WEBVTT

1
00:00:00.000 --> 00:00:01.776
In this section of the course,

2
00:00:01.776 --> 00:00:05.370
we're going to discuss Public Key Infrastructure

3
00:00:05.370 --> 00:00:07.530
or PKI Architecture.

4
00:00:07.530 --> 00:00:10.530
The Public Key Infrastructure Architecture section

5
00:00:10.530 --> 00:00:15.120
of the course focuses on Domain 2: Security Architecture,

6
00:00:15.120 --> 00:00:18.210
specifically objective 2.4,

7
00:00:18.210 --> 00:00:20.550
which states that given a scenario,

8
00:00:20.550 --> 00:00:23.550
you must be able to apply security concepts

9
00:00:23.550 --> 00:00:25.530
to the design of access,

10
00:00:25.530 --> 00:00:28.770
authentication and authorization systems.

11
00:00:28.770 --> 00:00:31.380
The Public Key Infrastructure is the backbone

12
00:00:31.380 --> 00:00:33.990
of secure online communication.

13
00:00:33.990 --> 00:00:35.190
The Public Key Infrastructure

14
00:00:35.190 --> 00:00:38.880
provides a framework for managing digital certificates,

15
00:00:38.880 --> 00:00:41.880
which are the foundation of digital trust.

16
00:00:41.880 --> 00:00:45.480
Trusted organizations, known as Certificate Authorities,

17
00:00:45.480 --> 00:00:49.260
are responsible for issuing and managing certificates.

18
00:00:49.260 --> 00:00:52.410
In use, proper validation of certificates

19
00:00:52.410 --> 00:00:54.980
ensures authenticity and integrity

20
00:00:54.980 --> 00:00:58.500
of digital communications and data exchanges.

21
00:00:58.500 --> 00:01:01.140
Finally, the public key infrastructure

22
00:01:01.140 --> 00:01:04.380
enables certificates to be efficiently deployed

23
00:01:04.380 --> 00:01:08.190
across networks, servers, and client devices

24
00:01:08.190 --> 00:01:09.480
to safeguard data

25
00:01:09.480 --> 00:01:12.960
and maintain secure communication channels.

26
00:01:12.960 --> 00:01:14.610
As we go through this section,

27
00:01:14.610 --> 00:01:16.440
we will cover many topics

28
00:01:16.440 --> 00:01:20.040
related to the Public Key Infrastructure Architecture,

29
00:01:20.040 --> 00:01:22.530
including Certificate Management,

30
00:01:22.530 --> 00:01:24.480
Certificate Authority Functions,

31
00:01:24.480 --> 00:01:28.230
Certificate Validation, and Certificate Deployment.

32
00:01:28.230 --> 00:01:31.380
First, we will look at Certificate Management.

33
00:01:31.380 --> 00:01:34.410
Certificate management is the process of issuing,

34
00:01:34.410 --> 00:01:38.400
renewing, revoking, and managing digital certificates

35
00:01:38.400 --> 00:01:39.990
throughout their lifecycle.

36
00:01:39.990 --> 00:01:41.910
Certificate management concepts

37
00:01:41.910 --> 00:01:45.720
include certificate types and certificate extensions.

38
00:01:45.720 --> 00:01:48.480
Certificate types refer to various forms

39
00:01:48.480 --> 00:01:50.010
of digital certificates,

40
00:01:50.010 --> 00:01:54.240
such as transport layer security or TLS certificates,

41
00:01:54.240 --> 00:01:57.780
client certificates and code signing certificates.

42
00:01:57.780 --> 00:02:00.870
Each type of certificate serves a different purpose

43
00:02:00.870 --> 00:02:03.660
within the public key infrastructure framework.

44
00:02:03.660 --> 00:02:07.740
Certificate extensions are fields in a digital certificate

45
00:02:07.740 --> 00:02:09.180
that provide information

46
00:02:09.180 --> 00:02:11.820
about the certificate's intended usage.

47
00:02:11.820 --> 00:02:15.022
For example, a Transport Layer Security certificate

48
00:02:15.022 --> 00:02:17.130
might include a field

49
00:02:17.130 --> 00:02:20.610
called a Subject Alternative Name or SAN

50
00:02:20.610 --> 00:02:22.350
that allows the certificate

51
00:02:22.350 --> 00:02:26.340
to apply to a multitude of domains or subdomains.

52
00:02:26.340 --> 00:02:29.580
Next, we will explore Certificate Authority

53
00:02:29.580 --> 00:02:31.500
or CA functions.

54
00:02:31.500 --> 00:02:33.450
Certificate Authority functions

55
00:02:33.450 --> 00:02:35.760
include issuing, managing,

56
00:02:35.760 --> 00:02:39.180
revoking, and validating digital certificates

57
00:02:39.180 --> 00:02:41.550
to ensure trust and communications.

58
00:02:41.550 --> 00:02:44.760
Applying certificate authority function concepts

59
00:02:44.760 --> 00:02:46.680
requires a good understanding

60
00:02:46.680 --> 00:02:50.130
of Certificate Authorities and Registration Authorities.

