An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Public Key Infrastructure (PKI) in Cybersecurity.
Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.
Public-key infrastructure (PKI) is what makes internet encryption and digital signatures work. When you visit your bank website you are told it is encrypted and verified.
Before we talk about what exactly PKI is, we need to talk about public-key cryptography. Public-key cryptography is a type of cryptography that uses asymmetric encryption which is a type of encryption that uses multiple keys. Public-key cryptography has a private key, and a public key. Both keys can encrypt data, but the public key can only decrypt data encrypted by the private key. The public key can also not be easily derived from the private key.
If two people exchange public keys with each other, they can talk to each other securely. They do this by encrypting messages with their own private key as well as the other person’s public key. There is one big question: how do these people exchange public keys securely? If they send them via an insecure channel, someone could intercept the keys, and substitute in their own, different keys. Each person would think they were talking directly with the other, when, in fact, they were both now talking to an attacker.
- Public-key cryptography can create secure channels of communication, but it requires an existing secure channel to exchange keys.
This is the problem that PKI aims to solve. PKI’s most basic purpose is to securely distribute and manage public keys.
- It does this using trusted third parties who verify the authenticity of public keys and then use their own private keys to digitally sign the public keys. That way, even if the key is not encrypted and has to be sent over cleartext, we will still be able to verify that the key is trusted by the third party.
PKI takes advantage of the fact that information encrypted with a private key can be decrypted by anyone with the corresponding public key. This is used to create digital certificates vouching for the authenticity of a given public key. The third-parties who verify the authenticity are known as certificate authorities, or CAs for short.
You may have noticed this doesn’t actually solve the problem of securely exchanging public keys... it just moves it! We still need some way to securely get the certificate authority’s public key. For this reason, there are hierarchies of certificate authorities, with root CAs at the top of the hierarchy.
When we install an operating system on a device, that operating system comes with the certificates for root CAs already installed on it. Our computer uses these certificates to determine which root CAs it can trust, and, from there, follows the chain of trust until it is able (or unable) to verify the authenticity of the public key for, say, a website.This system isn’t perfect. There have been cases of computer manufacturers installing additional root CAs on computers without informing customers, for the purpose of distributing ads. There have also been instances of certificate authorities having their private keys compromised. For these reasons, PKI usually has additional security features.
Certificate Revocation is the ability for certificate authorities to revoke certificates, essentially saying "we no longer verify the legitimacy of this private key." Certificates also expire after a set amount of time and must be renewed. Certificate pinning is when a computer or software remembers what certificate a given entity (usually a website) uses. Even if a CA is compromised and maliciously issues certificates for that entity, they won’t match the saved certificate and won’t be accepted.
Well, pretty much every website we use, for one thing! The github.com domain, for example, has a SSL certificate that proves it’s the real website and not an impostor. That certificate is signed by a certificate authority, and follows a chain of trust back to a certificate that’s on our computer somewhere. When we connect to codecademy.com via HTTPS, our browser requests Codecademy’s certificate and uses it to verify the legitimacy of the server before establishing a secure connection.
While we usually talk about PKI in the context of web security, it comes in handy any time we need a system to exchange public keys and verify their authenticity. PKI can be used for wireless network security, multi-factor authentication, file-sharing, remote connection protocols, email security, digitally signing documents, and more!
PKI is an essential technology for modern security, serving as a foundation for modern web security. While PKI can seem intimidating at first, it isn’t as hard to understand once we see what problems it tries to solve, and know about the cryptographic principles that make it work. Not everyone needs to know the technical details of how PKI works, but it’s something that everyone in cybersecurity should have a basic knowledge of.
An X.509 PKI is a security architecture that uses well-established cryptographic mechanisms to support use-cases like email protection and web server authentication. In this regard it is similar to other systems based on public-key cryptography, for example OpenPGP [RFC 4880]. In the realm of X.509 however, and thanks to its roots in a globe-spanning scheme devised by the telecom industry [X.400], these mechanisms come with a fair amount of administrative overhead.
One thing to keep in mind is that X.509 is not an application, but a specification upon which applications like Secure Multipurpose Internet Mail Extensions (S/MIME) and Transport Layer Security (TLS) are based. The building blocks are very generic and derive most of their meaning from the relations that exist/are established between them. It’s called an infrastructure for a reason.
Security architecture where trust is conveyed through the signature of a trusted CA.
Entity issuing certificates and CRLs.
Entity handling PKI enrolment. May be identical with the CA.
Public key and ID bound by a CA signature.
Request for certification. Contains public key and ID to be certified.
List of revoked certificates. Issued by a CA at regular intervals.
Document describing structure and processes of a CA.
- Root CA
CA at the root of a PKI hierarchy. Issues only CA certificates.
- Intermediate CA
CA below the root CA but not a signing CA. Issues only CA certificates.
- Signing CA
CA at the bottom of a PKI hierarchy. Issues only user certificates.
Certificate of a CA. Used to sign certificates and CRLs.
Self-signed CA certificate at the root of a PKI hierarchy. Serves as the PKI’s trust anchor.
CA certificate issued by a CA external to the primary PKI hierarchy. Used to connect two PKIs and thus usually comes in pairs. [1]
End-entity certificate issued for one or more purposes: email-protection, server-auth, client-auth, code-signing, etc. A user certificate cannot sign other certificates.
- Privacy Enhanced Mail (PEM)
Text format. Base-64 encoded data with header and footer lines. Preferred format in OpenSSL and most software based on it (e.g. Apache mod_ssl, stunnel).
