VISIT LIBRARY SPONSOR A BOOK HOW IT WORKS NEWSLETTER FEEDBACK

The Shortcut Guide to Managing Certificate Lifecycles

by Kevin Behr

SYNOPSIS

Digital certificates are the central component in a Public Key Infrastructure (PKI) used to protect personally identifiable information, prove that online merchants are authentic, and protect the integrity of online transactions. Yet, many people have never even heard of digital certificates. They are buried deep inside many applications and technologies in today’s Web-powered world, which most people take for granted.

If you have ever shopped for a certificate, you know that there is a wide selection of products and vendors from which to choose. Knowing what you need and, more importantly, why you need it, can be pretty confusing—even for a seasoned professional. This guide to managing the certificate lifecycle will cover a range of topics surrounding digital certificates, with an eye towards giving you the inside track when it comes to making decisions about PKI. This guide is for both those new to digital certificates and for technologists with extensive experience.


CHAPTER PREVIEWS

Chapter 1: The What and Why of PKI

Digital certificates are the central component in a Public Key Infrastructure (PKI) used to protect personally identifiable information, prove that online merchants are authentic, and protect the integrity of online transactions. Yet, many people have never even heard of digital certificates. They are buried deep inside many applications and technologies in today’s Web-powered world, which most people take for granted.

If you have ever shopped for a certificate, you know that there is a wide selection of products and vendors from which to choose. Knowing what you need and, more importantly, why you need it, can be pretty confusing—even for a seasoned professional. This guide to managing the certificate lifecycle will cover a range of topics surrounding digital certificates, with an eye towards giving you the inside track when it comes to making decisions about PKI. This guide is for both those new to digital certificates and for technologists with extensive experience.


Chapter 2: Root Management

This chapter will continue to build on the concepts outlined in Chapter 1 and extend them to common real-world scenarios. It will show you how to cut through the marketing hype and get to the bottom of the services provided by commercial CAs by introducing two documents that all commercial CAs produce. The chapter will then give you the inside track on methods you can use to manage your own certificate lifecycles by examining how commercial CAs manage their own

  • Root keys
  • Policy and procedures governing the keys
  • End user agreements

Finally, the chapter will examine how the policies and procedures used by commercial CAs can map into your overall PKI management strategy, answering questions such as:

  • How can you know what a CA does to secure their PKI?
  • Who does the PKI serve?
  • Is there a standard method you can use to compare different CAs?
  • How are CAs audited?

This chapter will answer these questions as well as explore

  • Access restriction,
  • Backup of keys
  • Auditing the environment to ensure operational integrity and reliability


Chapter 3: The Certificate Lifecycle

The first two chapters focused on defining and exploring key elements of PKI and how the root certificates and infrastructure need to be managed. This chapter will cover the entire functional lifecycle of a digital certificate. The certificate lifecycle consists of five distinct phases: issuance, re-issuance, expiry, renewal, and revocation. This chapter is full of helpful hints, best practices, and resources that will save you time, help you avoid embarrassing and expensive site outages, and steer you towards the correct certificate product for your application. Let’s start at the very beginning of the certificate lifecycle with issuance.

Issuance

This guide has defined digital certificates as the binding of a vetted identity (company, role, or person) to a pair of digital asymmetrical keys. Whether purchasing a certificate from a commercial CA or issuing your own certificates within your company or enterprise, the concept is the same. Because a digital certificate is a form of credential used to identify a person, company, or a role, it is crucial that a validation and verification process is sufficiently rigorous to indemnify the level of assurance provided by that credential. For example, if you were a relying party shopping on an e-commerce Web site for a new laptop computer that costs 00, you would want to know that the digital certificate presented to you by the Web site guaranteed that you were not being spoofed. You would hope that the CA had stringent standards to make the merchant prove it was who it purported to be. The first chapter discussed the differing levels of assurance offered by most commercial CAs. The levels of validation and the verification methods are more rigorous as the level of assurance provided by the certificate product escalates. Keeping with the focus on delivering useful shortcuts, let’s break these types into functional categories that focus on their common usage rather than brand names and hype.


Chapter 4: Managing PKI Infrastructures

The previous chapters have discussed the components used in a Public Key Infrastructure (PKI). This chapter will address the key decisions that IT professionals need to make in planning and implementing the infrastructure that will best support their security needs—while addressing the demands of their budgets. The chapter will focus on

  • Defining the requirements and challenges of the infrastructure
  • Identifying the key components of the infrastructure
  • Choosing the best means to provide the infrastructure—specifically, comparing outsourcing with building an in-house system