Domain 3 Β· Lesson 4 of 6
PKI, Certificates & Key Management
PKI, Chα»©ng chα» & QuαΊ£n lΓ½ KhΓ³a
Key Terms
PKI
Root CA
Intermediate CA
End-entity Certificate
CRL
OCSP
OCSP Stapling
Certificate Pinning
HSM
TPM
Key Escrow
Key Rotation
FIPS 140-2
HashiCorp Vault
PKI Hierarchy β Chain of Trust
PKI (Public Key Infrastructure) is a framework for managing digital certificates and public-private key pairs. It establishes a chain of trust from a Root CA down to individual certificates.
Root CA β Top of Trust Hierarchy
MUST be OFFLINE (air-gapped). Signs only Intermediate CAs. If the Root CA is compromised, ALL certificates in the hierarchy are invalidated. Extremely long validity period (10-20 years). Self-signed certificate.
β Signs
Intermediate CA β Operational Layer
Online CA that signs end-entity certificates. Using an Intermediate CA limits Root CA exposure β if the Intermediate is compromised, only that subtree is revoked (Root CA remains safe). Organizations may have multiple Intermediate CAs (by geography, purpose, or business unit).
β Issues
End-entity Certificate β Issued to Server/User
Contains: Subject's public key, identity (CN + SAN), validity dates, issuer (Intermediate CA), serial number, signature of Intermediate CA. Short validity (90 days to 2 years). Must be renewed regularly.
PKI Component Roles
| Component | Role | Key Property |
|---|---|---|
| Root CA | Top of trust hierarchy; signs Intermediate CAs | Must be OFFLINE (air-gapped) |
| Intermediate CA | Online; signs end-entity certificates; limits Root CA exposure | Revocable without invalidating Root CA |
| End-entity Cert | Issued to server/user; contains public key + identity | Short validity; must be regularly renewed |
| RA (Registration Authority) | Verifies identity before certificate issuance; outsources vetting from CA | Trusted identity verification agent |
| CRL (Cert Revocation List) | List of revoked certificate serial numbers published periodically by CA | Stale β may not reflect recent revocations |
| OCSP | Real-time single-certificate revocation check via HTTP | Fresh β real-time status |
| OCSP Stapling | Server pre-fetches signed OCSP response and includes it in TLS handshake | Eliminates client round-trip to OCSP responder; better performance & privacy |
Certificate Revocation: CRL vs. OCSP
CRL β Certificate Revocation List
- Batch list of revoked certificate serial numbers
- Published periodically (daily or weekly)
- Client downloads entire list
- Can be STALE β recent revocations may not appear until next publication
- Large files as PKI grows (performance issue)
OCSP β Online Certificate Status Protocol
- Real-time query for a single certificate's status
- Client sends certificate serial number; OCSP responder replies: Good / Revoked / Unknown
- Always FRESH β reflects current revocation status
- Privacy concern: OCSP responder knows which sites you're visiting
- OCSP Stapling solves the privacy concern
Certificate Validation Steps (in order): (1) Verify the digital signature on the certificate using the Intermediate CA's public key; (2) Check validity dates (not before / not after); (3) Check revocation status via OCSP or CRL; (4) Confirm the certificate's CN or SAN matches the hostname being connected to.
Certificate Pinning: An application hardcodes the expected certificate or its public key hash. Even if a rogue CA issues a fraudulent certificate for your domain, the pinned application rejects it because the certificate does not match the pinned value. Used in mobile apps. Defeats MITM attacks via compromised or rogue CAs.
Key Storage Hardware
| Device | Type | FIPS Level | Use Case | Key Property |
|---|---|---|---|---|
| HSM | Hardware Security Module | FIPS 140-2 Level 3+ | Server-side key storage, CA key protection, bulk crypto operations | Tamper-evident. Keys never leave HSM in plaintext. Physical destruction on tamper detected. |
| TPM | Trusted Platform Module | FIPS 140-2 Level 1-2 | Laptop/workstation β disk encryption (BitLocker), platform attestation | Chip on motherboard. Seals keys to platform measurements. Cannot be transplanted. |
| HashiCorp Vault | Software (with HSM backend option) | N/A (software) β can use HSM backend for FIPS | Cloud-native secret management, dynamic secrets, key/value secrets | Used by FinTech Company X. Lease-based access. Audit logging. Vault Agent for K8s injection. |
FIPS 140-2 Level 3 requires tamper-evidence, identity-based authentication, and zeroization of plaintext CSPs on tamper. Level 4 adds physical security envelope with environmental failure protections.
Key Management Lifecycle
1
Generate
Generate with CSPRNG; key length per algorithm standard (RSA 2048+, AES 256)
2
Distribute
Securely transport to authorized parties. Use asymmetric to wrap symmetric keys.
3
Store
HSM or Vault. Never in environment variables, source code, or Kubernetes Secrets (unencrypted).
4
Use
Access through defined interfaces only. Audit all key usage. Limit cryptoperiod.
5
Rotate
Replace periodically. RSA signing keys: annually. AES data keys: by cryptoperiod or event-triggered.
6
Revoke
Immediately on compromise suspicion. Update CRL / OCSP. Notify relying parties.
7
Destroy
Cryptographic erasure β overwrite key material multiple times or HSM zeroization. Retain audit record.
