Common Certificate Implementation Issues

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Common certificate implementation issues.
00:00
The learning objective for this lesson
00:00
is to differentiate
00:00
the most common certificate implementation issues.
00:00
Let's get started.
00:00
When you're ready to implement
00:00
certificates in your own organization,
00:00
because there are so many variables to it,
00:00
oftentimes we have errors.
00:00
This lesson and is a short
00:00
lesson but we're going to go over
00:00
the most common areas where you might have problems
00:00
when you're implementing certificates
00:00
in your own organization.
00:00
The first is the validity date.
00:00
Every certificate is issued to be
00:00
valid until a certain time.
00:00
If you don't renew that certificate until that time,
00:00
then it will be an invalid certificate.
00:00
You might have seen this when you were
00:00
serving to websites,
00:00
and then the site did not renew their certificate,
00:00
and your browser will let you know that
00:00
this certificate has now expired.
00:00
Wrong certificate type.
00:00
We can generate certificates for specific purposes,
00:00
and when we generate it for one purpose
00:00
but we use that certificate for something else,
00:00
it's going to give us problems.
00:00
Revoked certificates.
00:00
If your certificate appears on
00:00
a certificate revocation list it's not going to work.
00:00
Now, it doesn't
00:00
always mean that something bad happened,
00:00
it could have been that certificate
00:00
was revoked by accident.
00:00
Someone was cleaning house and revoke
00:00
the wrong certificate, this does happen.
00:00
If you're having problems with yours and you're getting
00:00
errors that indicate a revoked certificate,
00:00
check your CRL to find out and then take it from there.
00:00
We could also use incorrect names.
00:00
If we were to purchase a certificate
00:00
for a website, for example,
00:00
and we choose it for abc.com,
00:00
but we're actually using
00:00
abcc.com, it's not going to work.
00:00
Another example of this would be if
00:00
we didn't purchase a wildcard certificate,
00:00
we just purchased a certificate
00:00
for specifically abc.com,
00:00
but then we try to use that certificate for
00:00
mail.abc.com it's not going to work.
00:00
We could have chain issues.
00:00
The certificate chain has to be valid all the
00:00
way through from the root to the subordinate,
00:00
and then the leaf certificates.
00:00
If any part of that chain is not valid,
00:00
then the certificate is not going to work.
00:00
You could also have issues
00:00
with a self-signed certificate.
00:00
This is where it is not created
00:00
and endorsed by a trusted third party,
00:00
it is something you created and signed yourself.
00:00
The study guide will tell you this is
00:00
similar to a fake ID.
00:00
For most purposes I don't
00:00
agree with this because there are
00:00
many legitimate reasons we would
00:00
want to use self-signed certificates,
00:00
but for the purposes of
00:00
authenticating yourself to another party,
00:00
then yes, this would be similar to a fake ID.
00:00
Weak signing certificates.
00:00
These are weak or deprecated
00:00
hashing algorithms that were
00:00
used in the creation of the certificate.
00:00
Similarly we can also have
00:00
weak cipher suites where we're using
00:00
week or deprecated cipher suites
00:00
that have been used when that certificate was created.
00:00
We also have incorrect permissions.
00:00
If we put the files that are necessary for
00:00
the certificate on a web server, for example,
00:00
and then we don't place the proper permissions
00:00
on the files and
00:00
the web server is not able to
00:00
access those files, we're going to have errors.
00:00
Mismatch keys is when we use
00:00
the wrong key pair to decrypt data.
00:00
One key pair was used to encrypt it
00:00
but we're trying to use another to decrypt it.
00:00
Improper key handling is when we're not
00:00
securing the private or our symmetric keys.
00:00
This can lead to a breach or it could
00:00
be that just calling into question of
00:00
whether or not our data is now secure because we don't
00:00
know if those keys were handled
00:00
improperly outside of our control.
00:00
If we didn't secure them,
00:00
then we can't be sure that they haven't been used.
00:00
Embedded keys are those that are etched into
00:00
a specialized crypto storage chips
00:00
and these are read-only.
00:00
If you're using something that
00:00
needs access that's more than read only,
00:00
you need to keep this in mind.
00:00
Rekeying, the session keys are
00:00
renegotiated during a communication session.
00:00
This is done often so that we can make sure that
00:00
one key is not used to encrypt
00:00
all the data that's going through.
00:00
Now, often this is triggered
00:00
because the data volume reaches
00:00
a certain threshold rather
00:00
than an amount of time has passed.
00:00
Crypto shredding, this is when we
00:00
destroy the key that was used to encrypt data.
00:00
This will destroy access to the data
00:00
because if we don't have a key to decrypt it any longer,
00:00
then that data is destroyed,
00:00
no one can get to it.
00:00
But it's very important we make
00:00
sure that when we're destroying these keys,
00:00
that those keys themselves cannot be recovered,
00:00
and this is especially important
00:00
for cloud implementations.
00:00
Cryptographic obfuscation, this is when we
00:00
transform protected data into an unreadable form,
00:00
and this is usually used for storage.
00:00
A good example of this is the Linux ETC shadow file.
00:00
Key rotation is when we
00:00
revoke a key and issue a new one,
00:00
and we do this through a periodic basis.
00:00
We do that because we're trying to
00:00
prevent brute force attacks on the keys.
00:00
If the key is changing,
00:00
it makes it harder for that key to be attacked.
00:00
Compromise keys, this is when we had
00:00
unauthorized access to our symmetric key
00:00
or our private keys.
00:00
Because of this, you consider you've
00:00
been breached and it's time to revoke
00:00
and reissue keys. Let's summarize.
00:00
We discuss common digital certificate issues
00:00
along with common cryptographic key issues,
00:00
so let's do some example questions. True or false.
00:00
Crypto shredding turns protected data
00:00
into an unreadable format for storage.
00:00
False, cryptographic obfuscation does this.
00:00
Crypto shredding is the destruction of
00:00
the decryption key that was used to encrypt the data,
00:00
and by doing that we've made the data unusable.
00:00
Question 2, blank is purposely
00:00
changing keys to protect against brute force attacks.
00:00
Key rotation. Question 3.
00:00
This type of issue occurs
00:00
because an expired certificate has
00:00
been used. Validity dates.
00:00
Finally Question 4,
00:00
these keys are etched into
00:00
specialized cryptographic devices that are only
00:00
available as read-only. Embedded keys.
00:00
Hope this lesson gave you
00:00
some ideas on some areas you could look for if
00:00
you're having problems with
00:00
certificates in your organization,
00:00
and keep these in mind for the test
00:00
because they're generally going to ask you just
00:00
those little these types
00:00
of questions where just to make sure
00:00
you understand how you would go about troubleshooting
00:00
these problems. I'll see you in the next lesson.
Up Next