Meeting Notes – Certificate Authority – Experiences, Tips, and Recommendations

Lee Berdick addresses the November RISE meeting

After a rough two-month hiatus due to weather, RISE swung back into action with a packed November meeting. Thanks to everyone in attendance and to ECPI University Roanoke for hosting the event!

Lee Berdick presented on the topic of PKI certificate authorities. Certificates and the underlying trust mechanisms are used daily in our industry whether users (and administrators) are aware of it or not. Given the continued growth of SSL/TLS (HTTPS everywhere) and use of certificate-based authentication, having even a basic understanding of the trust architecture will be beneficial, if not vital, to the infosec professional.

Lee Berdick presenting on certificate chain of trust to RISE

Lee discusses the certificate chain of trust

Following a review of some basic terminology, Lee discussed how the Root Authority forms the foundation of the trust model. Trust in the root certificate, together with the cryptographic signatures that bind the root to the certificates beneath it, allow a chain of trust to be built for certificate verification. He demonstrated how this trust begins with the browser's built-in trusted root certificate store and how that store enables browsers to trust HTTPS web sites whose certificates were issued by common commercial certificate authorities. Through demonstration, Lee reviewed several certificates to show pertinent properties such as common name, validity dates, Subject Alternative Name, issuer, and the link back to the root certificate.

RISE attendees viewing presentation on certificate authorities

As with any other system, the PKI and the systems that depend on it require regular care and feeding. This was evident in some “IT horror stories” Lee shared, especially cases where root certificates were allowed to expire with no replacement in place. Once the underlying trust in the system has been broken, the level of effort needed to restore operation can be significant. Often this is compounded by the fact that systems requiring PKI are typically critical in some regard. Lee emphasized the need to follow strict maintenance and security practices for refreshing certificates and for safeguarding the root, given its critical role in the system.
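The chain-of-trust walkthrough and the expired-root scenario above, reconstructed with the openssl command line as an added example (this is not material from Lee's talk); the CA name, hostnames and validity periods are made up for the demo, and the root is deliberately short-lived so the failure can be reproduced:

```shell
#!/bin/sh
# Constructed two-level chain (self-signed root -> server leaf) built with
# the openssl CLI only; CA name, hostnames and lifetimes are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the root is a real CA on any OpenSSL build, without
# relying on the distro's openssl.cnf defaults.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Root: the self-signed trust anchor. Deliberately short-lived (10 days) so
# the "root allowed to expire" scenario can be reproduced below.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -days 10 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Leaf: 90-day server cert issued by the root, carrying the SAN browsers match.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=www.example.test" -newkey rsa:2048 \
  -nodes -sha256 -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test,DNS:example.test\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# The properties the talk walked through: subject (CN), issuer, validity, SAN.
show_props() {
  openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer -dates
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

# Verify the chain with the root as the only trust anchor, as of a given
# epoch time (-attime). Prints "ok" or "FAIL".
verify_chain_at() {
  if openssl verify -attime "$1" -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

NOW=$(date +%s)
show_props
echo "today:      $(verify_chain_at "$NOW")"                  # ok
echo "in 30 days: $(verify_chain_at $((NOW + 30 * 86400)))"   # FAIL: root expired, leaf still valid
```

The second check fails even though the leaf is still well inside its own 90-day window: once the anchor has expired, nothing beneath it verifies, which is exactly the outage the horror stories describe.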

RISE would like to thank Lee Berdick for presenting this month. We are always looking for new speaking ideas and volunteers to present at upcoming meetings. If you have a topic and would like to present at a future meeting please drop us a line at roanokeinfosec@gmail.com!