- Distinguished Encoding Rules (DER)
Binary format. Preferred format in Windows environments. Also the official format for Internet download of certificates and CRLs.
The examples are meant to be done in order, each providing the basis for the ones that follow. They are relatively low on prose, we prefer to let the configuration files and command lines speak for themselves.
You will find a reference section at the bottom of each page, with links to relevant parts of the OpenSSL documentation. Please use these links for details on command line options and configuration file settings.
- We recommend at least OpenSSL 3.0.5. Check with:
The examples are designed to be simple, consistent, complete, and reproducible. They are not meant to showcase the latest trends in PKI design nor do they explore every last feature of OpenSSL. Rather, they can serve as templates for you to modify and extend when creating your own PKIs.
- In this example we create the simplest possible PKI: One root CA and one signing CA. We use the PKI to issue email-protection and TLS-server certificates. For further understanding, please see here
- In this example we create a larger setup, consisting of a root CA and three signing CAs. We use the PKI to issue email-protection, TLS-server, TLS-client, and code-signing certificates. We encounter two new certificate extensions: authorityInfoAccess and crlDistributionPoints. For further understanding, please see here
- In this example we create a 3-tier CA hierarchy: One root CA, one intermediate CA, and two signing CAs. We use the PKI to issue identity & encryption certificates to end-users, as well as TLS-server, TLS-client, time-stamping, and OCSP-signing certificates to network components. We introduce the subjectInfoAccess and certificatePolicies extensions. We also show how to work with OCSP responders. For further understanding, please see here
The organizations behind the browser and the operating system development maintain the most widely used collections of up-to-date certificate authority certificates.
Root programs keep the list up-to-date and work together on the process standardization.
Chrome Root Program
Mozilla's CA Certificate Program
Apple Root Certificate Program
Microsoft Trusted Root Certificate Program
The Common CA Database (CCADB) - managed by Mozilla, supported by Microsoft & Google
Everything you Never Wanted to Know about PKI but were Forced to Find Out (PDF) - by Peter Gutmann
PKI: It’s Not Dead,Just Resting (PDF) - Peter Gutmann
X.509 Style Guide - by Peter Gutmann
SSL/TLS and PKI History - Feisty Duck
How to build your own public key infrastructure - The Cloudflare Blog
Everything you should know about certificates and PKI but are too afraid to ask - Smallstep Labs blog
Path Building vs Path Verifying: The Chain of Pain
Certificate Transparency: a bird's-eye view
Key Management Cheat Sheet, OWASP
Certificate Policy and Certification Practice Statement documents for ISRG / Let's Encrypt
Checklist on building an Offline Root & Intermediate Certificate Authority (CA) - Stack Overflow
Certificate Authority with a YubiKey
Get started with the Nitrokey HSM or SmartCard-HSM
PKI maturity model - by PKI Consortium
PKI Posters - Posters by Carl Mehner about the entire lifecycle of an SSL certificate
Why I don't like smartcards, HSMs, YubiKeys, etc. - Hacker News
The Untold Story of PKCS#11 HSM Vulnerabilities - Cryptosense
A survey of Hardware Crypto Devices (PDF) - cryptotronix
Linux smart cards (OpenSC) - How-to - Cédric Dufour blog
Key Management and use cases for HSMs - Cryptomathic
What is Key Management? a CISO Perspective - Cryptomathic
The Definitive Guide to Encryption Key Management Fundamentals - Townsend Security
Example of an IANA DNSSEC signing ceremony - not x509, but describes the procedure of a serious key ceremony
Security Concepts, Subsection 28.9: Key Management - blog of Travis
NIST Key Management Guidelines
NIST Cryptographic Module Validation Program
Commercial Cryptographic Key Management in 2018
Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications, Ivan Ristić
Cryptography Engineering: Design Principles and Practical Applications, Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno
Security Engineering, The Second Edition (2008) - Chapter 21: Network Attack and Defence, Ross Anderson
Encyclopedia of Cryptography and Security, Henk C.A. van Tilborg
Architecture for Public-Key Infrastructure (APKI), The Open Group Guide, 1999
Is the Web Ready for OCSP Must-Staple? (PDF)
The First Ten Years of Public-Key Cryptography - Whitfield Diffie (PDF)
Hackable Security Modules: reversing and exploiting a FIPS 140-2 lvl3 HSM firmware - video, PDF
PKI Bootcamp by Paul Turner - Playlist
How to be a Certificate Authority, feat. Ryan Sleevi - Security. Cryptography. Whatever. podcast
Fundamental X.509 PKI in Theory and OpenSSL (Cyrill Gössi) - Playlist
Software | pkcs11 support | ACME support | Notes |
---|---|---|---|
Let's Encrypt Boulder | yes | yes | not much documentation, no commercial support |
step-ca | yes | yes | cloud-ready CA with the commercial support |
EJBCA | yes | yes | $$$$ commercial support |
Dogtag Certificate System | yes | yes | n/a |
HashiCorp Vault PKI backend | no (only enterprise?) | no | API based CA |
CFSSL | no | no | PKI toolkit with an API |
easy-rsa | no | no | easy-rsa - Simple shell based CA utility |
OpenSSL Certificate Authority | yes | no | shell based CA leveraging OpenSSL |
XCA | yes | no | Certificate authority with a comprehensive GUI |
MIT License & cc license
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.