Domain 1 · 1.4 Cryptographic Solutions

1.4.7 Certificates

CA, CRL, OCSP, CSR, wildcard.

9 min

Certificates are electronic files based on the X.509 standard that verify the identity of an entity and enable encrypted communication through Public Key Infrastructure (PKI).

Key Roles and Components - Certificate Authority (CA): the trusted entity that validates identities, issues certificates, and manages the full lifecycle, including revocation. - Registration Authority (RA): an optional helper that verifies an applicant's identity before passing the request to the CA. - Certificate Signing Request (CSR): the application sent to a CA to request a certificate; it contains the applicant's public key and identifying details. - Self-signed certificate: signed by the same entity it identifies. Fine for internal development or intranet services, but it lacks external trust and should not be used on public-facing sites.

Validation and Revocation - Certificate Revocation List (CRL): a published list of serial numbers for certificates revoked before their expiry, for example after a key compromise. - Online Certificate Status Protocol (OCSP): a real-time check of a single certificate's status; faster and lighter than downloading a full CRL. - OCSP stapling: the web server attaches a recent, CA-signed status response to the TLS handshake, so the client need not contact the CA itself. - Expiration: every certificate has a fixed lifetime; once expired, the browser shows a security warning.

Trust Models and Specialized Types - Hierarchical trust: a single Root CA at the top issues to intermediate (subordinate) CAs, which issue to end users. Trusting the Root means trusting the whole chain. - Wildcard certificate: covers a domain and all its subdomains — for example, one for *.example.com secures mail.example.com and web.example.com. - Subject Alternative Name (SAN): lets a single certificate protect several specific names, such as example.com and example.org. - File formats: common encodings include PEM (Base64/ASCII) and DER or CER (binary).

Quick recall - CSR → the application form sent to a CA, containing your public key. - OCSP vs CRL → OCSP is the modern real-time check; CRL is the legacy revoked list. - Intermediate CA → distributes workload and shields the offline Root CA. - X.509 → the standard format for digital certificates. - Certificate chain → end-entity certificate → intermediate(s) → trusted Root CA.