61
00:02:50.130 --> 00:02:52.950
Certificate Authorities are trusted entities

62
00:02:52.950 --> 00:02:56.700
responsible for generating and signing digital certificates,

63
00:02:56.700 --> 00:03:00.420
thereby establishing the identity of certificate holders

64
00:03:00.420 --> 00:03:03.210
within the Public Key Infrastructure framework.

65
00:03:03.210 --> 00:03:04.860
A Root Certificate Authority

66
00:03:04.860 --> 00:03:07.590
is a special type of Certificate Authority

67
00:03:07.590 --> 00:03:09.450
that is the topmost authority

68
00:03:09.450 --> 00:03:12.300
in a Public Key Infrastructure hierarchy.

69
00:03:12.300 --> 00:03:15.150
Root Certificate Authorities are trusted to issue

70
00:03:15.150 --> 00:03:17.220
and sign digital certificates,

71
00:03:17.220 --> 00:03:18.870
including their own,

72
00:03:18.870 --> 00:03:21.180
and they serve as the foundation

73
00:03:21.180 --> 00:03:23.820
for all subsequent trust relationships

74
00:03:23.820 --> 00:03:25.500
in the certificate chain.

75
00:03:25.500 --> 00:03:28.680
Registration Authorities act as intermediaries

76
00:03:28.680 --> 00:03:32.250
between the end users and the Certificate Authorities.

77
00:03:32.250 --> 00:03:35.160
Registration Authorities may perform tasks,

78
00:03:35.160 --> 00:03:38.880
such as verifying the identity of certificate requesters

79
00:03:38.880 --> 00:03:42.570
before a certificate is signed by a Certificate Authority.

80
00:03:42.570 --> 00:03:44.820
For example, if an organization

81
00:03:44.820 --> 00:03:48.150
requests a Transport Layer Security certificate,

82
00:03:48.150 --> 00:03:49.830
a Registration Authority may

83
00:03:49.830 --> 00:03:52.260
verify the organization's details.

84
00:03:52.260 --> 00:03:54.480
Upon successful verification,

85
00:03:54.480 --> 00:03:56.070
the Registration Authority

86
00:03:56.070 --> 00:03:59.550
will vouch for its findings to a Certificate Authority.

87
00:03:59.550 --> 00:04:03.180
The Certificate Authority may then issue the certificate.

88
00:04:03.180 --> 00:04:06.390
After that, we will look at Certificate Validation.

89
00:04:06.390 --> 00:04:07.710
Certificate validation

90
00:04:07.710 --> 00:04:10.440
within the Public Key Infrastructure architecture

91
00:04:10.440 --> 00:04:13.860
ensures that a digital certificate remains trustworthy,

92
00:04:13.860 --> 00:04:17.130
is unexpired and has not been revoked.

93
00:04:17.130 --> 00:04:19.140
Certificate validation concepts

94
00:04:19.140 --> 00:04:23.400
include Online Certificate Status Protocol Stapling,

95
00:04:23.400 --> 00:04:27.510
the Certificate Revocation List, and Certificate Pinning.

96
00:04:27.510 --> 00:04:29.910
Online Certificate Status Protocol

97
00:04:29.910 --> 00:04:34.170
or OCSP Stapling is a method of validation

98
00:04:34.170 --> 00:04:38.250
that requires a server to provide a digitally signed proof

99
00:04:38.250 --> 00:04:41.790
of its certificate's validity directly to the client.

100
00:04:41.790 --> 00:04:42.840
In this way,

101
00:04:42.840 --> 00:04:45.570
Online Certificate Status Protocol Stapling

102
00:04:45.570 --> 00:04:46.950
removes the need

103
00:04:46.950 --> 00:04:50.610
for a client to query a certificate authority directly

104
00:04:50.610 --> 00:04:52.500
to validate a certificate.

105
00:04:52.500 --> 00:04:56.640
Next, a Certificate Revocation List or CRL

106
00:04:56.640 --> 00:04:59.910
is a list maintained by a Certificate Authority

107
00:04:59.910 --> 00:05:02.520
that contains the serial numbers of certificates

108
00:05:02.520 --> 00:05:06.090
that have been revoked before their expiration dates.

109
00:05:06.090 --> 00:05:07.110
In this way,

110
00:05:07.110 --> 00:05:09.150
a Certificate Revocation List

111
00:05:09.150 --> 00:05:10.410
also allows clients

112
00:05:10.410 --> 00:05:13.380
to determine if a certificate is still valid.

113
00:05:13.380 --> 00:05:15.750
Finally, Certificate Pinning

114
00:05:15.750 --> 00:05:19.620
involves storing a known valid certificate or public key

115
00:05:19.620 --> 00:05:21.000
in an application.

116
00:05:21.000 --> 00:05:22.410
During a connection,

117
00:05:22.410 --> 00:05:25.170
an application can compare the stored certificate

118
00:05:25.170 --> 00:05:28.920
or key against the one presented by the server.

