CompTIA Security+ Exam Notes


Sunday, April 19, 2020

Certificates - PKI (Public Key Infrastructure)

Types of Certificates

Self-signed: A certificate signed with its own private key rather than by a CA. Because it does not chain to a root that clients already trust, browsers and other clients will warn about it (or reject it) until the certificate is imported into the trust store of the machine attempting to access the server.

Root: Identifies the CA (Certificate Authority). There is no authority higher than the root, so its certificate must be self-signed; it is trusted only because it is pre-installed in the operating system's or browser's trust store.

User: There are certificate templates for standard users, administrators, recovery agents, smart card logon, etc.

Email: These are used for digitally signing and encrypting/decrypting email (S/MIME). On the exam, emails may be referred to as messages or electronic messages.

Code-signing certificates: These are used to sign software/applications so the end user can verify who published the product and that it has not been altered since it was signed (integrity).

Domain Validation (DV): This proves only that the requester controls the domain (for example by publishing a DNS record, serving a file over HTTP, or responding to an email sent to the domain). It does not verify the legal identity behind the domain, so it is the least trusted level: anyone who registers a look-alike domain can obtain a DV certificate for it.

Extended Validation (EV): A thorough check of the organization's legal identity, in addition to proof of domain control, is required before issuance. This is the most trusted certificate level. EV was intended to help against phishing by displaying the verified organization name in the browser, but note that major browsers have since stopped showing a distinct EV indicator, so that benefit is limited in practice.

Subject Alternative Name (SAN): An X.509 extension that lists every name the certificate is valid for. Some organizations own multiple domains and may choose to combine them into one certificate.
google.com
google.ca
android.com
youtube.com
Above are just a few of the domains Google owns. These can be listed in one certificate, making it a SAN (multi-domain) certificate. The SAN list is part of the signed certificate and cannot be changed after issuance, so if the company adds another domain later, the certificate must be reissued with the new name included.

Below is another example of when you would use a SAN certificate. If the organization installed three different web servers and the certificate needed to match each hostname, one SAN certificate could cover all three:
sales.example.com
info.example.com
training.example.com
In this case, the hostnames are "sales", "info", and "training", all under the domain example.com. A client checks the name it connected to against the SAN list, so each full name must appear there.

Wildcard: A wildcard certificate covers all first-level sub-domains of one domain, i.e. the "*" matches exactly one DNS label. This reduces the burden of an administrator having to obtain a certificate for each sub-domain. Note that *.practice.com does not cover the bare domain practice.com (it needs its own SAN entry) nor deeper names such as a.b.practice.com.

research.practice.com
marketing.practice.com
dallas.practice.com
chicago.practice.com
seattle.practice.com

The five above all belong to the same domain, so instead of five certificates, one could be purchased:

*.practice.com
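The following is an added example, not code from the original notes: a small hostname matcher that applies the SAN and wildcard rules described above (the single-label wildcard, case-insensitive comparison, rejection of partial wildcards) to constructed certificate data. The FakeCert class is an assumption standing in for the two X.509 fields that matter here; it is not a real X.509 parser.

```python
"""Hostname matching against a certificate's SAN list (RFC 6125-style rules).

Added example for the Security+ notes, not part of the original page.
FakeCert is a constructed stand-in for an X.509 certificate so this runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List


@dataclass
class FakeCert:
    """Constructed stand-in: only the subject CN and SAN DNS names are modelled."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (optionally wildcarded) against a hostname.

    Rules enforced:
      - comparison is case-insensitive and ignores a trailing dot, as DNS does
      - a wildcard is only allowed as the entire leftmost label ('*.example.com');
        partial wildcards such as 'w*.example.com' are rejected
      - the wildcard matches exactly one label: '*.example.com' matches
        'www.example.com' but neither 'example.com' nor 'a.b.example.com'
      - a wildcard must be followed by at least two labels, so '*.com' never
        matches (the restriction public CAs and browsers apply)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcard is not allowed
    if len(p_labels) < 3:
        return False  # '*.com' style wildcard is too broad
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label, no more, no fewer
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert: FakeCert, hostname: str) -> bool:
    """Return True if the certificate is valid for the given hostname.

    When the SAN extension is present only SAN entries are consulted; the subject
    CN is used only as a legacy fallback for certificates without a SAN.
    """
    if cert.san_dns:
        return any(_name_matches(name, hostname) for name in cert.san_dns)
    return _name_matches(cert.subject_cn, hostname)


# Constructed sample certificates mirroring the examples in the notes.
SAN_CERT = FakeCert(
    subject_cn="google.com",
    san_dns=["google.com", "google.ca", "android.com", "youtube.com"],
)
# The bare domain is listed explicitly because '*.practice.com' alone would not cover it.
WILDCARD_CERT = FakeCert(
    subject_cn="*.practice.com",
    san_dns=["*.practice.com", "practice.com"],
)

if __name__ == "__main__":
    for host in ["youtube.com", "www.google.com"]:
        print(f"SAN cert valid for {host}: {hostname_matches(SAN_CERT, host)}")
    for host in ["research.practice.com", "practice.com", "a.b.practice.com"]:
        print(f"Wildcard cert valid for {host}: {hostname_matches(WILDCARD_CERT, host)}")
```

Running the block shows the two caveats from the notes directly: www.google.com fails against the SAN certificate because only the bare domains are listed, and a.b.practice.com fails against the wildcard certificate because the asterisk matches a single label.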

X.509 Certificate: What you need to know
The certificate body is hashed (SHA-256 today; SHA-1 is deprecated for signatures) and the hash is signed with the issuer's private key (typically RSA or ECDSA). Verifying that signature with the issuer's public key is how a client confirms the certificate is genuine.
The issuer: the entity (CA) that issued and signed the certificate
The subject: the entity the certificate was issued to
The subject's public key, which the certificate binds to that identity
The validity period: "not before" and "not after" dates; the certificate is invalid outside this window
Extensions, such as the Subject Alternative Name (SAN) list and the key usage (server authentication, code signing, email protection, etc.)
