PKI Bootcamp - What is a PKI?

  • Published on 17 Jun 2024
  • A PKI (public key infrastructure) is often confused with a CA (certificate authority) but it is much more than that. A PKI includes all of the components required to enable the use of certificates. Because of this, it represents the attack surface an attacker can exploit when attempting to leverage certificates and keys in their attacks.

Comments • 172

  • @eduardrotty8584 3 years ago +23

    You explained the PKI smoothly and using words that can reach casual, beginner and expert
    Greetings from Indonesia

    • @PaulTurnerChannel 3 years ago +4

      I really appreciate the feedback, Raki. Greetings to you in Indonesia! I never imagined that my videos would reach so far around the world. It was a heartwarming greeting from you.

  • @rodrigomunoz1556 3 years ago +20

    Paul, you really have the talent to explain complex topics in an easy way, and your slides are awesome.

    • @PaulTurnerChannel 3 years ago

      Thank you for your kind words, Erick. I’m very glad you liked the presentation and appreciate you taking the time to comment.

  • @IPv6people 3 years ago +12

    Very clear and very agreeable to watch and listen to in all respects. I look forward to more of these ten-minute jewels.

    • @PaulTurnerChannel 3 years ago +1

      Glad you liked it, Joost. I’m hoping to get another video done in a few weeks.

  • @lerneninverschiedenenforme7513 3 years ago +3

    This - is - awesome! The creme de la creme of explanations here! Thank you very much for the work!

  • @ranjankalita1220 3 years ago +1

    I have been reading about these concepts for a few days now, your video really helped me connect the dots. Thanks a lot. Beautifully explained.

    • @PaulTurnerChannel 3 years ago +1

      You put a big smile on my face, Ranjan. Thanks for your comment.

  • @Sccoropio 4 years ago +9

    One of the best PKI explanations on YouTube. A true reflection of the real world scenario.

    • @PaulTurnerChannel 4 years ago +1

      I’m glad you liked it. Thanks for the feedback.

  • @BattyVibess 5 months ago +1

    After an hour of reading about PKI, trying to understand it and failing, I finally have a grasp on this now. Thank you, Paul!

  • @Yazeenj1 5 years ago +28

    Easy to understand and a really great explanation Paul, I can't thank you enough for this

    • @PaulTurnerChannel 5 years ago

      SkillexeD, I'm really glad you like it. That means a lot to me. Thanks.

    • @zes7215 3 years ago

      wrg

  • @markduong92 3 years ago +1

    This is probably one of the best explanations of Public Key Infrastructure. Great Job. I'll be sure to share this video.

    • @PaulTurnerChannel 3 years ago

      I’m very glad you liked it, Mark. Thanks for the positive feedback!

  • @yanlevyexperience 4 years ago +2

    Great video on PKI Sir Paul, concise and informative. The best I have seen so far.

  • @salakhre3775 5 years ago +4

    The best, easiest and detailed explanation for beginners to the expert.
    Thank you for making such a great video.

    • @PaulTurnerChannel 5 years ago +1

      Thanks for the kind comment, Salakh. I really appreciate it.

  • @the-sunny-side-up 7 years ago

    These presentations are very very helpful, Paul. I was looking for an easy explanation of PKI certificate issuance and verification and your presentations were jackpot for me.

    • @PaulTurnerChannel 7 years ago

      I'm very glad to hear that, Arkadeep. Thank you for the feedback.

  • @jpbaloga 3 years ago +4

    This is a well-explained video about PKI since I'm on a journey for my CISSP cert. Thanks, Paul!

    • @PaulTurnerChannel 3 years ago

      Good luck on your CISSP, John. I’m glad you found it helpful. Thanks for the feedback.

  • @aletheagallacher4265 3 years ago +1

    Excellent presentation and clarity. Thank you!

    • @PaulTurnerChannel 3 years ago

      Thank you very much for the positive feedback, Alethea. I really appreciate it!

  • @afnaanladji947 4 years ago +1

    Hey Paul,
    your video makes a lot of sense.
    Well framed and explained.
    Thanks.

    • @PaulTurnerChannel 4 years ago +1

      Thank you for the feedback, Afnaan. I’m glad it makes sense.

  • @catch.2022 3 years ago +1

    This is a great video. It clarified so much for me. Thanks Paul!

    • @PaulTurnerChannel 3 years ago

      I’m so glad to hear that, Ajay. I appreciate you taking the time to comment.

  • @hawaiiansoulrebel 3 years ago +1

    Thank you for this explanation! Lots of other videos seem to rush through this topic.

    • @PaulTurnerChannel 3 years ago +1

      Well, I guess if we’re going to have a Hawaiian soul (reference to your great screen name), we definitely don’t want to rush it ;-). Thanks a bunch for the kind feedback.

  • @samnnamani a year ago

    I just want to hug you and say thank you. Awesome. Bravo

  • @hicksticks2001 2 years ago +1

    Was doing some research on post-quantum cryptography. How have I never come across this video before or your channel? I watched it for nostalgia's sake. Loved it! Glad to see it has gotten so many views.

    • @PaulTurnerChannel 2 years ago

      Hey, Aaron. Great to hear from you. Coming from a person who could teach the topic much better than me, that means a lot.

  • @ClinsenYT 9 days ago

    This is such a nice explanation! Thank you!

  • @paulaganbi5236 4 years ago +1

    I've been studying PKI for the past 3 weeks for an upcoming exam and I have struggled to grasp it. I watched this video and I instantly understood the basics of the concept. Thank you for this.

    • @PaulTurnerChannel 4 years ago

      Paul, you put a big smile on my face when I read your note. I apologize for being slow in responding. I'm glad the video was helpful!

  • @Schmo_theoriginal 3 months ago

    Why is this video so well put together?

  • @nareshmallavolu a year ago

    Awesome, thanks!! It is a good help for me to understand the PKI better

    • @PaulTurnerChannel a year ago

      Thank you for taking the time to leave a comment, Naresh. I’m glad it was helpful.

  • @toddpatrick7695 5 years ago +1

    Outstanding video... thank you!

    • @PaulTurnerChannel 5 years ago

      Todd, thanks for taking the time to give your feedback. I really appreciate it.

  • @ifeastontoenails 2 years ago

    Your PKI videos really helped me think through my science fiction writing. Thanks!

    • @PaulTurnerChannel 2 years ago

      Haha. I’m not sure how to take that. I hadn’t been shooting for fiction on the videos but must have made quite an impression with my delivery to inspire your sci-fi writing 😃

    • @kam...3247 2 months ago

      Where can I read your sci-fi novel?

  • @felipefn88 5 years ago

    Great! Thank you for taking the time.

    • @PaulTurnerChannel 5 years ago

      Thank you for taking the time to send me a comment, Felipe. I'm glad you found it helpful.

  • @SSSingh1320 2 years ago +1

    Great explanation Paul. Easy to understand and precise.

    • @PaulTurnerChannel 2 years ago +1

      Thank you very much for the feedback, Shashank. I really appreciate it. I’m glad it was helpful.

    • @SSSingh1320 2 years ago

      @PaulTurnerChannel Was searching this topic for the first time and glad I landed directly on this. You explained the entire architecture very well. Thanks again. Stay safe.

  • @uglyface7665 3 years ago +1

    Thank you so much. The video was very helpful.

    • @PaulTurnerChannel 3 years ago

      Thank you for taking the time to give me your feedback. I’m really happy to hear it was helpful.

  • @Mr_Duck_RVA a year ago

    Great video, you explained it so well.

  • @ofsoundmind28 3 years ago +1

    OMG I love your videos thank you so much.

    • @PaulTurnerChannel 3 years ago

      Thank you for your enthusiastic feedback. Comments like this make my day, Mason.

  • @lokeshselvakumar4058 2 years ago +1

    Great content explained in a simple way!

    • @PaulTurnerChannel 2 years ago

      Thank you for the feedback, Lokesh. I’m glad it was understandable.

  • @dorab.theitexplorer6462 3 years ago +2

    Thanks a lot, it really helped me to clear my vision. Greetings from North Africa

    • @PaulTurnerChannel 3 years ago +2

      Doudi, you put a big smile on my face with your greeting. Though the internet is clearly global, I frankly never anticipated that the videos I was creating would be viewed from so many different continents and countries. I’m glad you found the video helpful. Thank you so much for reaching out from half way around the world ;-)

  • @wobuntu 5 years ago +1

    Better than any lecture on this topic, thanks so much, very, very good video

    • @wobuntu 5 years ago +1

      Could you probably recommend some sources/books/papers/articles? You made me curious, I'd love to read more about it

    • @PaulTurnerChannel 5 years ago +2

      Thank you very much for the feedback, Mathias. I wish I could point you to something I've read but I started in PKI a long time ago and, having learned most of what I know on the job, haven't kept up with books much. However, I can strongly recommend you looking at Ivan Ristic's book "Bulletproof SSL and TLS". He's very knowledgeable in this space. I also believe there is some other guidance that will be coming out soon and will give you a heads up when it hits the street.

    • @wobuntu 5 years ago

      @PaulTurnerChannel
      Thank you Paul!

  • @jdobbs42 3 years ago +1

    Outstanding! Thank You

    • @PaulTurnerChannel 3 years ago

      Thank you very much for your feedback, Jason!

  • @abhishekyadav0007 6 years ago

    Easy to understand.. thanks Paul

  • @Flappy9 a year ago +1

    Thanks Paul!

  • @salmanriaz7892 a month ago

    @paul many thanks for making it so easy to understand! Did you make any explaining private CA and how they work?
    I have already found one of your videos on X.509

  • @joshd1732 4 years ago +1

    Thank you for this.

    • @PaulTurnerChannel 4 years ago

      You are very welcome, Josh. I hope it was helpful.

  • @meccaadams9299 3 years ago +1

    OMG! I'm studying for the Security + exam and this video has helped me understand CRL, Root, and OCSP. Thank you for making this video

    • @PaulTurnerChannel 3 years ago +1

      Mecca, I’m so glad you found the video helpful. Good luck on your exam. I’m sure you will do great.

  • @aa-ur8wu 5 years ago +1

    Thank you from France

    • @PaulTurnerChannel 5 years ago

      :-)
      Thanks for your note. It gave me a big smile. Vive la France!

  • @PaulEllisBIGDATA 2 years ago +1

    Thank you.

    • @PaulTurnerChannel 2 years ago

      Thank you for taking the time to leave a comment, Paul!

  • @3eenab 6 years ago

    Thanks a lot.

  • @clebo99 4 years ago +2

    Very nice video. Thank you.

    • @PaulTurnerChannel 4 years ago

      I appreciate the feedback. I have to say that I didn’t expect that particular video to be as well received and helpful as it appears to be. I’m glad it is helpful!

    • @clebo99 4 years ago

      @PaulTurnerChannel No problem. I learn a lot from YouTube and this was great. If I may ask a follow-up question (since you responded so quickly). I'm also trying to learn about HSMs and my main/basic question is: Can an HSM be a CA as well or are they traditionally/always separate systems?

    • @PaulTurnerChannel 4 years ago

      A CA would use an HSM to secure its signing key but you would likely not want an HSM to BE a CA. The reason is that HSMs must conform to a standard called FIPS 140, which is very restrictive and requires retesting for certification when changes are made to the internal code. HSMs typically perform a limited number of functions (key gen, signing, etc.) and therefore have a smaller code base and don’t require frequent changes/updates. On the other hand, CAs typically have large amounts of code and need updating frequently with new functionality to respond to changing market needs. The size of CA code would significantly extend testing/certification times and the retesting for certification would slow down the ability to get new features out. Consequently, most CAs have not been built into HSMs and instead use them as a security resource to protect their signing keys. Hope this makes sense.

    • @clebo99 4 years ago

      @PaulTurnerChannel Perfect. Much appreciated!!!!!

  • @UralaTAO 3 years ago +2

    Thanks for that man.

    • @PaulTurnerChannel 3 years ago

      Thank you, BTC. I appreciate you taking the time to comment. Glad it was helpful.

  • @rahellhamarash2915 3 years ago +3

    Thank you for the great explanation, but may I ask what is the currently used method to check for validity of certificates? From what I understand it's what we call OCSP stapling, which you didn't talk about

    • @PaulTurnerChannel 3 years ago +2

      Hi, Rachell. Thanks for pointing that out. This is an older video and I didn’t include OCSP stapling. It has become much more widely used. I appreciate you bringing it up.

  • @sanskarsingh9538 4 years ago +1

    Smooth like butter

  • @citizensnipsnw 5 years ago

    Excellent video

  • @houssemedyn5678 4 years ago +1

    Thank you

    • @PaulTurnerChannel 4 years ago

      Thank you for taking the time to comment, Houssem.

  • @pacmanh22 3 years ago +1

    Great video! I have PKI infrastructure in place from a previous engineer. I need to set up EAP+TLS for RADIUS wireless, where can I get a private cert? GoDaddy? Or can the Root CA generate one?

    • @PaulTurnerChannel 3 years ago +1

      Hi, Daniel. Sorry for the slow response. Your internal PKI infrastructure should have an issuing CA. That is where you want to issue the EAP-TLS Cert from. If you only have a root CA, you should strongly consider setting up a new issuing CA (and possibly a new root, since the existing root would have gotten lots of exposure if it was issuing end entity certs (e.g., TLS certs)). I hope this helps.

  • @rmcgraw7943 3 years ago +1

    Very good intro to certs.

    • @PaulTurnerChannel 3 years ago

      Thank you very much for the feedback, Lee. I’m glad it was helpful.

  • @vitoralexandrino3328 5 years ago +1

    Paul, great explanation, is there any way I can get this PowerPoint file to present in my class in my own language?

    • @PaulTurnerChannel 5 years ago

      Vitor, let me look into this. Those slides are technically owned by Venafi, the company I used to work for. I'll check with them. It may take me a bit to get back to you. I appreciate the feedback.

  • @PrakashSingh-to1nl 5 years ago +1

    This is by far the best video on this topic I have come across.. 🙂 I am glad that I have found it .. Paul any thoughts on browser vs server certificate? Will love to see ur explanation..

    • @PaulTurnerChannel 5 years ago

      I appreciate you saying that, Prakash. Can you clarify your question about browser (client) vs server certificates? Are you asking about when client certificates should be used or some other aspect? Thanks for your question. Sorry for not understanding it.

    • @PrakashSingh-to1nl 5 years ago

      @PaulTurnerChannel thanks for your reply.. I was referring to server to server vs browser to server communication .. behavioural difference between these two types of communication... though I really appreciate ur reply.. Thanks

    • @PaulTurnerChannel 5 years ago +1

      Prakash, your question is a little broad so I'm not sure I'll be answering what you're inquiring about. With respect to server-to-server (S2S) vs. browser-to-server (B2S), there are no differences in the TLS protocol or the TLS server certificates used in both cases. The primary difference I see between the two is how they will respond to errors.
      For example, with S2S, the server acting as a client will shut down the TLS connection and log an error if an expired certificate or name mismatch is encountered. The application served by the S2S communications will stop operating at that point. With B2S, the browser will display an error for the user when an expired certificate is encountered. The user is free to make a choice on how they respond (click through or abandon). The browser manufacturers have made their errors more stern and difficult to dismiss so users are less likely to click through the error but it is not impossible. If they don't click through, they will likely try to contact support for the application (since they can't get to it).
      The reason I raise this difference (again, not knowing if this is what you were looking for) is that the situation is subtly but importantly different between the two. In the S2S case, someone has to dig through log files to figure out why the application stopped working. In the B2S case, it is pretty clear from the error messages displayed in the browser what happened (especially, if the support person tries to connect to the server and they get the error message). I've heard of organizations troubleshooting S2S expired certificate issues for several hours before they figure out what happened. If there are multiple clustered systems acting as servers and there is only an expired certificate on one (e.g., the others were updated), this can make it even more difficult to troubleshoot because you have a load balancer spreading clients across the clustered servers and it only fails intermittently.
      As I write this, I realize I'm probably way off from what you were interested in. If so, can you please restate your question? It doesn't appear that you were asking about client TLS certs and the difference between servers acting as clients and browsers. I'm sorry if I'm being slow on this.

    • @PrakashSingh-to1nl 5 years ago

      @PaulTurnerChannel thanks!! for the detailed explanation.. that pretty much explained my question..🙂

  • @chandu354 2 years ago +1

    Very helpful 👍👍👍❤️❤️

    • @PaulTurnerChannel 2 years ago

      I’m very happy to hear it was helpful, Chandu!

  • @Duduicostin 2 years ago +2

    Finally, I can understand PKI

    • @PaulTurnerChannel 2 years ago

      I’m glad it was helpful, Costin. Thank you for the feedback.

  • @thomasaragaw7415 3 years ago +1

    Hi Paul,
    Thank you for explaining this subject. Is it possible to find out the RA and VA from the website digital certificate?

    • @PaulTurnerChannel 3 years ago

      Hi, Thomas. Thanks for your question. You cannot determine the RA from the certificate unless the CA chooses to add a proprietary extension (I'm not aware of any standard extensions that list the RA but may have missed it).
      From the certificate, you can determine the certificate authority (CA), the CRL distribution point (CDP), OCSP responder location, and the location where the CA chain can be retrieved (CA Issuers). I hope this helps.
      I'm curious. Why would you want to determine the RA from the certificate as a relying party? I'm not sure what a VA is. Again, I may have missed that term in my travels so feel free to enlighten me.
      Thanks a bunch for the question

  • @ohaRega 2 years ago +1

    Awesome

    • @PaulTurnerChannel 2 years ago

      Thank you for the feedback. I’m glad you liked it.

  • @jda3741 4 years ago +1

    I thought the diagram you used to describe the whole process was very useful. I was just wondering what software you used to create it.

    • @PaulTurnerChannel 4 years ago

      Hi, JD. I use PowerPoint to create the graphics and animations. Thanks a bunch for your feedback. I’m glad you liked it.

  • @junaid_qadir 2 years ago +1

    Hi Paul, this is a very awesome explanation indeed. Thanks for the wonderful lecture. Now can you please implement this scenario in code? Secondly, how have you made these slides, is it PPT or any other software?

    • @PaulTurnerChannel 2 years ago

      Thanks for the feedback, Junaid. The slides were created with PowerPoint.

    • @junaid_qadir 2 years ago

      @PaulTurnerChannel Thanks for your prompt response. Do you supervise students? How can I reach you privately?

    • @PaulTurnerChannel 2 years ago

      Hi, Junaid. You can contact me on LinkedIn with my name and Epuio.

    • @junaid_qadir 2 years ago

      @PaulTurnerChannel Thank you so much, sure I will get in touch with you soon.

  • @valb4184 6 years ago +1

    Hi Paul, really informative tutorial. I have a question, can you explain the difference between Centralized (CA generates both keys) vs Decentralized (user generates both keys), does the CA digitally sign the Digital Certificate along with the keys and send it to the user? Thank you.

    • @PaulTurnerChannel 6 years ago +2

      Hi, Val. Good question. If you have the CA centrally generate the key pair, the user will provide their information for inclusion in the certificate and the CA will generate the key pair (public and private key), issue a certificate containing the public key, and provide the private key and certificate for download by the user. The private key should be protected by a password when downloaded. In most cases, the private key and password will be provided in PEM or PKCS#12 format (file format of the keystore). Generally, you don't want to have a public CA creating key pairs for you unless you're leveraging the CA as a key escrow/backup service (which only makes sense for things such as email encryption, where you don't want to risk losing all copies of your private key).
      With decentralized key generation, the user generates the key pair along with a CSR (which contains the public key). They submit the CSR to the CA. The CA uses the information within the CSR and whatever other information they choose to issue a certificate. The CA returns the certificate back to the user. The user installs certificate and private key in the needed location for the application that will use them for both centralized and decentralized. I hope this helps.
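
The decentralized flow described in the reply above, as an added example that is not part of the original comment or the video: the user generates the key pair and CSR, a CA issues from the CSR alone, and the user checks the returned certificate against the local private key before installing it. The throwaway CA, the file names, `www.example.test` and the function name `csr_flow` are constructed for this example.

```shell
#!/bin/sh
# Added example: decentralized key generation with the openssl CLI.
set -eu

csr_flow() (
    umask 077                          # key files readable by the owner only
    work=$(mktemp -d) && cd "$work"

    # Stand-in for the issuing CA (constructed): a self-signed cert and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null

    # 1. User side: generate the key pair and a CSR. user.key stays on this
    #    side; -nodes (no passphrase) only keeps the demo non-interactive.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout user.key -out user.csr 2>/dev/null

    # 2. What is submitted to the CA: the CSR holds the public key and is
    #    signed with the private key, but must not contain the private key.
    if grep -q "PRIVATE KEY" user.csr; then leak=yes; else leak=no; fi
    if openssl req -in user.csr -noout -verify 2>&1 | grep -q "verify OK"
    then pop=ok; else pop=fail; fi

    # 3. CA side: issue a certificate. Only user.csr is read from the user.
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 7 -out user.crt 2>/dev/null

    # 4. User side: before installing, confirm the returned certificate
    #    carries the public key that matches the local private key ...
    cert_pub=$(openssl x509 -in user.crt -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in user.key -pubout | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then match=yes; else match=no; fi

    #    ... and that it chains to the CA the user expected.
    if openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1
    then chain=ok; else chain=fail; fi

    cd / && rm -rf "$work"
    echo "csr_leaks_key=$leak pop=$pop key_match=$match chain=$chain"
)

csr_flow
```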

    • @valb4184 6 years ago +1

      You are awesome!

    • @valb4184 6 years ago

      Thanks Paul, explained really well. I keep coming back to your videos for references.

  • @austin12091 2 years ago +1

    Would have been great to have seen this for my Sec+ test

    • @PaulTurnerChannel 2 years ago

      I guess we’d need a time machine for that MillerTheGreat ;-). Sorry that you didn’t find it before the test. Hope it was helpful nonetheless.

  • @fbifido2 10 months ago

    @4:50 - what's the max & min timeframe (using pki best practice as a guide) for a Root-CA and an Issuing-CA?

  • @entertainmentnlearning7941 4 years ago +1

    nice

  • @giladbaruchian7522 5 years ago +1

    So if you DDoS all the OCSP you can break large chunks of the internet? :)

  • @Mike-kq5yc 10 months ago +1

    Hello. Can you recommend any resource for understanding and implementing the underlying architecture and (as well as file organization) of every component in the PKI ecosystem such as CA, Root CA, ..., if it were to be established and deployed in a real life insecure infrastructure?

    • @PaulTurnerChannel 10 months ago +1

      Hi, Mike. Sorry for the slow response. There are a variety of good PKI consulting organizations out there. You might talk with Encryption Consulting (www.encryptionconsulting.com) or Komar Consulting (www.komarconsulting.com). Brian Komar also has written several papers and books. I hope that helps.

    • @Mike-kq5yc 10 months ago

      @PaulTurnerChannel Never mind. I am glad that you took your time to respond. Would you mind if I message you on YouTube? I need a couple of tips for my current project if you do not mind

    • @PaulTurnerChannel 10 months ago

      No problem, Mike. My primary expertise is in the cert and key mgmt of PKI. There are many others better than me at CA deployment and mgmt.

    • @Mike-kq5yc 9 months ago

      @PaulTurnerChannel Can I have your E-Mail Address? I cannot find any way to communicate with you. I posted my E-Mail here in a comment but it got deleted somehow

    • @PaulTurnerChannel 9 months ago

      @Mike-kq5yc Sorry for the slow response. Please connect with me on LinkedIn at www.linkedin.com/in/equio/.

  • @prash2905 3 years ago +1

    At 4:11, do you mean giving their "PUBLIC KEY" certificate?

    • @PaulTurnerChannel 3 years ago +1

      Hi, Prashanth. Good catch. It sounds like I say "root" certificate there (before I even introduce the concept of a root certificate). Yes, I meant to say they provide their own certificate, which is a public key certificate. Thank you for catching that!

    • @prash2905 3 years ago

      @PaulTurnerChannel Paul, I seriously love your videos and I hope you make more videos where you take complex topics and break them down like this. Thank you x 100. I was just making sure I understood it right. I don't mean to point out mistakes. I hope you have a fantastic day!

    • @prash2905 3 years ago

      @PaulTurnerChannel Your videos will be here forever and help countless folks! Thank you again.

  • @td4yd154 2 years ago

    The entire process starts with Sally requesting a website by entering a password? Bob tells the CA that the cert is not good anymore? Confusing.

    • @PaulTurnerChannel 2 years ago

      I’m sorry you found it confusing, TD. The portion about Sally is not meant to imply she is requesting a website. She knows she wants to use that particular website and wants to do so securely. The rest of the video explains how the PKI system was designed to support that secure communication. Again, I’m sorry you found the video confusing. I hope you’re able to find information that is helpful to you.

  • @shubhamsingla2120 5 years ago +1

    What will happen if some client has copied the certificate of the website and then started being that website because he has the certificate and now this stealing client can host a similar website with this certificate and fooling other loyal clients? :(

    • @PaulTurnerChannel 5 years ago +1

      In the case you’re mentioning, the attacker would need to steal the private key that matches the certificate (typically installed on the server to which the certificate is assigned). Then they would need to redirect traffic to come to their server instead of the legitimate server. Please see my response to your question about MITM for additional background. I hope this helps.

  • @marcooceda5832 4 years ago

    Is PKI the same as KPI? I have work about KPI with Power Pivot

    • @PaulTurnerChannel 4 years ago

      Marco, I have to confess that I don't understand your question. I have never heard PKI (public key infrastructure) referred to as KPI so I would have to reply that they're not the same. The only time I've heard of KPI is for "key performance indicators". That is definitely not the focus of this presentation.

    • @marcooceda5832 4 years ago

      @PaulTurnerChannel Is the PKI related to Excel Power Pivot?

    • @PaulTurnerChannel 4 years ago

      Hi, Marco. No. This presentation is not about Power Pivot in Excel. I hope you find a good resource to help you on that topic. Good luck.

    • @bobonaqa 4 years ago

      @PaulTurnerChannel Is mayonnaise an instrument?

  • @bhootnimon a year ago +1

    Plz speak little loud 🔊 or Inc volume of mike

    • @PaulTurnerChannel a year ago +1

      Sorry, Swagata. That was one of my early videos when I didn’t have a good microphone.

  • @anakkeempat 2 years ago

    Hello, can anyone help me with how to install SignServer on Ubuntu server.. urgent

    • @PaulTurnerChannel 2 years ago

      Hi, Dita. I don’t have any experience with SignServer. Are you having trouble with the documentation? Have you tried reaching out to someone on the user forum sourceforge.net/projects/signserver/support ?

  • @silvertad3833 2 years ago

    @ 3:30 : " ... the software manufacturers putting the relevant certificate authorities in the software" , inaccurate statements

    • @PaulTurnerChannel 2 years ago

      Hi, Silver. I’m confused by your comment. Many operating systems and other software/hardware come preloaded with root certs. Can you clarify?

    • @silvertad3833 2 years ago +1

      @PaulTurnerChannel Hi Paul, they are putting "root certificates" in the software/hardware not "certificate authorities", the certificate authorities are organizations

    • @PaulTurnerChannel 2 years ago +1

      Ah. You are correct. I didn’t realize I had said that in the video. Good catch.

  • @syahputraadha4854 4 years ago +5

    PKI is (partai komunis indonesian) Indonesian communist party in 1948-1965

    • @PaulTurnerChannel 4 years ago +1

      :-). And all this time I thought it stood for public key infrastructure. I stand corrected. On a serious note, I was not aware of the existence of the PKI in Indonesia. Thank you for broadening my horizons.

    • @yosatip182 4 years ago

      BP U PKI

  • @sharifahsuhailasyedmuhsein6802 4 years ago

    What is pki?: *commie indonesia*

    • @PaulTurnerChannel 4 years ago

      Hello, Sharifah. I wasn’t aware of the PKI in Indonesia. I’m sorry for the overlap. I didn’t pick the name “public key infrastructure”, which results in “PKI” and is a broadly used term in the technology industry. This video is to help technologists understand that technology. I wish you all the best.

  • @genericrocker7655 a year ago +1

    Speak up! Max volume and I can still barely hear you.

    • @PaulTurnerChannel a year ago

      Sorry, Generic Rocker. This was one of my early videos before I understood the importance of a good microphone. Hopefully, some of my later videos have better sound quality. Thanks for pointing it out. All the best.

  • @BabuBakthavachalam 3 years ago +1

    Thank you

    • @PaulTurnerChannel 3 years ago

      Thank you for your expressions of appreciation for several videos. I’m very happy you find them useful.