I really appreciate the feedback, Raki. Greetings to you in Indonesia! I never imagined that my videos would reach so far around the world. It was a heartwarming greeting from you.

Thank you for your kind words, Erick. I’m very glad you liked the presentation and appreciate you taking the time to comment.

I’m glad you liked it. Thanks for the feedback.

Glad you liked it, Joost. I’m hoping to get another video done in a few weeks.

SkillexeD, I'm really glad you like it. That means a lot to me. Thanks.

wrg

You put a big smile on my face, Ranjan. Thanks for your comment.

Wow! Thank you very much for the feedback.

I’m very glad you liked it, Mark. Thanks for the positive feedback!

Thank you very much, Yanick.

Thanks for the kind comment, Salakh. I really appreciate it.

Good luck on your CISSP, John. I’m glad you found it helpful. Thanks for the feedback.

Thank you for the feedback, Afnaan. I’m glad it makes sense.

Thank you very much for the positive feedback, Alethea. I really appreciate it!

I'm very glad to hear that, Arkadeep. Thank you for the feedback.

I’m so glad to hear that, Ajay. I appreciate you taking the time to comment.

Well, I guess if we’re going to have a Hawaiian soul (reference to your great screen name), we definitely don’t want to rush it ;-). Thanks a bunch for the kind feedback.

Paul, you put a big smile on my face when I read your note. I apologize for being slow in responding. I'm glad the video was helpful!

Hey, Aaron. Great to hear from you. Coming from a person who could teach the topic much better than me, that means a lot.

Thank you for taking the time to send me a comment, Felipe. I'm glad you found it helpful.

Todd, thanks for taking the time to give your feedback. I really appreciate it.

You are very welcome, Josh. I hope it was helpful.

Thank you for taking the time to leave a comment, Naresh. I’m glad it was helpful.

Thank you very much for your feedback, Jason!

Haha. I’m not sure how to take that. I hadn’t been shooting for fiction on the videos but must have made quite an impression with my delivery to inspire your sci-fi writing 😃

Where can I read your sci-fi novel ?

Thank you for taking the time to give me your feedback. I’m really happy to hear it was helpful.

Thank you for your enthusiastic feedback. Comments like this make my day, Mason.

Thank you very much for the feedback, Shashank. I really appreciate it. I’m glad it was helpful.

@@PaulTurnerChannel was searching this topic for the first time and glad I landed directly on this. you explained the entire architecture very well. Thanks again. stay safe.

Could you probably recommend some sources/books/papers/articles? You made me curious, i'd love to read more about it

Thank you very much for the feedback, Mathias. I wish I could point you to something I've read but I started in PKI a long time ago and, having learn most of what I know on the job, haven't kept up with book much. However, I can strongly recommend you looking at Ivan Ristic's book "Bulletproof SSL and TLS". He's very knowledgeable in this space. I also believe there is some other guidance that will be coming out soon and will give you a heads up when it hits the street.

@@PaulTurnerChannel t Thank you Paul!

Thank you for the feedback, Lokesh. I’m glad it was understandable.

Mecca, I’m so glad you found the video helpful. Good luck on your exam. I’m sure you will do great.

Doudi, you put a big smile on my face with your greeting. Though the internet is clearly global, I frankly never anticipated that the videos I was creating would be viewed from so many different continents and countries. I’m glad you found the video helpful. Thank you so much for reaching out from half way around the world ;-)

Hi, Rachell. Thanks for pointing that out. This is an older video and I didn’t include OCSP stapling. It has become much more widely used. I appreciate you bringing it up.

Thank you, Abhishek.

Thank you, Sanskar.

:-) Merci pour votre note. Ça m'a fait un grand sourire. Vive la France!

Thank you, BTC. I appreciate you taking the time to comment. Glad it was helpful.

Thank you for taking the time to leave a comment, Paul!

Hi, Daniel. Sorry for the slow response. Your internal PKI infrastructure should have an issuing CA. That is where you want to issue the EAP-TLS Cert from. If you only have a root CA, you should strongly consider setting up a new issuing CA (and possibly a new root, since the existing root would have gotten lots of exposure if it was issuing end entity certs (e.g., TLS certs)). I hope this helps.

Vitor, let me look into this. Those slides are technically owned by Venafi, the company I used to work for. I'll check with them. It may take me a bit to get back to you. I appreciate the feedback.

Hi, Thomas. Thanks for your question. You cannot determine the RA from the certificate unless the CA chooses to add a proprietary extension (I'm not aware of any standard extensions that list the RA but may have missed it). From the certificate, you can determine the certificate authority (CA), the CRL distribution point (CDP), OCSP responder location, and the location where the CA chain can be retrieved (CA Issuers). I hope this helps. I'm curious. Why would you want to determine the RA from the certificate as a relying party? I'm not sure what a VA is. Again, I may have missed that term in my travels so feel free to enlighten me. Thanks a bunch for the question

I appreciate you saying that, Prakash. Can you clarify your question about browser (client) vs server certificates? Are you asking about when client certificates should be used or some other aspect? Thanks for your question. Sorry for not understanding it.

