Reference LibraryPublic Key Infrastructure
CryptographyDomain 3: Security Architecture & Engineering

Public Key Infrastructure

Exam Relevance:

PKI is the trust framework that binds public keys to identities using digital certificates and Certificate Authorities. It enables HTTPS, S/MIME, code signing, and secure VPNs.

Why It Matters for CISSP

PKI underpins virtually every CISSP cryptography question. Certificate lifecycle, CRL vs OCSP, cross-certification, and the chain of trust are all heavily tested.

Key Components

Certificate Authority (CA): The trusted third party that issues and signs digital certificates.

Registration Authority (RA): Handles identity verification on behalf of a CA. The RA validates requests but does not sign certificates.

Digital Certificate (X.509): Contains subject identity, public key, validity dates, CA signature, and certificate policies.

Certificate Repository: Where certificates are published for retrieval.

Certificate Lifecycle

1. Key Generation: Subscriber generates a public/private key pair. 2. Enrollment/CSR: Certificate Signing Request sent to RA/CA. 3. Validation: RA verifies identity (DV, OV, or EV level). 4. Issuance: CA signs the certificate with its private key. 5. Distribution: Certificate published to repository. 6. Revocation: Certificate invalidated via CRL or OCSP if compromised. 7. Expiry: Certificate reaches end of validity period.

CRL vs. OCSP

Certificate Revocation List (CRL): A periodic list of revoked certificate serial numbers. Can be large and stale.

OCSP (Online Certificate Status Protocol): Real-time per-certificate status check.

OCSP Stapling: Server pre-fetches a signed OCSP response and staples it to the TLS handshake.

Chain of Trust

Root CA: Self-signed, offline, maximum protection. Pre-installed in OS/browsers as a trust anchor.

Intermediate CA: Signed by Root CA. Issues end-entity certificates.

End-Entity Certificate: Your website's cert, signed by an Intermediate CA.

PKI components at a glance

ComponentRoleKey Fact
Root CATrust anchorSelf-signed; kept offline; pre-installed in OS/browsers
Intermediate CAOperational issuerSigned by Root; limits blast radius if compromised
RAIdentity verifierValidates requests but does NOT sign certificates
CRLRevocation listPeriodic batch list; can be stale
OCSPRevocation checkerReal-time; OCSP Stapling eliminates privacy leak

Related Concepts

Tls HandshakeOsi ModelZero Trust