Over the course of Public Key Infrastructure (PKI) design, implementation, and management, you will
encounter many terms and acronyms that are defined in this document.
The biggest part of the PKI implementation process is meeting with the stakeholders to ask and answer
questions about where things are, how they work, what they struggle with today, and how they see a
new PKI accomplishing business goals and requirements. It’s in these meetings, like most IT discussions,
where terminology can be thrown about pretty freely with the assumption that everyone knows what the
terms and acronyms mean.
Providing a glossary of PKI terminology will help to keep the vagueness and misunderstandings from getting in the way of good discovery and planning.
These terms are be covered in depth in all of the the PKI Solutions training courses. PKI Solutions will soon be offering its in-demand PKI training courses online. These self-paced courses are a deep dive into PKI. The online courses will cover all of the same topics and lessons as the highly popular, in-person courses that the company has provided for many years. The course will feature video, audio, and slide-based content, taught by Mark B. Cooper, president and founder of PKI Solutions and known as The PKI Guy. He has been working with PKIs for two decades and has led hundreds of PKI trainings around the world. For more information and to sign up now for online courses, please visit https://pkisolutions.com/online-courses/.
Here are the top 10 PKI terms defined. Click here to download the complete PKI Glossary of Terms.
PKI – Public Key Infrastructure
PKI is a set of roles, policies, people, software, hardware, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. A PKI establishes a trust hierarchy in the provisioning of digital certificates throughout an organization providing secure authentication and encryption. A PKI consists of Certification Authorities that ensure that entities are who they say they are, use encryption algorithms for the security of data transmissions, and provide nonrepudiation to resolve by digital signature any question of who did what and when.
Root Certification Authority
The Root CA is the topmost CA in a PKI hierarchy and acts as the trust point for certificates issued by CAs in the environment. In a two or three-tier environment, the Root CA only issues certificates to subordinate CAs, such Policy CAs and Issuing CAs. The Root CA should be built, maintained and serviced offline, never connecting to a network. HSMs are often used within a private network to provide hardware-based key storage for the best protection of the Root CA’s private keys.
CRL – Certificate Revocation List
A CRL is a signed, time-stamped list of certificate serial numbers and reason codes of revoked certificates by the Certification Authority. CRLs are normally published to a publicly-available website for revocation checking. Once revoked a certificate is invalid prior to its expiration.
Public Key Encryption
Public-key encryption uses two separate keys that are mathematically related to encrypt and decrypt content. The public key can be distributed widely while the private key remains with the user or device that created the key pair.
A digital Certificate represents the identity of a user, computer or program. It contains information about the issuer and the subject and also certificate-specific data such as the CA signature and its validity period. It is signed by a certification authority (CA) which vouches for the identity of the user, computer, or program based on the information in the certificate. A minimum of verified information includes Subject Name identity, the issuing authority and validity period.
EKU-Enhanced Key Usage
Enhanced Key Usage is both a certificate extension and a certificate extended property value. After a computer’s identity, for example, is verifiable by an issued certificate an EKU specifies the uses for which a certificate is valid.
HSM – Hardware Security Modules
A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptographic operations processing. They are typically certified for physical security at various FIPS 140-2 security levels. HSMs are recommended in most PKI implementations since the CA private keys are not software-based and thus insecure, but instead are hardware-based and only available from within the HSM itself.
An algorithm used to produce a fixed-length hash value of some piece of data, such as a message or session key. Typical hashing algorithms include CMAC, MD2, MD4, MD5, SHA-1, and SHA-2.
In an asymmetric cryptosystem, a key pair consists of a private key and its mathematically related public key having the property that the public key can verify a digital signature that the private key creates.
Revocation of a certificate invalidates a previously signed certificate and is listed in the next published CRL by serial # and date of revocation. Revocation processing and management is key to any PKI and further secures the distribution of certificates in the environment by publishing revocation information and making it widely available.
Once again, click here to download the complete PKI Glossary of Terms from PKI Solutions.