Introduction to PKI

This document is designed to give you a brief introduction into how a PKI, or Public Key Infrastructure, works.

Terminology Used

To avoid confusion, the following terms will be used throughout the Easy-RSA documentation. Short forms may be substituted for longer forms as convenient.

  • PKI: Public Key Infrastructure. This describes the collection of files and associations between the CA, keypairs, requests, and certificates.
  • CA: Certificate Authority. This is the "master cert" at the root of a PKI.
  • cert: Certificate. A certificate is a request that has been signed by a CA. The certificate contains the public key, some details describing the cert itself, and a digital signature from the CA.
  • request: Certificate Request (optionally 'req'.) This is a request for a certificate that is then send to a CA for signing. A request contains the desired cert information along with a digital signature from the private key.
  • keypair: A keypair is an asymmetric cryptographic pair of keys. These keys are split into two parts: the public and private keys. The public key is included in a request and certificate.

The CA

The heart of a PKI is the CA, or Certificate Authority, and this is also the most security-sensitive. The CA private key is used to sign all issued certificates, so its security is critical in keeping the entire PKI safe. For this reason, it is highly recommended that the CA PKI structure be kept on a system dedicated for such secure usage; it is not a great idea to keep the CA PKI mixed in with one used to generate end-entity certificates, such as clients or servers (VPN or web servers.)

To start a new PKI, the CA is first created on the secure environment. Depending on security needs, this could be managed under a locked down account, dedicated system, or even a completely offline system or using removable media to improve security (after all, you can't suffer an online break-in if your system or PKI is not online.) The exact steps to create a CA are described in a separate section. When creating a new CA, the CA keypair (private and public keys) are created, as well as the file structure necessary to support signing issued certificates.

Once a CA has been created, it can receive certificate requests from end-entities. These entity certificates are issued to consumers of X509 certificates, such as a client or server of a VPN, web, or email system. The certificate requests and certificates are not security-sensitive, and can be transferred in whatever means convenient, such as email, flash drive, etc. For better security, it is a good idea to verify the received request matches the sender's copy, such as by verifying the expected checksum against the sender's original.

Keypairs and requests

Individual end-entities do not need a full CA set up and will only need to create a keypair and associated certificate request. The private key is not used anywhere except on this entity, and should never leave that system. It is wise to secure this private key with a strong passphrase, because if lost or stolen the holder of the private key can make connections appearing as the certificate holder.

Once a keypair is generated, the certificate request is created and digitally signed using the private key. This request will be sent to a CA for signing, and a signed certificate will be returned.

How requests become certificates

After a CA signs the certificate request, a signed certificate is produced. In this step, the CA's private key is used to digitally sign the entity's public key so that any system trusting the CA certificate can implicitly trust the newly issued certificate. This signed certificate is then sent back to the requesting entity. The issued certificate is not security-sensitive and can be sent over plaintext transmission methods.

Verifying an issued certificate

After 2 entities have created keypairs, sent their requests to the CA, and received a copy of their signed certificates and the CA's own certificate, they can mutually authenticate with one-another. This process does not require the 2 entities to have previously exchanged any kind of security information directly.

During a TLS handshake each side of the connection presents their own cert chain to the remote end. Each side checks the validity of the cert received against their own copy of the CA cert. By trusting the CA root cert, the peer they are talking to can be authenticated.

The remote end proves it "really is" the entity identified by the cert by signing a bit of data using its own private key. Only the holder of the private key is able to do this, allowing the remote end to verify the authenticity of the system being connected to.