Key Escrow vs. Key Rotation
| Concept | Definition | Risk | Use Case |
|---|---|---|---|
| Key Escrow | A copy of the encryption key is held by a trusted third party for recovery purposes | Third party becomes a high-value target; compromise of escrow = compromise of all data | Government-mandated lawful intercept; enterprise data recovery (Vault key backup) |
| Key Rotation | Periodic replacement of keys with new ones; old key decrypts old data during transition | Operational complexity; window where both old and new keys must be valid | Limit key exposure window; compliance (PCI-DSS requires annual rotation); after personnel change |
Exam Tips β PKI & Key Management
- CRL = batch list (stale); OCSP = real-time single cert (fresh) β OCSP is preferred for revocation checks. CRL may not reflect recent revocations.
- Root CA MUST be OFFLINE β if the Root CA is compromised, every certificate it issued (directly or through Intermediates) must be treated as invalid. An online Root CA is a critical security failure.
- HSM provides hardware-protected key storage β more secure than software-only (Vault without HSM backend). Keys never leave the HSM in plaintext.
- Certificate pinning defeats MITM attacks via rogue CAs β even if an attacker controls a trusted CA that issues a fraudulent certificate for your domain, pinning rejects it.
- Key escrow = recovery capability BUT creates third-party risk β the escrow holder becomes a target. Government escrow (Clipper chip era) is controversial precisely for this reason.
- OCSP Stapling = server fetches OCSP response and staples it to TLS handshake β eliminates client's need to contact OCSP responder (better privacy and performance).
FinTech Company X Key Management Audit β Platform C
- JWT RSA private keys: Stored only in HashiCorp Vault (never in Kubernetes Secrets, environment variables, or config files). Vault audit log records every read of the private key material.
- Zero-downtime key rotation: RSA JWT signing key pairs rotated annually. During the rotation window (48 hours), the JWKS endpoint serves BOTH the old and new public keys. Services verify tokens against all active public keys β no token rejections during rotation.
- TLS certificate automation: cert-manager in Kubernetes automates Let's Encrypt certificate renewal (renews at 60 days, valid for 90 days). No manual renewal β eliminates expiry-related outages.
- Per-tenant AES data keys: AES-256-CTR data encryption keys stored in Vault with per-tenant isolation. Partner A encryption key is different from Partner D encryption key β a Vault compromise of one tenant's key does not expose another tenant's data.
Practice Questions
Q1. A browser checks whether a web server's TLS certificate has been revoked. The browser queries the certificate's revocation status in real time for a single certificate. Which method is being used?
A. OCSP (Online Certificate Status Protocol) β real-time single-certificate revocation checkOCSP provides real-time revocation status for individual certificates. The client sends the certificate's serial number to the OCSP responder and receives a signed response: Good, Revoked, or Unknown. CRL would require downloading an entire list. OCSP Stapling means the server performs this lookup and provides the response to the client during the TLS handshake.
Q2. An organization's PKI Root CA is connected to the network for daily operations. A security auditor flags this as a critical finding. Why is an online Root CA a security risk?
A. If the Root CA is compromised, ALL certificates in the PKI hierarchy are invalidated β the Root CA must be offline to protect the entire trust chainThe Root CA is the anchor of trust for the entire PKI. If an attacker compromises an online Root CA, they can issue fraudulent certificates for any domain in the hierarchy and sign them with the Root's private key. Every certificate would appear valid. The Root CA should be air-gapped, brought online only to sign new Intermediate CAs (rare event), then taken offline again. Intermediate CAs handle day-to-day certificate issuance.
Q3. An organization needs to protect server-side RSA private keys for a payment processing system. Which hardware device provides the highest level of key protection with tamper detection?
A. HSM (Hardware Security Module) β FIPS 140-2 Level 3+, tamper-evident, keys never exported in plaintextAn HSM is dedicated hardware designed for cryptographic operations. Keys are generated and stored inside the HSM and never leave in plaintext. Physical tamper-detection mechanisms erase keys if tampering is detected. TPMs are on-device chips for platform attestation and disk encryption β they have a lower FIPS level and are not designed for server-side cryptographic operations at scale. Vault (software) can use an HSM backend for key protection.
Q4. A mobile banking application hardcodes the SHA-256 hash of the server's public key. During a security audit, a penetration tester intercepts traffic using a corporate proxy with a trusted CA certificate. The app rejects the proxy's certificate. What security control prevented the interception?
A. Certificate pinning β the app rejects any certificate whose public key hash does not match the pinned value, even if the certificate is signed by a trusted CACertificate pinning defeats MITM attacks that rely on rogue or compromised CAs. Even though the corporate proxy's certificate is signed by a CA that is trusted by the device's OS, the app compares the public key hash against the pinned value. The proxy's public key hash does not match, so the app terminates the connection. This prevents traffic interception even when the attacker controls a CA in the device's trust store.
Q5. An organization rotates its RSA JWT signing keys annually. During the rotation process, the old JWT signing key is kept active for 48 hours alongside the new key. Why is this necessary?
A. Tokens signed with the old key may still be valid (within their TTL) during the rotation window β services must accept both keys to avoid rejecting legitimate tokensJWT tokens have an expiry claim (exp). If the signing key is rotated immediately and the old key is removed, any tokens signed with the old key that have not yet expired will fail validation. By publishing both old and new public keys on the JWKS endpoint for a transition window equal to the maximum token TTL, services can validate tokens signed by either key. After the window, the old key is removed and all valid tokens have been signed with the new key.