Certificate Authorities (CAs) and Digital Certificate Management

Certificate authorities were briefly discussed earlier in the chapter. This section provides more details about CAs and helps you decide whether to manage certificates in-house or outsource the task to a third party.

Every digital certificate implementation is done through a root CA. Each root CA has a digital certificate that is issued by the root CA to itself, so the root CA is both the issuer and the receiver. Such a certificate is called a self-signed digital certificate, and it is the root certificate for all certificate implementations. The PKI software or hardware looks for the self-signed certificate and extracts the public key. It is assumed that the certificate and the public key can be trusted. A root CA distributes its public key in a self-signed certificate to Internet browsers or public Internet sites. In theory, all Internet browsers are shipped with a self-signed certificate. A self-signed certificate provides data integrity.

A root CA signs every certificate. In the case of Alice and Bob, Alice can verify Bob’s certificate only with the root CA’s public key. Once Alice has verified Bob’s certificate, she can trust it. Public keys can be trusted only if they were obtained from a certificate that was granted and issued by a trusted root CA.

Subordinate CAs can be established for more specific needs. For example, a subordinate CA may be implemented specifically for visitors, which would require a separate authentication and registration process. Using this process builds a trusted CA network. If a root CA’s private key were compromised, all certificates issued by the root CA and subsequent CAs would need to be revoked and reissued.
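The trust chain described above can be reproduced with the openssl command line. This is an added example, not part of the original text; the CA names, the file names and the "visitor" subordinate CA are constructed for illustration. It builds a self-signed root, a subordinate CA signed by the root, and Bob's certificate signed by the subordinate, then shows that Bob's certificate validates only from the root that anchors its chain.

```shell
# Constructed demo PKI: root CA -> subordinate (visitor) CA -> Bob.
PKI_DIR=$(mktemp -d)
cat > "$PKI_DIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder    # the real subject is passed with -subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF

# new_csr NAME CN: generate a key pair and a certificate request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI_DIR/ext.cnf" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# self_sign NAME: a root CA signs its own request (issuer = subject).
self_sign() {
  openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" -days 30 \
    -extfile "$PKI_DIR/ext.cnf" -extensions ca -out "$PKI_DIR/$1.crt" 2>/dev/null
}
# sign_csr NAME ISSUER SECTION: ISSUER's private key signs NAME's request.
sign_csr() {
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$2.crt" \
    -CAkey "$PKI_DIR/$2.key" -CAcreateserial -days 30 \
    -extfile "$PKI_DIR/ext.cnf" -extensions "$3" -out "$PKI_DIR/$1.crt" 2>/dev/null
}
# is_self_issued CERT: true when the issuer and subject names are identical.
is_self_issued() {
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  [ "$i" = "$s" ]
}
# verify_bob ROOT: Alice validates Bob's certificate starting from ROOT.
verify_bob() {
  openssl verify -CAfile "$1" -untrusted "$PKI_DIR/visitor.crt" \
    "$PKI_DIR/bob.crt" >/dev/null 2>&1
}

new_csr root "Example Root CA";       self_sign root
new_csr other "Unrelated Root CA";    self_sign other
new_csr visitor "Example Visitor CA"; sign_csr visitor root ca
new_csr bob "bob.example";            sign_csr bob visitor leaf
is_self_issued "$PKI_DIR/root.crt" && echo "root certificate is self-signed"
verify_bob "$PKI_DIR/root.crt"  && echo "Bob verifies from the trusted root"
verify_bob "$PKI_DIR/other.crt" || echo "Bob does not verify from another root"
```

The private keys are written unencrypted to a temporary directory, which is acceptable only for a throwaway demonstration.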

A CA in a PKI system has many functions. These individual functions are:

  • Policy authority—Responsible for establishing, distributing, maintaining, promoting, and enforcing all of the policies of the individual functions. The policy authority is responsible for the policies associated with the content and usage of the certificates, the registration process for certificates, certification revocation, and managing the root and subsequent CAs.
  • Certificate manufacturer—Generates and manages the digital certificate asymmetric key pairs. The certificate manufacturer may distribute the root public key and sign the certificates. Notification of certificate generation is provided by the certificate manufacturer.
  • Certificate issuer—Distributes the certificates that are generated by the certificate manufacturer. The certificate issuer provides a way for subscribers to grant and revoke certificates and manage the certificate revocation list.
  • Revocation manufacturer—Generates and maintains the revocation of the asymmetric key pairs. Notification of the certificate revocation is provided by the revocation manufacturer.
  • Registration authority—Provides a mechanism for requesting a digital certificate.
  • Authentication service—Validates the subscriber’s credentials for the registration authority prior to the request for the digital certificate.
  • Repository—Stores and distributes all public key certificates.

All of these functions work as individual and necessary components of a PKI system.

Why Outsourcing a CA May Be Advantageous

Outsourcing a CA may be advantageous to an organization for various reasons. The organization might choose a provider that creates a dedicated CA for the organization’s use or might choose to use a shared service from a major CA. Some considerations include:

  • Communication with suppliers, customers, and business partners should be seamless. Companies may not want to worry about the security implications of having multiple entities accessing the CA. Which controls are needed, which configurations need to occur, and how do the systems stay updated without affecting the suppliers, customers, business partners, and their own internal users?
  • Organizations may be geographically dispersed, and it would be more advantageous to have multiple CAs available at these various locations. Organizations may not have the capabilities or resources to staff the various sites; therefore, outsourcing this capability would be highly advantageous.
  • Organizations do not want to take on the costs associated with managing a CA on-site. This includes the personnel needed to manage the infrastructure as well as the hardware, software, and data center costs.

Risks and Issues with Outsourcing a CA

Much like the risks associated with outsourcing key management, outsourcing a certificate authority is something that should be carefully considered. There are many concerns associated with implementing a security element at a site that you do not own and having it managed by people who do not report to you.

Risks associated with outsourcing CA capabilities are:

  • The security placed around individual CAs. Is access granted to any employee or are there strict constraints around it? How does an organization know that it can trust a person it does not employ? Are appropriate controls in place at the provider’s site, and how does an organization ensure the provider always complies with these controls?
  • An organization may want to control its own CA because of the higher security requirements. This is not possible when outsourcing a CA. Many organizations with high security requirements are more apt to manage the CA locally where they have more control versus risking a security breach if the CA is managed through a vendor off-site. An organization may need specific certificates with unique fields; therefore, keeping the CA in-house may be more beneficial. Allowing another company to manage these highly specific certificates may not be advantageous.

There are multiple risks and issues associated with outsourcing a CA for a PKI system, and all aspects should be considered to ensure an organization is making the right decisions around this infrastructure.
