Master PKI with our interactive study cards designed for effective learning. These flashcards use proven spaced repetition techniques to help you memorize key concepts, definitions, and facts. Perfect for students, professionals, and lifelong learners seeking to improve knowledge retention and ace exams through active recall practice.
Click any card to reveal the answer
Public Key Infrastructure
A framework for managing digital certificates and public-private key pairs
Certificate Authority Registration Authority Certificate Repository Certificate Revocation List
A trusted entity that issues and manages digital certificates
An entity that verifies certificate requests before sending them to the CA
A directory where certificates and CRLs are stored and accessible
Encryption using two different but mathematically related keys
Public key and private key
Encryption and signature verification
Decryption and digital signing
An electronic document that binds a public key to an identity
X.509
Certificate Authorities (CAs)
Subject public key issuer validity period serial number and signature
To provide authentication integrity and non-repudiation
The signer uses their private key to create a signature
Using the signer's public key to verify the signature
The ability to prevent denial of having signed or sent a message
The process of validating a certificate through its issuing CA hierarchy
A self-signed certificate at the top of the certificate hierarchy
A certificate issued by a root CA to create subordinate CAs
The process of verifying a certificate's authenticity and validity
A list of revoked certificates published by the CA
Private key compromise certificate information changes or cessation of use
Online Certificate Status Protocol - real-time certificate validation service
Provides real-time status checking instead of periodic updates
The process of requesting and receiving a digital certificate
Simple Certificate Enrollment Protocol for automated certificate management
Managing certificates from creation through renewal to revocation
Storing copies of private keys with a trusted third party
The process of retrieving escrowed keys when needed
A tamper-resistant device for secure key generation and storage
To provide high-security key management and cryptographic operations
Associating a specific certificate with a particular service or domain
A certificate signed by its own private key rather than a CA
Testing environments or internal applications
A framework for publicly logging certificate issuance
A request sent to a CA to obtain a digital certificate
Subject name public key and optional attributes
The fully qualified domain name or entity name
Additional identities that can be secured by the same certificate
A certificate that secures a domain and all its subdomains
A certificate requiring extensive verification of the entity's identity
A certificate requiring only domain ownership verification
A certificate requiring verification of organization details
Level of validation and trust - DV basic OV moderate EV highest
Using digital certificates to verify identity instead of passwords
Both parties in a communication authenticate each other using certificates
Protocols that use PKI to secure communications over networks
Provides certificates for server authentication and optionally client authentication
Ensuring session keys remain secure even if long-term keys are compromised
Long-term storage of encryption keys for data recovery purposes
Secure deletion of cryptographic keys when no longer needed
A repository of trusted root certificates
Process allowing CAs from different PKI hierarchies to trust each other
Using a bridge CA to connect multiple PKI hierarchies
The process of verifying a certificate chain up to a trusted root
A document describing how a CA operates and issues certificates
Detailed document describing CA's practices and procedures
Policy states what CA does CPS describes how it's done
Certificate field specifying allowed uses for the public key
Digital signature key encipherment certificate signing
Extension specifying specific applications for the certificate
Limitation on how many intermediate CAs can exist in the chain
Limitation on names that can appear in subordinate certificates
Extension linking a certificate to its issuer's key
Unique identifier for the public key in the certificate
Indicates if certificate can be used for CA purposes
Extension specifying where to find the CRL for the certificate
Extension providing information about the issuer and validation services
Incremental CRL containing only changes since the last full CRL
Temporarily disabling a certificate without permanent revocation
Online CA connects to networks offline CA is isolated for security
A CA whose certificate is issued by another CA (not self-signed)
Obtaining a new certificate before the current one expires