119
00:05:28.920 --> 00:05:31.470
If they match, trust is established

120
00:05:31.470 --> 00:05:33.990
and the presented certificate is accepted.

121
00:05:33.990 --> 00:05:37.260
For example, when a user connects to a website,

122
00:05:37.260 --> 00:05:40.170
Online Certificate Status Protocol stapling

123
00:05:40.170 --> 00:05:43.800
allows the server to prove that its certificate is valid.

124
00:05:43.800 --> 00:05:44.760
Meanwhile,

125
00:05:44.760 --> 00:05:48.270
the client may consult a Certificate Revocation List

126
00:05:48.270 --> 00:05:51.060
to ensure the certificate hasn't been revoked,

127
00:05:51.060 --> 00:05:53.010
and use certificate pinning

128
00:05:53.010 --> 00:05:55.230
to confirm the presented certificate

129
00:05:55.230 --> 00:05:57.150
matches an expected value.

130
00:05:57.150 --> 00:06:00.360
Utilizing multiple methods of certificate validation

131
00:06:00.360 --> 00:06:03.390
results in layering multiple validation mechanisms

132
00:06:03.390 --> 00:06:04.680
for better security.

133
00:06:04.680 --> 00:06:07.860
Finally, we will look at Certificate Deployment.

134
00:06:07.860 --> 00:06:10.830
Certificate deployment involves the distribution

135
00:06:10.830 --> 00:06:14.190
and installation of digital certificates across systems

136
00:06:14.190 --> 00:06:17.520
and devices to enable secure communications.

137
00:06:17.520 --> 00:06:21.210
Certificate deployment concepts include template use,

138
00:06:21.210 --> 00:06:24.540
deployment approach, and integration approach.

139
00:06:24.540 --> 00:06:27.660
Templates are predefined configurations

140
00:06:27.660 --> 00:06:29.190
that standardize the settings

141
00:06:29.190 --> 00:06:31.350
and permissions of certificates.

142
00:06:31.350 --> 00:06:34.470
Templates make the deployment process more efficient

143
00:06:34.470 --> 00:06:38.220
by ensuring consistency across issued certificates.

144
00:06:38.220 --> 00:06:40.710
Next, the term deployment approach

145
00:06:40.710 --> 00:06:43.140
refers to the method used to distribute

146
00:06:43.140 --> 00:06:45.990
and install certificates across servers,

147
00:06:45.990 --> 00:06:50.250
client machines, network devices, and applications.

148
00:06:50.250 --> 00:06:51.720
A deployment approach

149
00:06:51.720 --> 00:06:54.960
may include manual certificate installation

150
00:06:54.960 --> 00:06:58.740
or automated processes using management tools.

151
00:06:58.740 --> 00:07:01.470
Finally, the integration approach describes

152
00:07:01.470 --> 00:07:05.460
how certificates are incorporated into existing systems.

153
00:07:05.460 --> 00:07:07.920
Incorporation includes the setup

154
00:07:07.920 --> 00:07:09.840
of the necessary infrastructure

155
00:07:09.840 --> 00:07:12.090
to support secure communications,

156
00:07:12.090 --> 00:07:15.150
such as configuring email servers

157
00:07:15.150 --> 00:07:19.800
to use Secure/Multipurpose Internet Mail Extensions

158
00:07:19.800 --> 00:07:21.870
or S/MIME certificates

159
00:07:21.870 --> 00:07:26.040
for encrypting and signing emails or configuring web servers

160
00:07:26.040 --> 00:07:28.954
to present Transport Layer Security certificates.

161
00:07:28.954 --> 00:07:33.090
For example, an organization might use a template

162
00:07:33.090 --> 00:07:37.350
to define a standard Transport Layer Security certificate,

163
00:07:37.350 --> 00:07:39.450
automate the deployment of these certificates

164
00:07:39.450 --> 00:07:41.220
across multiple servers,

165
00:07:41.220 --> 00:07:44.160
and integrate them into their web infrastructure

166
00:07:44.160 --> 00:07:47.310
to ensure all servers are secured consistently

167
00:07:47.310 --> 00:07:48.660
and efficiently.

168
00:07:48.660 --> 00:07:50.070
To finish things off,

169
00:07:50.070 --> 00:07:51.630
we will take a short quiz

170
00:07:51.630 --> 00:07:54.540
to see what you learned during this section of the course,

171
00:07:54.540 --> 00:07:58.200
and we will review each of those quiz questions fully

172
00:07:58.200 --> 00:08:01.500
to ensure you can explain why the right answers were right

173
00:08:01.500 --> 00:08:03.270
and the wrong answers were wrong.

174
00:08:03.270 --> 00:08:05.010
So, let's get ready

175
00:08:05.010 --> 00:08:08.126
to dive into Public Key Infrastructure Architecture

176
00:08:08.126 --> 00:08:10.787
in this section of the course!

