← Week 1: Cryptographic Foundations

Day 5: PKI Concepts Overview

Phase 1 · May 18, 2026

← Week 1: Cryptographic Foundations

Agenda (2–3 hours)

  • Read (60 min): smallstep.com/blog/everything-pki (comprehensive, free); OR "Bulletproof TLS and PKI" Ch. 1–2
  • Study (45 min): CA trust model, trust stores, chain structure
  • Practice (45 min): Inspect real certificate chains in browser and openssl
  • Challenge (30 min): Written threat analysis
← Week 1: Cryptographic Foundations

The Core Problem PKI Solves

You want to connect to api.amazon.com. You get a public key.
How do you know that key belongs to Amazon and not an attacker?

Without PKI: you can't.

PKI answer: a Certificate Authority (CA) signs a binding between
"this public key" and "this domain name." Your OS/browser trusts a set of root CAs.
If the cert chains up to a trusted root, the binding is trusted.

This is a web of trust by delegation, not direct verification.

← Week 1: Cryptographic Foundations

Certificate Chain Structure

Root CA Certificate          (self-signed, in your trust store)
   └── Intermediate CA Cert  (signed by Root)
         └── End-Entity Cert (signed by Intermediate, e.g. api.amazon.com)

Why intermediates?

  • Root key stays offline (air-gapped) — never exposed to network
  • Intermediate key is online but its compromise is limited to its subtree
  • Root can revoke a compromised intermediate
← Week 1: Cryptographic Foundations

Trust Stores

Where does your machine decide which roots to trust?

Platform Trust Store
Linux /etc/ssl/certs/, ca-certificates package
macOS Keychain (System Roots)
Windows Certificate Store (MMC)
Firefox Bundled Mozilla NSS store
Chrome/Edge OS trust store

openssl s_client uses the system trust store by default.
You can specify a custom CA with -CAfile ca.pem.

← Week 1: Cryptographic Foundations

Practice Exercise

# Inspect amazon.com's full certificate chain
openssl s_client -connect amazon.com:443 -showcerts 2>/dev/null \
  | openssl x509 -noout -text | head -40

# Show just the chain depth and issuers
openssl s_client -connect amazon.com:443 2>/dev/null \
  | grep -E "^(depth|verify|subject|issuer)"

Also open amazon.com in a browser, click the padlock → certificate details.
Find: root CA name, intermediate CA name, leaf cert SANs.

← Week 1: Cryptographic Foundations

Challenge Assignment

Write 3–4 paragraphs answering:

What happens if a trusted root CA's private key is compromised?

Cover:

  1. Which certificates are affected, and why
  2. What an attacker can do with the key (hint: MITM, forged certs)
  3. What mitigations exist: CRL/OCSP, certificate pinning, CT logs, browser emergency response
  4. A real-world example (DigiNotar 2011 — look it up)

This is the foundational threat model for the work your team does.

← Week 1: Cryptographic Foundations

Resources

  • smallstep.com/blog/everything-pki — excellent free overview
  • Mozilla Root Store Policy: wiki.mozilla.org/CA
  • DigiNotar incident postmortem (search "DigiNotar 2011")
  • RFC 5280 §3: Certificate overview (just skim today — you'll go deep in Week 4)