Public Key Infrastructures («PKI»)

A public key infrastructure (PKI) is an effective tool for protecting systems and services on the internet. Although PKI has been in development for over 20 years, it is only in the last few years that it has become a topic of discussion among security managers. A major market driver are the new possibilities of digital signatures, which require a PKI.

Public-key cryptography is a mature technology that forms the basis for secure protocols. A standard mechanism for the distribution of public keys was not available for a long time. Today, however, progress has been made on both sides. You no longer need to be an expert in public-key cryptography to recognise its advantages. Because today, a wide variety of products are available on the market. This course will help you to choose the right ones for you from the many possibilities and to use them successfully.

Day 1: Theory day

1 Introduction

• Problem definition
• History
• Legal aspects

2 Cryptographic basics

• Symmetric and asymmetric procedures
• Digital signatures
• Key Management

3 Authentication

• Password-based
• One-time passwords
• Kerberos
• Public Key Certificates

4 PKI-based

• Certificates
• Certificate Revocation List
• Policies
• Certification paths

5 PKI components

• Certification Authority (CA)
• Registration Authority (RA)
• Repository
• Archive
• Certificate holder
• Relying Party

6 PKI architectures

• Single CA
• Hierarchical infrastructure
• Network structure
• Cross-certification
• Bridges CA

7 Verification

• Construction and verification of certification paths

8 Certificate Revocation List (CRL)

• Content
• Creation and distribution of CRLs

9 Directories

• X.500, LDAP

10 X.509 certificates

• ASN.1 types
• Basic content
• Extensions
• Use

11 Trust, procedures, policies

• Certificate Policies (CP)
• Certificate Practice Statement

12 Applications

• Web: SSL/TLS
• Email: S/MIME
• IPsec

Day 2: Practical day

Setting up a two-tier certification authority environment with a stand-alone offline root certification authority

• Setting up an underlying Enterprise (AD-based) Online Sub Certification Authority
• What is configured differently if only a single-tier CA environment (Enterprise Root CA) is used?
• Use of the CaPolicy.inf file
• Complete and correct revocation list configuration (CRL), including configuration of an online responder
• Configuration of certificate templates
• Configuration of automatic certificate request and distribution as well as renewal via GPOs
• Proper configuration and setup of SSL certificates
• Certificate revocation
• Special configurations: archiving private keys, setting up certificate agents, etc.
• Monitoring Certification Authorities
• Backup and restore Certification Authorities
• Using command line tools (e.g. certutil.exe) and PowerShell when configuring and managing Certification Authorities

This seminar is designed for two course days. On the first day, you will learn the theoretical basics of PKI. The second day is a purely practical day, where the basics learned on the first day are put into practice.

This course is aimed at developers and technical architects who want to build a PKI or produce protected applications.

Basic knowledge of encryption is an advantage.