PKI is the trust framework that binds public keys to identities using digital certificates and Certificate Authorities. It enables HTTPS, S/MIME, code signing, and secure VPNs.
PKI underpins virtually every CISSP cryptography question. Certificate lifecycle, CRL vs OCSP, cross-certification, and the chain of trust are all heavily tested.
Certificate Authority (CA): The trusted third party that issues and signs digital certificates.
Registration Authority (RA): Handles identity verification on behalf of a CA. The RA validates requests but does not sign certificates.
Digital Certificate (X.509): Contains subject identity, public key, validity dates, CA signature, and certificate policies.
Certificate Repository: Where certificates are published for retrieval.
1. Key Generation: Subscriber generates a public/private key pair. 2. Enrollment/CSR: Certificate Signing Request sent to RA/CA. 3. Validation: RA verifies identity (DV, OV, or EV level). 4. Issuance: CA signs the certificate with its private key. 5. Distribution: Certificate published to repository. 6. Revocation: Certificate invalidated via CRL or OCSP if compromised. 7. Expiry: Certificate reaches end of validity period.
Certificate Revocation List (CRL): A periodic list of revoked certificate serial numbers. Can be large and stale.
OCSP (Online Certificate Status Protocol): Real-time per-certificate status check.
OCSP Stapling: Server pre-fetches a signed OCSP response and staples it to the TLS handshake.
Root CA: Self-signed, offline, maximum protection. Pre-installed in OS/browsers as a trust anchor.
Intermediate CA: Signed by Root CA. Issues end-entity certificates.
End-Entity Certificate: Your website's cert, signed by an Intermediate CA.
PKI components at a glance
| Component | Role | Key Fact |
|---|---|---|
| Root CA | Trust anchor | Self-signed; kept offline; pre-installed in OS/browsers |
| Intermediate CA | Operational issuer | Signed by Root; limits blast radius if compromised |
| RA | Identity verifier | Validates requests but does NOT sign certificates |
| CRL | Revocation list | Periodic batch list; can be stale |
| OCSP | Revocation checker | Real-time; OCSP Stapling eliminates privacy leak |