Public-Key Infrastructure (PKI)

Let's learn about the public-key infrastructure in detail.

We'll cover the following

Certificates

X.509 certificate

Certificate issuance
Certificate chain
Rules for a certificate chain to be valid
Mechanisms to revoke certificates

When using the public-key cryptography, one common problem is that how can a client ensure the server is who they claim to be?

In theory, a malicious party could generate a second keypair and present the public key to us, which we would use to encrypt to send the data. Even though the data is encrypted, they can stil be sent to the wrong party, who would be able to then decrypt them with their private key. To ensure the client is talking to the server it expects, we can make use of certificates.

Certificates

Certificates are digital documents that bind a public key to a specific entity. They are used by clients for authentication purposes.

These certificates can have different formats, but X.509 is a common standard defining one format for protocols, such as TLS.

X.509 certificate

An X.509 certificate contains a public key, and the identity of this public key belongs to it. This identity is represented by a so-called distinguished name, which uniquely identifies the entity and consists of various attributes, such as a common name, an organization name, a locality name, etc.

Note: The values for each of these fields can differ for each use case.

When we use of TLS certificates for websites, the common name is populated with the domain name of the website, so a certificate binds a public key to a specific domain name.

Certificate issuance

Certificates are issued by specific organizations, called certificate authorities, which sign these certificates in order to attest the ownership of this public key to the associated entity.

Note: Before signing the certificates, the certificate authority first verifies the identity of the party that makes the request.

Certificate authorities can issue a web certificate by asking the party to prove that they have control over the associated domain, e.g., by uploading specific content to a website served by this domain.

Certificate chain

The certificate authorities also generate certificates for their own public keys, but these certificates are signed by their own private key and are known as self-signed certificates. As a result, they act as trusted third parties, which are trusted both by the owner and the users of the certificate. Sometimes, this can get more complicated with certificate authorities issuing certificates for the public keys of other certificate authorities that they can then use to issue other certificates. In this case, these certificates can form a certificate chain, as shown in the following illustration:

Get hands-on with 1200+ tech skills courses.

Before Getting Started

Introduction to Distributed Systems

Basic Concepts and Theorems

Distributed Transactions

Achieving Isolation

Achieving Atomicity

Concluding Distributed Transactions

Consensus

Time

Order

Networking

Security

Security Protocols

From Theory to Practice

Case Study 1: Distributed File Systems

Case Study 2: Distributed Coordination Service

Case Study 3: Distributed Data Stores

Case Study 4: Distributed Messaging System

Case Study 5: Distributed Cluster Management

Case Study 6: Distributed Ledger

Case Study 7: Distributed Data Processing Systems

Practices & Patterns

Communication Patterns

Coordination Patterns

Data Synchronization

Shared-nothing Architectures

Distributed Locking

Compatibility Patterns

Dealing with Failure

Distributed Tracing

Concluding this Course

Public-Key Infrastructure (PKI)

Certificates

X.509 certificate

Certificate issuance

Certificate chain