two-tier architecture also increases scalability and flexibility, and thus also increases fault tolerance. Since we separate the roles, multiple issuing CAs can be created and placed under a load balancer. This also enables us to have CAs in different regions and to use different security levels depending upon the region. Manageability also increases, as the CAs are separate and the Root CA needs to be brought online only to sign CRLs.

    Two-tier architecture is the highly recommended design for most PKI solutions.

    What is a three-tier architecture in PKI?

    Like two-tier architecture, three-tier architecture has an offline root CA at the top and online issuing CAs at the bottom, but an intermediate tier is placed between them, holding CAs which should remain offline. An intermediate CA may act as a policy CA, which dictates what policies are to be followed while issuing a certificate. For example, any authenticated user may be able to get a certificate, or the user may need to appear in person for certificate approval.

    However, if an issuing CA faces compromise or something similar, the second level can revoke the certificates while keeping the rest of the branches alive.

    Three-tier PKI does increase security, scalability and flexibility, but comes with increased cost and management effort. If an organization does not implement administrative or policy boundaries, then the middle tier may remain unused, so three tiers are not usually recommended or used.

    Implementation of PKI

    What are the challenges solved by PKI?

    1. Trust: PKI helps users confirm the validity of devices and websites. This ensures that users are connecting to the right website. Also, the communication between the user and the server remains encrypted. This removes the chances of being spoofed or of a man-in-the-middle attack.

      PKI also helps customers trust e-commerce websites and make online payments securely. PKI ensures the authenticity of all parties involved and also encrypts communication between them, which allows them to grow a sense of trust.

    2. Authentication: Passwords have been weak since people tend to share them, write them on a post-it, etc. PKI creates digital certificates that validate their identity, and since identity is validated, it works to authenticate users, devices, and applications.
    3. Security:

      PKI does improve security, as when trust is increased and authentication is implemented, the only attack vector that remains is PKI itself. People tend to be the weakest links in security, and when PKI is implemented, users are not left with much control. PKI ensures all policies are maintained, security is in place, and digital certificates (in the form of smart cards) help ensure that users would not be using passwords or PINs, which can be easily compromised. The only remaining variable would be PKI, which can be secured, thus protecting the network.

    PKI for Internet

    Browsing the internet is often done using HTTPS, a secure version of HTTP that is the primary way to visit websites. While we use HTTPS, our connection to the server is encrypted. To ensure we connect to the correct server, our browser initially accepts a certificate from the server. Then it validates the certificate and uses the public key in the certificate to establish a secure connection.

    That certificate proves the server’s authenticity, increases security, encrypts the connection, and lets the user trust the website.

    If the certificate is invalid or expired, the browser will notify the user not to trust the website and often may not even allow the user to visit that particular website. The browser may also stop the user from visiting sites that are not using HTTPS connections.

    PKI for authentication

    PKI provides digital certificates that prove the authenticity of the user. Once the user's identity is established and the user is authorized, the certificate can authenticate the user to a physical area using smart cards, or to the network.

    Digital certificates can also authenticate other devices and servers, giving them access and privileges on the network. This can also include Intrusion Detection Devices or other network devices such as routers.

    PKI for communication

    PKI can be used for communication, where both parties can check each other’s authenticity, which leads them to trust each other’s identity and then also encrypt their conversation. This greatly increases the security and trust among the parties participating in the communication.

    PKI in IoT

    Earth has more devices than people. In the US, there are 11 connected devices on average in each household. Managing all these devices and having enough IP addresses for them has been a challenge. In November 2019, Europe ran out of IPv4 addresses. For this reason, IPv6 came out in 2012 and has been in use ever since.

    The number of devices is only bound to increase due to the boom in IoT. With increasing smart devices, it becomes a challenge to confirm these devices’ digital identity and provide proper network security.

    PKI provides a way to assign digital certificates to smart devices and secure a connection to the server. This helps OEMs to track the smart devices, push updates, and monitor and even fix them if necessary. It also keeps IoT devices secure from any attack, which can be catastrophic as it can affect our homes and our personal space.


    Encryption Consulting – PKI Advisory Services

    Encryption Consulting, with its top-of-the-line consultants, provides a vast array of PKI services for all customers. Our services include:

    • PKI Assessment: The assessment will identify gaps and provide recommendations as part of a comparative study of the current and future state of the customer’s PKI. This study will provide the customer with a valuable risk report, a roadmap to improvement, and a way to prioritize data security investments.
    • PKI Design/Implementation: Designing and implementing a successful PKI needs expertise. This is where we can help customers. To assist you in this, we design PKI and supporting processes. Post design, we help you with implementing/migrating PKI technology and infrastructure, including the root and issuing CAs. We develop PKI policies, rules and operational processes in alignment with your business needs.
    • PKI CP/CPS Development: The CP and CPS documents describe the architecture of your specific PKI, and include sections on certificate uses, naming, identification, authentication, key generation, procedures, operational controls, technical controls, revocation lists, audits, assessments, and legal matters.
      Encryption Consulting will work collaboratively with customer stakeholders to develop a Certificate Policy (CP) / Certificate Practice Statement (CPS) document following the template provided in Request for Comment (RFC) #3647.
    • PKI As A Service: Encryption Consulting’s PKI As A Service offers you a customizable, high-assurance Microsoft PKI designed and built to the highest standards. It’s a low-risk managed solution that gives you full control of your PKI without having to worry about the complexity.
    • PKI Training: Encryption Consulting offers PKI training for anyone using or managing certificates, designing or deploying a PKI enterprise solution, or evaluating and selecting a commercial PKI technology solution.

Discovering the digital certificates installed on the endpoints of the network requires certificate scanning. A scan stores details of each certificate such as location, type, health, expiration date, position in the chain of trust, etc. This helps detect flaws in the network and also helps in mapping the network infrastructure.

While we can keep track of certificates manually, doing so needs supplementary materials or files, such as a spreadsheet, which can expose critical data. It also results in scalability issues when we have to cover thousands of endpoints, which is where automation can help.

Certificate scanning can be automated to run at a particular time, or can be initiated manually. Scans can cover the on-premises network or infrastructure in the cloud. They can also be customized, for example to cover a specific area of the network. The output can be made available on dashboards or sent via email.

Read time: 15 mins

Security and safety on the internet are essential, and individuals and organizations often have a legitimate need to encrypt and verify the identity of the individuals they are communicating with.

A certificate authority is a trusted entity that issues digital certificates. A certificate authority performs three major tasks:

  • Issues certificates
  • Certifies the identity of the certificate owner
  • Proves the validity of the certificate

Digital Certificates

A certificate, or a digital certificate, is a set of data to verify an entity’s identity. Certificates are issued by CAs and follow a specific format (X.509 certificate standard).

The information contained in a certificate is:

  • Subject: Provides the name of the computer, user, network device, or service that the CA issues the certificate to.
  • Serial Number: Provides a unique identifier for each certificate that a CA issues.
  • Issuer: Provides a distinguished name for the CA that issued the certificate.
  • Valid From: Provides the date and time when the certificate becomes valid.
  • Valid To: Provides the date and time when the certificate is no longer considered valid.
  • Public Key: Contains the public key of the key pair that is associated with the certificate.
  • Signature Algorithm: The algorithm used to sign the certificate.
  • Signature Value: Bit string containing the digital signature.

Learn more about digital certificates: Digital Certificate and Windows Certificate Stores | Encryption Consulting

How Does a Certificate Authority Work?

The process for getting a certificate authority to issue a signed certificate is explained below:

  1. The requestor or client creates a key pair (public and private key) and submits a request known as a certificate signing request (CSR) to a trusted certificate authority. The CSR contains the public key of the client and all the information about the requestor.
  2. The CA validates whether the information on the CSR is true. If so, it issues and signs a certificate using the CA’s private key and then gives it to the requestor to use.
  3. The requester can use the signed certificate for the appropriate security protocol:

Uses of a certificate authority

Certificate authorities issue various types of certificates, one of which is an SSL certificate. SSL certificates are used on servers and are the most common certificate that an everyday user would come in contact with. The three levels of an SSL certificate are:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

Certificates with higher levels of trust usually cost more as they require more work on the part of the certificate authority.

  1. Extended Validation (EV): These certificates provide the highest level of assurance from the certificate authority that it has validated the entity requesting the certificate. During verification of an EV SSL certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the CA/Browser Forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate.

    For example: An individual requesting an EV certificate must be validated through face-to-face interaction with the applicant as well as review of a personal statement, one primary form of identification, such as a passport or driver’s license, as well as two secondary forms of identification.

  2. Organization Validation (OV): OV certificates provide security assurance and require human verification of the organization’s identity. OV SSL certificates assure visitors that they’re on a website run by an authentic business. Before an OV certificate is granted, a member of the security team must contact the business to confirm that the owners actually requested the SSL certificate.
  3. Domain Validation (DV): Domain Validation certificates are the easiest of all the certificates to get, since no manual identity check takes place. DV SSL certificates require only that the applicant demonstrate ownership of the domain for which the certificate is being requested.

    DV certificates can be acquired almost instantly and at low to no cost.

    For example: ACM Cert Manager’s DNS or Email validation.


Certificate authorities also issue other types of digital certificates:

  1. Code signing certificates: Used by software publishers and developers to sign their software distributions. End-users use these to authenticate and validate software downloads from the vendor or developer.
  2. Email certificates: Enable entities to sign, encrypt, and authenticate email using the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol for secure email attachments.
  3. Device certificates: Issued to Internet of Things (IoT) devices to enable secure administration and authentication of software or firmware updates.
  4. Object certificates: Used to sign and authenticate any type of software object.
  5. User or client certificates: Used by individuals for various authentication purposes.

Client-Server Authentication via Certificate Authority (CA):

The CA issues a digital certificate, also known as an SSL/TLS certificate, that binds a public key to some information related to the entity that owns that public key. This enables any system to verify the entity-key binding of any presented certificate.

Step 1
The first step is finding out if the CA is a trusted CA. The CA name is taken from the certificate and compared to a list of trusted CAs provided by the web browser. If the CA name is found to be a trusted CA, the client will then get the CA’s corresponding public key to use in the next validation step.
Step 2
In this step, the digital signature on the server’s certificate will be validated. It is basically the hash of the CA’s Public key.
Step 3
To validate the digital signature, the client hashes the CA’s public key with the same hash algorithm used by the CA to get the digital signature.
Step 4
If the two hashes match then the digital signature is valid and the certificate is authenticated. If the hashes do not match then the certificate is invalid and cannot be authenticated.
Step 5
Certificate expiration dates also need to be checked to validate the certificate.
Step 6
Once a certificate is authenticated, the identity of the owner of the certificate will be authenticated as well.

CA Hierarchy options:

CAs are hierarchical in structure, and there are generally three types of hierarchies: one-tier, two-tier, and three-tier.

Single/One-Tier Hierarchy:

In this type of hierarchy, the single CA is both an Issuing CA and a Root CA. The Root CA is installed as an Enterprise CA, leaving the Root CA in the network as a member of a specific domain. In short, the Root CA is always available to issue certificates to requesting users, computers, network devices etc.

This single-tier hierarchy is not recommended for any production scenario because with this hierarchy, a compromise of this single CA equates to a compromise of the entire PKI.

Two-Tier Hierarchy:

A two-tier hierarchy meets most companies’ needs. This design comprises an offline Root CA and an online Subordinate issuing CA. In this model, the level of security is increased because the Root CA is detached from the network, so the private key of the Root CA is better protected from compromise. The two-tier hierarchy also increases scalability and flexibility, since there can be multiple Issuing CAs subordinate to the Root CA. This allows CAs to exist in different geographical locations, as well as at different security levels.

Three-Tier Hierarchy:

In a three-tier CA hierarchy, an offline Root CA is installed as a standalone Root CA, and one or more offline Intermediate/Policy CAs and one or more issuing CAs are installed as Enterprise Subordinate CAs. The Policy CA is configured to issue certificates to the Issuing CA which is restricted in what type of certificates it issues. One of the reasons the second layer is added in this hierarchy is that if you need to revoke a number of CAs due to a key compromise, you can perform it at the Second level, leaving other “branches from the root” available. It should be noted that Second Tier CAs in this hierarchy can, like the Root, be kept offline.

Conclusion

A certificate authority plays the key role of facilitating secure communication and building trust between a user and a resource by verifying that the organization and client in question are authentic or valid.

For a complete list of the recommendations for planning a CA hierarchy, along with the level of business impact at which you should consider implementing them, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level.

Read Time: 10 min

E-commerce businesses are becoming ever more dependent on the digital economy and electronic information, which demands exacting data privacy compliance and a data security framework.

Public Key Infrastructure (PKI) is becoming essential for building and mapping the secure relationship between users, devices, services and organizations and their digital identities, in the form of digital signatures and certificates.

To all the crypto engineers out there: have you ever thought of a PKI implementation with minimal configuration and a fully scalable feature set comprising all the benefits that a cloud implementation has to offer?

Welcome to AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA offers almost all the same features provided by On-prem PKI providers.

Let’s understand the PKI offerings from AWS

AWS offers two services in the Cloud PKI space:

  1. AWS Certificate Manager: An AWS managed service, known as ACM, which provisions SSL/TLS-based X.509 public certificates used for various purposes (e.g. web server authentication). This service is targeted at customers who need a secure web presence using TLS certificates.

    ACM deploys certificates using AWS integrated services –

    • Amazon CloudFront
    • Elastic Load Balancing
    • Amazon API Gateway
    • and other integrated services.

    Enterprises with a secure public website with significant web traffic will prefer this certificate management service which offers auto renewal, multi domain support and a hassle-free certificate management experience.

    Note: You can’t export the SSL/TLS public certificate from ACM, as ACM doesn’t allow users to export the private keys of certificates.

  2. AWS Certificate Manager Private Certificate Authority: An AWS managed private CA service, also known as ACM PCA, which provisions X.509 certificates. ACM PCA is best suited to small and medium enterprise customers who want to build their own Public Key Infrastructure (PKI) within the AWS Cloud, with certificates distributed for private use within the organization. Within a private CA, users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, IoT devices etc.

Now, let’s discuss the various Two-tier Cloud PKI Models offered by AWS for ACM PCA:

  1. Private Cloud: In this environment, both the Root CA and Subordinate CA exist in the AWS Cloud.
  2. Hybrid Cloud: In this environment, the Root CA exists in an On-prem data center, whereas the Subordinate CA is in the AWS Cloud. This requires you to have the Root CA (On-prem) sign the CSR for the Subordinate CA in the AWS Cloud.

In the Private Cloud architecture, you can host the Root CA or Subordinate CA in the AWS Cloud and use it for all your certificate needs, On-prem as well as Cloud infrastructure. In the Hybrid Cloud architecture, however, you can host the Root CA On-prem and the Subordinate CA in the AWS Cloud for all the certificate requirements of the enterprise.

Both these models have their pros and cons. The “Private Cloud Model” provides you all the cloud benefits (high availability, ease of management, access control etc.), but, as a security best practice, you might want to have full control over your Root CA with all the cryptographic keys being managed in an On-prem HSM, which you don’t have in this approach.

On the other hand, the “Hybrid Cloud Model” provides you with complete control over your On-prem Root CA; however, this adds some complexity to the overall architecture by hosting two CAs (Root and Subordinate CA) at different places (On-prem and AWS Cloud).

Note: There are various combinations possible for placing the CAs (Root/Policy/Subordinate/Issuing) in either On-prem or Cloud environments, depending upon the architectural needs of the organization (such as management of the CA lifecycle, DR planning etc.).

Let’s dive deeper into the ACM PCA service:

With ACM Private CA, you can create a hierarchy of certificate authorities with up to five levels, i.e. the root CA at the top of a hierarchy tree can have as many as four levels of subordinate CAs. You may also create multiple hierarchies, each with its own root.

The ACM PCA can issue X.509 end-entity certificates for creating encrypted channels, authenticating users, computers, API endpoints, and IoT devices, code signing scenarios and also implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status.

As mentioned, ACM PCA provides X.509 certificates to the end-entity; if AWS Certificate Manager issues a private certificate, the certificate can be associated with any service that is integrated with ACM (e.g. Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway etc.). This applies in both scenarios: the Root CA may or may not be in the AWS Cloud, but the Subordinate CA can only be in the AWS Cloud. Also, if you use the ACM Private CA API or AWS CLI to issue/export a private certificate from ACM, you can install the certificate anywhere, depending upon your use-case.

After provisioning the ACM private CA, you can directly issue certificates without having any validation requirement from any third-party CA and as per the customization for your enterprise internal needs. A few of the standard use-cases are:

  • Provision certificates with any subject name/ expiration timeline.
  • Improving the uptime through the automated workflows for certificate management
  • Restrict certificate issuance using templates.

ACM PCA offers the shared responsibility model for AWS Cloud Security in which “Security of the Cloud” belongs to AWS and “Security in the Cloud” belongs to the “Customer”. This shared security model could be implemented with the help of AWS Data Protection services (e.g. Macie, IAM, Cross Account Access, Logging, Monitoring, Audit Report etc.).

As a final note, I would like to draw your attention to some of the best practices to effectively use ACM PCA:

  1. Logical explanation of your PKI Infrastructure (placement of CAs)
  2. Document policy procedures for validity periods/ path length
  3. Keep your private key secure and avoid any form of compromise
  4. Keep your PKI certificate management updated. Revoke certificates when necessary, clear out old/unused certificates, and formulate a documented procedure for certificate renewals and expirations.

Quick Note on Pricing:
Your AWS account is charged a monthly fee of $400 for each private CA, starting from the time that you create it. There is also a charge associated with each certificate you issue/export (with its private key), on the model of “the more you generate/issue, the less you pay”. For the latest ACM Private CA pricing information, see the ACM Pricing page (aws.amazon.com/certificate-manager/pricing/) on the AWS website, as prices may vary from time to time.

Summary:

If you want to secure your data end-to-end with assurance of a legitimate sender, then use of a Public Key Infrastructure (PKI) is a must. There are multiple PKI implementations doing the rounds with various levels of complexity; however, AWS Certificate Manager Private CA provides this with maximum ease and a robust infrastructure, offering all the benefits of the cloud, i.e. reduced maintenance cost, scalability, business continuity, efficiency, flexibility and sec-ops automation.

We often come across an abstract concept called “security on the internet”, and then the unavoidable question arises: “Why do we need security on the internet?”

We spend loads of time on the internet, whether on social media, personal communication or business transactions. Internet security is important for communicating securely over the internet. With internet security, computers, the files and data on them, IT systems and so on are protected from any kind of intrusion by a malicious user or system over the internet.

What does security provide?

  1. Confidentiality: The information within the message or transaction is kept confidential. It may only be read and understood by the intended sender and receiver.
  2. Integrity: The information within the message or transaction is not tampered with, accidentally or deliberately.
  3. Authentication/Identification: The persons / entities with whom we are communicating are really who they say they are.
  4. Non-Repudiation: The sender cannot deny sending the message or transaction, and the receiver cannot deny receiving it.
  5. Access Control: Access to the protected information is only realized by the intended person or entity.

All the above security properties can be achieved and implemented with the help of Digital Certificate through the use of Public Key Infrastructure (PKI) mechanism.

About Digital Certificate:

The digital certificate is basically a digital form of identification by which consumers, businesses and organizations can exchange the data securely over the internet using the public key infrastructure (PKI). Digital Certificate is also known as a public key certificate or identity certificate.

Public key cryptography, or asymmetric cryptography, uses a pair of two different cryptographic keys: (a) a private key and (b) a public key. One key from the key pair is used to encrypt the data and the other key is used to decrypt it, and vice versa.

A digital certificate establishes the owner’s identity and makes the owner’s public key available. A digital certificate is issued by a trusted Certificate Authority and only for a limited time; after the certificate expires, a new certificate would be issued.

A digital certificate alone can only verify the identity of the digital certificate’s owner by providing the public key that is required to verify the owner’s digital signature. Therefore, the owner of the digital certificate must protect the private key that belongs to the public key of the digital certificate.

How are digital certificates verified?

  1. The issuer of a digital certificate is called a Certificate/Certification Authority. Verifying the certificates is the process of validating the entity’s identity. Validation process is a way to be sure about the person’s identity.
  2. The certificate contains information about the CA name and digital signature, these two fields will be used to authenticate the certificate. The CA name of the certificate has to be from a trusted CA and the digital signature must be valid.
  3. Now, the process is to validate the digital signature of the certificate, the verification of a digital signature is performed as per the below steps:
    • Calculate the hash-value: The first step is to calculate the hash-value of the message (often called a message digest) by applying a cryptographic hashing algorithm (for example: MD5, SHA1, SHA2). The hash value of the message is a unique value.
    • Calculate the digital signature: In this step the hash value of the message, or message digest, is encrypted with the private key of the signer. The encrypted hash value is also called the digital signature.
    • Calculate the current message digest: In this step the hashed value of the signed message is calculated by the same algorithm which was used during the signing process.
    • Calculate the original Hash-value: Now, the digital signature is decrypted by the public key that corresponds to the private key of the signer. As a result, we will obtain the original hash value that was calculated from the original message during the first step of the signing process.
    • Compare the current and original hash value: In this step we will compare the hash values of the current message digest and the original hash value. If two values are identical then the verification is successful. This proves that the message has been signed with the private key that corresponds to the public key used in the verification process. If the two values differ, this means that the digital signature is invalid and the verification is unsuccessful.
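The five bullets above, carried out end to end as an added example (not code from the original article). It assumes SHA-256 as the hash and RSA with PKCS#1 v1.5 padding as the signature scheme; the key is constructed from two published Mersenne primes so the block runs offline, and it is not secure.

```python
import hashlib
import hmac

# Constructed, INSECURE demo key (assumption of this example): the primes are
# the well-known Mersenne primes 2^521-1 and 2^607-1. Never use such a key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (signer only)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER header of the SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest(message: bytes) -> bytes:
    """Bullets 1 and 3: hash the message (SHA-256 chosen for this example)."""
    return hashlib.sha256(message).digest()


def _encode(h: bytes) -> bytes:
    """Build the padded block 00 01 FF..FF 00 || DigestInfo || hash."""
    t = SHA256_PREFIX + h
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    """Bullet 2: transform the padded digest with the signer's private key."""
    em = int.from_bytes(_encode(digest(message)), "big")
    return pow(em, D, N).to_bytes(K, "big")


def recover_digest(signature: bytes):
    """Bullet 4: apply the public key and return the digest that was signed.

    Returns None when the signature has the wrong size or the recovered block
    is not a well-formed padded digest.
    """
    if len(signature) != K:
        return None
    s = int.from_bytes(signature, "big")
    if s >= N:
        return None
    em = pow(s, E, N).to_bytes(K, "big")
    h = em[-32:]
    # Rebuild the expected block and compare it whole, instead of parsing the
    # padding leniently and trusting whatever trails it.
    if not hmac.compare_digest(em, _encode(h)):
        return None
    return h


def verify(message: bytes, signature: bytes) -> bool:
    """Bullet 5: compare the current digest with the original one."""
    original = recover_digest(signature)
    current = digest(message)
    return original is not None and hmac.compare_digest(original, current)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("untampered message verifies:", verify(msg, sig))
    print("tampered message verifies:  ", verify(msg + b"!", sig))
```

Only `sign` touches the private exponent `D`; everything in `verify` uses public values, which is why a certificate holder can hand out the certificate freely as long as the private key stays protected.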

Now, worried about false impersonation of your identity? – If you send your digital certificate containing your public key to someone else, the person cannot misuse the digital certificate without having access to your private key. If the private key is compromised, then malicious users may act as the legitimate owner of the digital certificate.


Use of digital certificate in the internet applications:

Numerous internet applications use public key cryptography standards for key exchange and digital signatures, and digital certificates need to be used to obtain the desired public key.

Following are brief descriptions of a few of the commonly used Internet applications that use public-key cryptography:

  1. SSL (Secure Socket Layer) – This is an encryption-based internet security protocol. This protocol is used to provide security between the client and a server. SSL uses digital certificates for key exchange, server authentication, and client authentication.
  2. Client Authentication – Client authentication is an option which requires a server to authenticate a client’s digital certificate before allowing the client to access certain resources. The server requests and authenticates the client’s digital certificate during the SSL handshake and the server can also determine whether it trusts the CA that issued the digital certificate to the client.
  3. Secure Electronic Mail – To secure email messages, it uses standards such as Privacy Enhanced Mail (PEM) or Secure/Multipurpose Internet Mail Extensions (S/MIME). Digital certificates are used for digital signatures and for the exchange of keys to encrypt and decrypt messages.
  4. Virtual Private networks (VPNs) – Virtual private networks, also called secure tunnels, can be set up between firewalls/secure gateways to enable protected connections between secure networks over insecure communication links. All traffic destined to these networks is encrypted between the firewalls/secure gateways.

Windows Certificate stores

Certificate stores are a combination of logical grouping and physical storage locations. A certificate store contains certificates issued from a number of different certification authorities (CAs).

System Certificate Stores:

System certificate stores have the following types:

  1. Local machine certificate store: This certificate store is local to the computer and global to all users on the computer. The certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
  2. Current user certificate store: This certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

Let’s start with the certificate MMC console, easily launched by certmgr.msc.
This gives us the hint of physical certificate stores, as shown in fig 1.

As shown in figure1 below, there are several stores: smart card store, Enterprise store, the Third-Party store etc.

If we go to MMC and add the certificate snap-in, we have some more choices for the accounts: user account, service account and the computer account, all the stores listed in the fig1 have their corresponding location for each account.

Certificates - Current User

Microsoft certificate stores storage locations include:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates – contains the info for the computer account
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates – contains info about the AD published certificates
  3. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates – contains info for the computer account, but for Group Policy distributed certificates for the computer account
  4. User: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates – contains registry settings for the current user. Those can include the BLOB (Binary Large Object) and various settings for the certificate, as well as settings related to the CA certificates that support the user certificates.
  5. HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates – contains registry settings for the current user, but for certificates distributed via Group Policy.
  6. HKEY_USERS\User SID\Software\Microsoft\SystemCertificates – contains this info for the corresponding user

If your organization is looking for implementation of encryption technologies in cloud environment, please consult info@encryptionconsulting.com for further information.

What is AWS Certificate Manager (ACM)?

ACM is Amazon’s Certificate Manager, offered as a service for its cloud customers. ACM provides its users with options to create, manage and deploy certificates (both public and private). The AWS Certificate Manager Private Certificate Authority service enables small and medium enterprises to build and own a Public Key Infrastructure (PKI) within the AWS cloud platform. AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, Elastic Beanstalk, and AWS API Gateway are equipped to use the AWS Certificate Manager service.

For more detailed information on AWS Certificate Manager (ACM), please read our blog article www.encryptionconsulting.com/2020/08/08/pki-in-aws-cloud

AWS ACM Best Practices:

Following best practices for ACM services helps organizations conform to audit processes and also ensures compliance with several security laws, standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST), Australian Prudential Regulatory Authority (APRA) etc.


Here are the top 10 best practices we identified for AWS Certificate Manager (ACM):

  1. ACM Certificate expiry check: One of the best practices to be followed in order to adhere to security standards is to ensure removal of expired SSL/TLS certificates managed by ACM. This eliminates the risk of deploying an invalid SSL/TLS certificate in resources which trigger error in front end. This might cause loss of credibility for business as well.
  2. ACM Certificate validity check: Ensure requests arrived during SSL/TLS certificate issue or renewal process are validated regularly. ACM certificate requests become invalid when not validated within 72 hours of request initiation. Application services might be interrupted during the process of new certificate requesting process.
  3. Root Certificate Authority (CA) usage: As per Amazon’s recommendation, it is always a best practice to minimize the use of the root CA. Instead, an intermediate CA can be created to perform the daily activities of issuing certificates to endpoints, and the root CA can in turn issue certificates to intermediate CAs. This way the root CA is protected from direct exposure during any attack. Also, providing separate accounts for the root CA and intermediate CAs is a recommended best practice.
  4. Use of SSL vs TLS: Transport layer protection is very important to ensure security. Use only TLS version 1.1 or above and do not use SSL, as it is not considered secure anymore.
  5. Private keys (SSL/TLS) protection: Whenever you import certificates instead of using ACM-issued certificates, ensure the keys used to generate SSL/TLS certificate private keys have high key strength to avoid data breaches.
  6. Avoid using SSL wildcard domain certificates: Avoid using wildcard domain certificates instead try to issue ACM single domain certificate for each domain and subdomain with its own private key. Whenever there is a breach or hack performed on wildcard certificates, all the domains and sub domains linked are compromised causing greater security concern.
  7. Usage of imported certificates: Allow usage of imported certificates only from authenticated and trusted partners of your organization in ACM. When wildcard certificates are imported into AWS Certificate Manager (ACM), security threat risk is high as the user might hold an unencrypted copy of certificate’s private key.
  8. Fully qualified domain name: One of the common mistakes organizations make is using an alias in certificates. The recommended best practice is to always use a Fully Qualified Domain Name (FQDN) in SSL/TLS ACM certificates.
  9. Perform audit of SSL/TLS certificates: To avoid misuse of generated certificates, perform frequent audits of AWS environment for trusted certificates and validate audit report.
  10. Turn on AWS CloudTrail and CloudWatch alarms: CloudTrail logging helps in tracking history of AWS API calls and monitoring AWS deployments. CloudTrail can be integrated with applications for performing automated logging and monitoring activities. Enabling CloudWatch alarm feature helps in alerting through notifications when configured metrics breach.
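One way to check items 1, 2, 5, 6, 7 and 8 of the list above automatically, as an added example that is not part of the original article or of any AWS tooling. The records are constructed samples that use field names from ACM's DescribeCertificate response; the finding codes, the helper names and the choice of RSA_1024 as the weak-key threshold are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

VALIDATION_WINDOW = timedelta(hours=72)   # validation deadline stated in item 2
WEAK_KEY_ALGORITHMS = {"RSA_1024"}        # assumption: this example's threshold


def audit_certificate(cert, now):
    """Return sorted finding codes for one DescribeCertificate-style record."""
    findings = set()
    names = {cert["DomainName"], *cert.get("SubjectAlternativeNames", [])}

    # Item 1: expired certificates must go, above all if still attached.
    not_after = cert.get("NotAfter")
    if cert["Status"] == "EXPIRED" or (not_after is not None and not_after <= now):
        findings.add("EXPIRED_IN_USE" if cert.get("InUseBy") else "EXPIRED_REMOVE")

    # Item 2: requests not validated within 72 hours become invalid.
    if cert["Status"] == "VALIDATION_TIMED_OUT":
        findings.add("VALIDATION_WINDOW_LAPSED")
    elif cert["Status"] == "PENDING_VALIDATION":
        lapsed = now - cert["CreatedAt"] >= VALIDATION_WINDOW
        findings.add("VALIDATION_WINDOW_LAPSED" if lapsed else "VALIDATION_PENDING")

    # Item 6: wildcard names widen the impact of one key compromise.
    if any(n.startswith("*.") for n in names):
        findings.add("WILDCARD_NAME")

    # Items 5 and 7: imported certificates need a source and key-strength review.
    if cert["Type"] == "IMPORTED":
        findings.add("IMPORTED_REVIEW_SOURCE")
        if cert.get("KeyAlgorithm") in WEAK_KEY_ALGORITHMS:
            findings.add("IMPORTED_WEAK_KEY")

    # Item 8: every name should be fully qualified (contain at least one dot).
    for n in names:
        host = n[2:] if n.startswith("*.") else n
        if "." not in host:
            findings.add("NOT_FQDN")

    return sorted(findings)


def audit_all(certs, now):
    """Map each certificate ARN to its findings, omitting clean certificates."""
    report = {}
    for cert in certs:
        findings = audit_certificate(cert, now)
        if findings:
            report[cert["CertificateArn"]] = findings
    return report


# Constructed sample records (not real ARNs or domains).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
SAMPLE_CERTS = [
    {"CertificateArn": ARN + "sample-a", "DomainName": "www.example.com",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED", "KeyAlgorithm": "RSA_2048",
     "CreatedAt": NOW - timedelta(days=200), "NotAfter": NOW + timedelta(days=140),
     "InUseBy": ["constructed-load-balancer"]},
    {"CertificateArn": ARN + "sample-b", "DomainName": "old.example.com",
     "Status": "EXPIRED", "Type": "AMAZON_ISSUED", "KeyAlgorithm": "RSA_2048",
     "CreatedAt": NOW - timedelta(days=430), "NotAfter": NOW - timedelta(days=40),
     "InUseBy": ["constructed-load-balancer"]},
    {"CertificateArn": ARN + "sample-c", "DomainName": "api.example.com",
     "Status": "PENDING_VALIDATION", "Type": "AMAZON_ISSUED",
     "KeyAlgorithm": "RSA_2048", "CreatedAt": NOW - timedelta(days=4),
     "InUseBy": []},
    {"CertificateArn": ARN + "sample-d", "DomainName": "*.example.com",
     "SubjectAlternativeNames": ["*.example.com", "intranet"],
     "Status": "ISSUED", "Type": "IMPORTED", "KeyAlgorithm": "RSA_1024",
     "CreatedAt": NOW - timedelta(days=30), "NotAfter": NOW + timedelta(days=235),
     "InUseBy": []},
]

if __name__ == "__main__":
    for arn, findings in audit_all(SAMPLE_CERTS, NOW).items():
        print(arn, findings)
```

Running the same function on a schedule and alerting on a non-empty report is one way to turn item 9, the periodic audit, into a repeatable control.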

If your organization is looking for implementation of AWS Certificate Authority, please consult info@encryptionconsulting.com for further information.

BYOK allows organizations to encrypt data inside cloud services with their own keys — and maintained within the cloud providers’ vaults — while still continuing to leverage the cloud provider’s native encryption services to protect their data. Win win.