Obtaining a new certificate with different information
Process of replacing cryptographic keys while maintaining service continuity
Ability to change cryptographic algorithms without major infrastructure changes
Cryptographic algorithms resistant to quantum computer attacks
Current PKI algorithms may be vulnerable to quantum computers
Standardized way to manage certificate lifecycle operations
Standard format for Certificate Signing Requests
Standard format for storing private keys and certificates together
Standard format for cryptographic message syntax including certificates
Secure method for requesting and receiving certificates
Systems that handle certificate lifecycle without manual intervention
Virtual private network using certificates for authentication
Using certificates to digitally sign software and verify its integrity
Using certificates to digitally sign documents for authenticity
Using certificates to digitally sign email messages (S/MIME)
Adding trusted time information to digital signatures
Trusted entity that provides digital timestamps
Using certificates to control access to resources
Using certificates stored on smart cards for authentication
Managing certificates on smartphones and tablets
Public append-only logs of all issued certificates
DNS record specifying which CAs can issue certificates for a domain
Web security mechanism to prevent man-in-the-middle attacks using certificates
Using certificates to authenticate devices connecting to networks
Providing device identity and secure communication for Internet of Things
Using temporary keys for each session while using certificates for authentication
Automatically managing certificate enrollment renewal and revocation
Ability of different PKI systems to work together
Converting certificates between different formats (PEM DER P12)
Ability to handle increasing numbers of certificates and users
Complexity cost key management and user training
Policies and procedures for managing PKI infrastructure and operations
Tracking and managing all certificates in an organization
Plans and procedures for recovering PKI services after failures
Securely backing up and restoring certificates and private keysWhat is Post-Quantum Cryptography?
Current PKI algorithms (RSA ECDSA) will be vulnerable to quantum computers running Shor's algorithm
Quantum algorithm that can efficiently factor large integers and solve discrete logarithm problems
RSA ECDSA and traditional Diffie-Hellman key exchange
Lattice-based Hash-based Code-based Multivariate and Isogeny-based cryptography
CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium FALCON SPHINCS+ for digital signatures
Key encapsulation mechanism (KEM) for establishing shared keys
Digital signature algorithms for authentication and non-repudiation
Proven security based on well-understood hash function properties
Larger key sizes certificate sizes increased computational requirements and performance impacts
Significantly larger - CRYSTALS-Dilithium public keys are ~1300 bytes vs 256 bytes for ECDSA
Using both classical and post-quantum algorithms in the same certificate during transition
Ability to quickly switch between cryptographic algorithms without major infrastructure changes
Begin planning now with full migration expected by 2030-2035
Cataloging all cryptographic implementations to understand migration scope
Signatures that combine classical and post-quantum algorithms for dual security
Increased certificate sizes may require protocol and infrastructure updates
Longer processing times due to larger signatures and more complex algorithms
Point where quantum computers can solve problems classical computers cannot affecting cryptographic security
Conduct cryptographic inventory assess risks develop migration plans and test hybrid approaches
Recommendation for Key Management providing comprehensive guidance on cryptographic key management
Part 1 General Part 2 Best Practices Part 3 Application-Specific Key Management
Federal Information Processing Standard for Security Requirements for Cryptographic Modules
Level 1 Basic Level 2 Software Level 3 Hardware Level 4 Highest Security
Minimum 2048 bits with 3072 bits recommended for new systems
Minimum 224 bits with 256 bits (P-256) commonly recommended
Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV)
SHA-2 family (SHA-224 SHA-256 SHA-384 SHA-512) and SHA-3
SHA-1 and MD5 are deprecated for digital signatures
Deprecated for digital signatures after 2013
AES (128 192 256 bit keys) and approved modes of operation
CBC CTR GCM CCM CFB and OFB modes
Digital Identity Guidelines covering authentication and lifecycle management
SP 800-63A Enrollment SP 800-63B Authentication SP 800-63C Federation
Identity Assurance Level 1 through 4 (IAL1-IAL4)
Authenticator Assurance Level 1 through 3 (AAL1-AAL3)
Federation Assurance Level 1 through 3 (FAL1-FAL3)
Digital Signature Standard specifying algorithms for digital signatures
