
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)

CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)

"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it

Published in: Education


  1. Introduction to public key infrastructure II.
  2. Instructor, PACE-IT Program – Edmonds Community College.
     Areas of expertise and industry certifications: PC hardware; network administration; IT project management; network design; user training; IT troubleshooting.
     Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University.
     Qualifications summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.
  3. PACE-IT.
     – Certificate authority responsibilities.
     – Additional public key infrastructure concepts.
  4. Introduction to public key infrastructure II.
  5. Introduction to public key infrastructure II.
     – Main responsibilities of a certificate authority (CA).
       » Issue the digital certificates that are used when implementing a public key infrastructure (PKI) solution.
         • Requires that the CA review the information supplied by the client making the request.
         • The requester begins that process by providing the CA with a certificate signing request (CSR).
       » Revoke digital certificates that the CA has issued in the case of fraud (on the requester's part) or when a security breach that involves the digital certificate has occurred.
       » Create, maintain, and publish a list of revoked digital certificates to help ensure that the PKI process remains trusted.
         • One method of achieving this is a certificate revocation list (CRL), which is periodically published to the CA's website.
         • Another method is the Online Certificate Status Protocol (OCSP), which uses HTTP to verify the status of a certificate directly with the CA that issued it.
  6. Introduction to public key infrastructure II.
  7. Introduction to public key infrastructure II.
     – Recovery agent.
       » A recovery agent is an individual with authorized access to the private key archive.
       » Recovery agents are used within PKI to protect against loss of a private key due to the key holder's absence.
         • Private keys should be securely archived, with access to the archive strictly limited.
         • Due to the sensitivity of private keys, in most cases the recovery process requires more than a single recovery agent.
     – Registration.
       » A process that is typically used within an organization that has implemented PKI.
         • The process is used to issue PKI certificates to employees or devices within the organization.
         • The registration authority (RA) has the responsibility for verifying an individual's or a device's need for a digital certificate, passing the request on to the CA if required.
  8. Introduction to public key infrastructure II.
     Trust models are used in PKI in order to build PKI relationships (trust) between different organizations. With PKI, trust can be created between two different CAs, so that each CA will implicitly trust the certificates issued by the other. This allows the organizations to quickly validate digital certificates that each receives from the other entity. Trust models (also known as trust paths) are used to reduce the workload on PKI. Without the trust models, each implementation of PKI in the relationship would be required to issue digital certificates for the opposite party. Trust paths are also used to validate digital certificates issued by a subordinate CA back to the root CA.
  9. Introduction to public key infrastructure II.
     Topic: Certificate authority responsibilities.
     Summary: The CA is responsible for issuing digital certificates that are used in implementing PKI. The process begins when the requester submits a CSR. The CA is also responsible for revoking digital certificates in the case of fraud or a security breach. The CA periodically publishes a CRL, which can be checked to see if a certificate has been revoked. Alternatively, OCSP can be used to check with the CA directly.
     Topic: Additional public key infrastructure concepts.
     Summary: Recovery agents are used in the private key recovery process. Due to the sensitive nature of the private key, in most cases, recovery requires action on the part of more than a single recovery agent. Trust models are used to build PKI trust relationships between different organizations. This eases the PKI workload on the individual entities. Trust paths are also used between a subordinate CA and the root CA.
  10. THANK YOU!
  11. This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.
      PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.
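The CA duties listed on slide 5 (review a CSR, issue, revoke, publish a CRL) and the subordinate-to-root trust path described on slide 8 can be exercised end to end with nothing but Go's standard library. The program below is an added example written for this page, not material from the PACE-IT slides: it builds a constructed root CA and a subordinate issuing CA, accepts a CSR only after checking the proof-of-possession signature and that the requested name lies inside the domain the CA vouches for, validates the resulting certificate along the chain leaf -> subordinate CA -> root, then revokes it and shows the CRL check rejecting it. All names (Example Root CA, Example Issuing CA, www.example.test), serials and keys are invented here; Demo, Validate, IssueFromCSR and PublishCRL are names chosen for the example; and it assumes Go 1.19 or later (x509.ParseRevocationList and RevocationList.CheckSignatureFrom, plus generics for the must helper).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

var ErrRevoked = errors.New("certificate is listed on the issuing CA's CRL") // returned by Validate

// must keeps the example short; a production CA reports the failure instead of panicking.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a one-day certificate; a CertSign key usage marks it as a CA (root or subordinate).
func template(cn string, serial int64, ku x509.KeyUsage, dns ...string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
}

// issue signs t with the issuer's key; passing t as its own issuer yields a self-signed root.
func issue(t, issuer *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, issuer, pub, key))))
}

type CA struct { // a minimal certificate authority: its certificate, signing key and revoked serials
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	serial  int64
	revoked []pkix.RevokedCertificate
}

// IssueFromCSR is the CA's review-and-issue step: check proof of possession and the requested name, then sign.
func (ca *CA) IssueFromCSR(csrDER []byte, domain string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the requester proves it holds the private key
		return nil, err
	}
	if len(csr.DNSNames) != 1 || !strings.HasSuffix(csr.DNSNames[0], "."+domain) {
		return nil, errors.New("CSR names a host this CA does not vouch for")
	}
	ca.serial++
	return issue(template(csr.Subject.CommonName, ca.serial, x509.KeyUsageDigitalSignature, csr.DNSNames...),
		ca.Cert, csr.PublicKey, ca.Key), nil
}

// PublishCRL signs the current revocation list, the artifact a CA periodically posts for download.
func (ca *CA) PublishCRL() *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: ca.revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca.Cert, ca.Key))))
}

// Validate is the relying party's check: trust path first, then CRL authenticity, then revocation status.
func Validate(leaf, issuer, root *x509.Certificate, crl *x509.RevocationList, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}); err != nil {
		return err // no trust path from the leaf through the subordinate CA to the root
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err // the CRL must be signed by the CA that issued the leaf before its contents count
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// Demo walks the life cycle with constructed names: CSR -> issuance -> validation, then revocation -> CRL -> rejection.
func Demo() (beforeRevoke, afterRevoke error) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootT := template("Example Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	sub := &CA{Cert: issue(template("Example Issuing CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root, &subKey.PublicKey, rootKey), Key: subKey, serial: 1000}
	reqKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated by and kept with the requester
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"}}, reqKey))
	leaf := must(sub.IssueFromCSR(csr, "example.test"))
	beforeRevoke = Validate(leaf, sub.Cert, root, sub.PublishCRL(), "www.example.test")
	sub.revoked = append(sub.revoked, pkix.RevokedCertificate{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()})
	afterRevoke = Validate(leaf, sub.Cert, root, sub.PublishCRL(), "www.example.test")
	return beforeRevoke, afterRevoke
}
```

Demo returns nil for the first validation and ErrRevoked for the second. Two details matter for a relying party: the CRL's signature is verified before any serial on it is believed, because an unsigned or unauthenticated list would let anyone hide or fabricate a revocation; and the private key for the leaf never reaches the CA, since the CSR carries only the public key and a signature proving possession. The OCSP alternative from slide 5 is not shown because it needs an online responder; the CRL lookup inside Validate is the step an OCSP query would replace.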

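Slide 7's point that private key recovery should, in most cases, need more than a single recovery agent can be enforced cryptographically rather than by policy alone. The Go program below is an added example, not part of the PACE-IT material: the archived private key is encrypted with AES-256-GCM under a freshly generated archive key, and that archive key is split with Shamir's secret sharing over GF(2^8) so that any k of n agents (2 of 3, say) can reconstruct it while fewer learn nothing about it. Share, Split, Combine, ArchiveKey and RecoverKey are names chosen here, the private key bytes used when trying it are constructed, and the code relies only on the standard library (it leaves crypto/rand.Read unchecked, which is safe from Go 1.24 on, where Read cannot return an error).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Share struct { // one recovery agent's piece of the archive key: an x coordinate plus one y byte per key byte
	X byte
	Y []byte
}

func gfMul(a, b byte) byte { // GF(2^8) multiplication modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
	var p byte
	for ; b != 0; b >>= 1 {
		p ^= a * (b & 1)       // add a when the current bit of b is set
		a = a<<1 ^ 0x1b*(a>>7) // a times x, reduced when the top bit falls off
	}
	return p
}

func gfInv(a byte) byte { // a^254 == a^-1 in GF(2^8); 0 maps to 0
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// Split is Shamir's scheme applied per byte: any k of the n shares reconstruct the secret, k-1 reveal nothing.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k) // f(x) = coef[0] + coef[1]*x + ... + coef[k-1]*x^(k-1); coef[0] is the secret byte
	for pos, s := range secret {
		coef[0] = s
		rand.Read(coef[1:]) // fresh random polynomial for every byte position
		for i := range shares {
			var y byte
			for j := k - 1; j >= 0; j-- { // Horner evaluation of f at x = shares[i].X
				y = gfMul(y, shares[i].X) ^ coef[j]
			}
			shares[i].Y[pos] = y
		}
	}
	return shares, nil
}

// Combine interpolates f(0). Fewer than k shares yield garbage, not an error; RecoverKey's GCM tag catches that.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("a single recovery agent cannot reconstruct the archive key")
	}
	secret := make([]byte, len(shares[0].Y))
	for pos := range secret {
		for j, sj := range shares {
			num, den := byte(1), byte(1) // Lagrange basis at 0: prod x_m / (x_j - x_m); subtraction is XOR here
			for m, sm := range shares {
				if m != j {
					num, den = gfMul(num, sm.X), gfMul(den, sj.X^sm.X)
				}
			}
			secret[pos] ^= gfMul(sj.Y[pos], gfMul(num, gfInv(den)))
		}
	}
	return secret, nil
}

// gcmFor builds AES-256-GCM; every key passed here is 32 bytes, so neither constructor can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ArchiveKey wraps a private key under a fresh archive key and splits that key k-of-n among the agents.
func ArchiveKey(privKey []byte, k, n int) ([]byte, []Share, error) {
	buf := make([]byte, 32+12) // archive key (AES-256) followed by the 12-byte GCM nonce
	rand.Read(buf)
	shares, err := Split(buf[:32], k, n)
	return gcmFor(buf[:32]).Seal(buf[32:], buf[32:], privKey, nil), shares, err // record = nonce || ciphertext || tag
}

// RecoverKey is the agents' joint action: their shares rebuild the archive key, which unwraps the private key.
func RecoverKey(record []byte, shares []Share) ([]byte, error) {
	kek, err := Combine(shares)
	if err != nil || len(record) < 12 {
		return nil, errors.New("recovery refused: too few agents or malformed archive record")
	}
	return gcmFor(kek).Open(nil, record[:12], record[12:], nil)
}
```

Recovery with a single share is refused outright; recovery with two shares of a 3-of-4 split gets past Combine but yields the wrong archive key, and the GCM authentication tag then rejects the decryption, so an under-threshold attempt fails closed instead of producing a corrupted key. The archive holds only the encrypted record, each agent holds one share, and neither is useful on its own.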