PKI Terms

Amanda Davis

Public Key Infrastructure (PKI) forms the foundation of modern SSL Certificate security and digital trust systems.

Understanding the key terminology helps organizations implement robust security measures and make informed decisions about their SSL Certificate needs.

Trustico® provides this comprehensive overview of essential PKI concepts to help clarify the complex world of digital security.

Core PKI Components and Concepts

The fundamental building blocks of PKI include public and private key pairs, which work together to enable secure communications.

A public key can be freely distributed while its corresponding private key must remain securely protected by the owner. This asymmetric encryption system allows SSL Certificates to function effectively for securing web communications.

Certificate Authorities (CAs) serve as trusted third parties that validate and issue SSL Certificates. These organizations follow strict industry guidelines and security practices to maintain the integrity of the PKI ecosystem.

When a CA issues an SSL Certificate, it is essentially vouching for the legitimacy of the SSL Certificate holder.

A Certificate Signing Request (CSR) represents the first step in obtaining an SSL Certificate. This encoded file contains the applicant's organization information and public key, which the CA uses to generate the final SSL Certificate.

Creating a properly formatted CSR is crucial for successful SSL Certificate issuance.

Authentication and Validation Terms

Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) represent the three main types of SSL Certificate validation levels.

Each level requires progressively more thorough verification of the requesting organization's identity before an SSL Certificate can be issued.

The Common Name (CN) refers to the fully qualified domain name that the SSL Certificate will secure. For wildcard SSL Certificates, the Common Name includes an asterisk to indicate coverage of multiple subdomains.

Understanding proper Common Name formatting helps prevent SSL Certificate implementation issues.

Subject Alternative Name (SAN) allows a single SSL Certificate to secure multiple domain names. This feature provides flexibility and cost savings compared to purchasing individual SSL Certificates for each domain.

Modern SSL Certificates commonly utilize SAN functionality to protect multiple related domains.
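The Common Name and SAN rules above are where implementation issues usually surface: a wildcard covers exactly one label, and once a certificate carries SAN entries, clients ignore the Common Name entirely. The following is an added illustration written for this page, not code from Trustico or from any TLS library; the `CertNames` container and the function names are assumptions for the example.

```python
"""Hostname matching against an X.509 certificate's names (SAN and CN).

Mirrors the rules clients apply (RFC 6125 / RFC 2818 style):
  * if the certificate carries any dNSName SAN entries, only those are
    consulted and the Common Name is ignored;
  * a wildcard is honoured only as the complete left-most label
    ("*.example.com"), matches exactly one label, and does not cover
    the bare domain;
  * comparison is case-insensitive and ignores a trailing dot.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity fields of a certificate that matter for hostname checks (constructed)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be the entire left-most label, with at least two
    # labels after it, so "*.com"-style names and "w*.example.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" covers exactly one label: same label count, remaining labels identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """Return True if the certificate is valid for `hostname`."""
    if cert.san_dns:  # SAN present: the Common Name is not consulted at all
        return any(_name_matches(n, hostname) for n in cert.san_dns)
    return cert.common_name is not None and _name_matches(cert.common_name, hostname)
```

Run `hostname_matches(CertNames(common_name="*.example.com"), "example.com")` to see the classic surprise: a wildcard certificate does not secure the bare domain, which is why such certificates are usually issued with the apex name as an extra SAN entry.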

Security Protocols and Standards

Transport Layer Security (TLS) represents the current standard for encrypted communications, having evolved from the older Secure Sockets Layer (SSL) protocol.

While we still use the term SSL Certificate, modern implementations utilize TLS protocols for enhanced security and performance.

X.509 defines the standard format for SSL Certificates and other digital certificates.

This internationally recognized standard ensures compatibility across different systems and applications. All legitimate SSL Certificates conform to X.509 specifications for structure and content.

The Online Certificate Status Protocol (OCSP) enables real-time verification of SSL Certificate validity.

OCSP Stapling improves this process by allowing the web server to fetch and cache the signed OCSP response and present it to clients during the TLS handshake, reducing lookup times and enhancing performance while maintaining security.

Key Management and Storage

Hardware Security Modules (HSMs) provide secure storage for private keys and other sensitive cryptographic materials. These specialized devices offer physical and logical protection against unauthorized access or tampering.

Many Certificate Authorities utilize HSMs as part of their security infrastructure.

Key length refers to the size of the cryptographic keys used in SSL Certificates, typically measured in bits.

Longer key lengths provide stronger security but require more computational resources. Current industry standards recommend minimum key lengths of 2048 bits for RSA keys.

SSL Certificate revocation occurs when an SSL Certificate needs to be invalidated before its natural expiration date. This might happen due to private key compromise, organization changes, or other security concerns.

Certificate Revocation Lists (CRLs) and OCSP provide mechanisms for checking SSL Certificate validity status.