DSA RSA and ECDSA
Recommendation for Obtaining Assurances for Digital Signature Applications
Diffie-Hellman key agreement and RSA key transport methods
Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography
SP 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Minimum entropy equal to the security strength of the cryptographic algorithm
SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions
RFC 5280 compliant path validation with revocation checking
Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP)
Build and validate certificate chains up to trusted root certificates
Keys used for encryption should be archived securely for data recovery
Secure deletion of cryptographic keys when no longer needed
Use FIPS 140-2 validated modules appropriate for the security requirements
RFC 5280 Internet X.509 Public Key Infrastructure Certificate and CRL Profile
Key Usage Extended Key Usage and Certificate Policies extensions as appropriate
Evaluation criteria for security properties of PKI components and systems
Roadmap for transitioning to quantum-resistant cryptographic algorithms
Standardization process for quantum-resistant public key algorithms
Using both classical and post-quantum algorithms during transition period
Larger key sizes to maintain security during algorithm transitions
Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Acceptable use Legacy use and Disallowed use periods
Federal Public Key Infrastructure Policy Authority requirements and guidelines
Root CA for the Federal PKI infrastructure as specified by NIST guidelines
Requirements for interoperating with the Federal PKI infrastructure
Requirements for Personal Identity Verification cards and certificates
FIPS 201 Personal Identity Verification for Federal Employees and Contractors
Technical requirements for PIV card authentication certificates
Security considerations for certificates on mobile platforms
Security recommendations for PKI in cloud computing environments
Recommendations for implementing certificate transparency in federal systems
Guidelines for responding to PKI security incidents and compromises
answer
Amazon Web Services Key Management Service - a managed service for creating and controlling encryption keys
AWS managed keys and customer managed keys
The primary resource in AWS KMS used to encrypt and decrypt data (now called KMS keys)
4 KB of data per API call
Many AWS services use KMS automatically for encryption including S3 EBS RDS and Lambda
Technique where KMS encrypts a data encryption key (DEK) which is then used to encrypt large amounts of data
JSON-based policies that control access to KMS keys and define who can use and manage them
Feature that automatically rotates customer managed keys annually while keeping old key versions for decryption
FIPS 140-2 Level 2 Common Criteria and various industry standards like PCI DSS and HIPAA
Dedicated hardware security module service providing FIPS 140-2 Level 3 compliance vs KMS's Level 2
Assurance framework for evaluating and reporting on Certificate Authority controls and practices
American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA)
Audit standard specifically designed for evaluating Certificate Authority operations
Security Availability Processing Integrity Confidentiality and Privacy
System is protected against unauthorized access both physical and logical
System is available for operation and use as committed or agreed
System processing is complete accurate timely and authorized
Information designated as confidential is protected as committed or agreed
Personal information is collected used retained disclosed and destroyed in conformity with commitments
Visual indicator that an organization has successfully completed a WebTrust examination
One year from the audit report date
Reasonable assurance on the effectiveness of controls
Examination that tests the operating effectiveness of controls over a period of time
Minimum of 3 months up to 12 months
Licensed CPAs or chartered accountants trained in WebTrust methodology
Audit standard for CAs issuing SSL certificates following Baseline Requirements
Audit standard for CAs issuing Extended Validation SSL certificates
Audit standard for CAs issuing code signing certificates
Physical and logical security controls protecting CA systems and operations
Certificate lifecycle management subscriber authentication and key management practices
Certification Practice Statement (CPS) and Certificate Policy (CP)
Documented key ceremony procedures with proper controls and witness requirements
Access controls environmental protections and monitoring systems
User authentication authorization and privileged access management
Firewalls intrusion detection systems and network segmentation
Regular vulnerability assessments patch management and remediation procedures
Comprehensive audit logging security monitoring and incident response capabilities
Data backup procedures business continuity planning and disaster recovery testing
Background checks training programs and separation of duties
Documented change control processes for systems configurations and procedures
Validation procedures accuracy of certificate content and proper authorization
Timely revocation processing CRL and OCSP response generation and distribution
Identity verification procedures domain validation methods and documentation requirements
Key generation storage protection usage and destruction procedures
Certificate request processing validation issuance renewal and revocation procedures
Annual examination reports interim communications and management letters
Management's written statement about the effectiveness of their controls
Inquiry observation inspection and reperformance of key controls
Statistical and judgmental sampling based on risk assessment and control frequency
Policies procedures system configurations logs and operational records
Formal report expressing the auditor's opinion on control effectiveness
Situations where controls are not properly designed or not operating effectively
Control deficiency that adversely affects the entity's ability to meet objectives
Significant deficiency that creates reasonable possibility of material misstatement
Documented as findings with impact assessment and required management responses
Timely correction of deficiencies and implementation of compensating controls
Ongoing assessment of control effectiveness throughout the examination period
Independent verification of service organization controls affecting the CA
WebTrust provides framework while SOC reports detail specific control testing
Major browsers require annual WebTrust audits for inclusion in trust stores
Group responsible for developing and maintaining WebTrust standards for CAs
Updated periodically to reflect industry changes and emerging threats
Accepted globally as equivalent to ETSI standards for CA auditing
Industry consortium that develops standards for Certificate Authorities and browsers
Standards defining minimum requirements for publicly trusted SSL certificates
Version 2.0 (as of recent updates)
Domain Validated (DV) and Organization Validated (OV) certificates
Extended Validation Guidelines for high-assurance certificates
398 days (13 months)
398 days (13 months)
39 months then 27 months then 825 days
September 1 2020
Process to verify that the certificate applicant controls the domain
10 approved methods
Sending validation email to specific addresses like admin@domain
admin administrator postmaster hostmaster webmaster
Placing a specific TXT record in the domain's DNS
Placing a validation file at a specific URL on the domain
Automated domain validation using HTTP file placement
Automated domain validation using DNS TXT records
Domain validation using TLS Application-Layer Protocol Negotiation
398 days from the date of validation
Organization name address phone number and domain control
Extensive business verification including legal existence and operational existence
2.23.140.1.1 for EV SSL certificates
OID identifying the certificate policy under which the certificate was issued
OCSP responder location and CA issuer certificate location
Minimum 2048 bits for subscriber certificates
Minimum 256 bits (P-256 curve)
2048 bits for RSA 256 bits for ECDSA
MD5 and SHA-1
SHA-2 family (SHA-256 or higher)
All certificates must be logged in CT logs
At least 2 CT logs from different operators
20 octets (160 bits)
Yes unique within each CA
Must be marked critical and specify appropriate key usage
Digital Signature and Key Encipherment (or Key Agreement for ECDH)
Server Authentication (1.3.6.1.5.5.7.3.1)
Must include at least one policy OID
Must include all domain names secured by the certificate
Yes wildcard certificates should include both *.example.com and example.com
Certificates cannot be issued for internal names after November 1 2015
Certificates cannot contain private or reserved IP addresses
Must validate control over the IP address through approved methods
Minimum 5.5 years after certificate expiration
WebTrust for CAs or ETSI EN 319 411
Annually
Documented secure process for root key generation with witness requirements
CAs must have agreements with certificate subscribers
CAs must revoke certificates within 24 hours of becoming aware of key compromise
Must provide OCSP responses within 10 seconds 24/7
Maximum 7 days for valid responses
CAs must report incidents to browsers and maintain incident logs
CAs must check for weak keys and refuse to issue certificates for them
Must use cryptographically secure random number generators meeting FIPS 140-2 Level 3
Air-gapped or logically isolated certificate generation systems
Remember: Use all available resources to study. Flearn alone cannot guarantee success in any exams—make sure to supplement your learning!