@@PaulTurnerChannel thanks for your reply.. I was referring to sever to server vs browser to server communication .. behavioural difference between these two type of communication... though I really appreciate ur reply.. Thanks

Prakash, your question is a little broad so I'm not sure I'll be answering what you're inquiring about. With respect to server-to-server (S2S) vs. browser-to-server (B2S), there are no differences in the TLS protocol or the TLS server certificates used in both cases. The primary difference I see between the two is how they will respond to errors. For example, with S2S, the server acting as a client will shutdown the TLS connection and log an error if an expired certificate or name mismatch is encountered. The application served by the S2S communications will stop operating at that point. With B2S, the browser will display an error for the user when an expired certificate is encountered. The user is free to make a choice on how they respond (click through or abandon). The browser manufacturers have made their errors more stern and difficult to dismiss so users are less likely to click through the error but it is not impossible. If they don't click through, they will likely try to contact support for the application (since they can't get to it). The reason I raise this difference (again, not knowing if this is what you were looking for) is that the situation is subtly but importantly different between the two. In the S2S case, someone has to dig through log files to figure out why the application stopped working. In the B2S case, it is pretty clear from the error messages displayed in the browser what happened (especially, if the support person tries to connect to the server and they get the error message). I've heard of organizations troubleshooting S2S expired certificate issues for several hours before they figure out what happened. If there are multiple clustered systems acting as servers and there is only an expired certificate on one (e.g., the others were updated), this can make it even more difficult to troubleshoot because you have a load balancer spreading clients across the clustered servers and it only fails intermittently. As I write this, I realize I'm probably way off from what you were interested in. If so, can you please restate your question? It doesn't appear that you were asking about client TLS certs and the difference between servers acting as clients and browsers. I'm sorry if I'm being slow on this.

@@PaulTurnerChannel thanks!! for the detailed explanation.. that pretty much explained my question..🙂

I’m glad it was helpful, Costin. Thank you for the feedback.

Hi, Val. Good question. If you have the CA centrally generate the key pair, the user will provide their information for inclusion in the certificate and the CA will generate the key pair (public and private key), issue a certificate containing the public key, and provide the private key and certificate for download by the user. The private key should be protected by a password when downloaded. In most cases, the private key and password will be provided in PEM or PKCS#12 format (file format of the keystore). Generally, you don't want to have a public CA creating key pairs for you unless you're leveraging the CA as a key escrow/backup service (which only makes sense for things such as email encryption, where you don't want to risk losing all copies of your private key). With decentralized key generation, the user generates the key pair along with a CSR (which contains the public key). They submit the CSR to the CA. The CA uses the information within the CSR and whatever other information they choose to issue a certificate. The CA returns the certificate back to the user. The user installs certificate and private key in the needed location for the application that will use the them for both centralized and decentralized. I hope this helps.

You are awesome!

Thanks Paul, explained really well. I keep coming back to your videos for references.

Hi, Mike. Sorry for the slow response. There are a variety of good PKI consulting organizations out there. You might talk with Encryption Consulting (www.encryptionconsulting.com) or Komar Consulting (www.komarconsulting.com). Brian Komar also has written several papers and books. I hope that helps.

@@PaulTurnerChannel Never mind. I am glad, that you took your time to respond. Would you mind, if I message you on youtube? I need a couple of tipps for my current project if you do not mind

No problem, Mike. My primary expertise is in the cert and key mgmt of PKI. There many others better than me at CA deployment and mgmt.

@@PaulTurnerChannel can I have your E-Mail Address? I cannot find any way to communicate with you. I posted my E-Mail here in a comment but it got deleted somehow

@@Mike-kq5yc Sorry for the slow response. Please connect with me on Linkedin at www.linkedin.com/in/equio/.

Hi, JD. I use PowerPoint to create the graphics and animations. Thanks a bunch for you feedback. I’m glad you liked it.

Thank you for taking the time to comment, Houssem.

I appreciate the feedback. I have to say that I didn’t expect that particular video to be as well received and helpful as it appears to be. I’m glad it is helpful!

@@PaulTurnerChannel No problem. I learn a lot from KZbin and this was great. If I may ask a follow-up question (since you responded so quickly). I'm also trying to learn about HSM's and my main/basic question is: Can an HSM be a CA as well or are they traditionally/always separate systems?

A CA would use an HSM to secure its signing key but you would likely not want an HSM to BE a CA. The reason is that HSMs must conform to a standard called FIPS 140, which is very restrictive and requires retesting for certification when changes are made to the internal code. HSMs typically perform a limited number of functions (key gen, signing, etc.) and therefore have a smaller code base and don’t require frequent changes/updates. On the other hand, CAs typically have large amounts of code and need updating frequently with new functionality to respond to changing market needs. The size of CA code would significantly extend testing/certification times and the retesting for certification would slow down the ability to get new features out. Consequently, most CAs have not been built into HSMs and instead use them as a security resource to protect their signing keys. Hope this makes sense.

@@PaulTurnerChannel Perfect. Much appreciated!!!!!

Thanks for the feedback, Junaid. The slides were created with PowerPoint.

@@PaulTurnerChannel Thanks for your prompt response. Do you supervise students? How can I reach you privately?

Hi, Junaid. You ca. contact me on LinkedIn with my name and Epuio.

@@PaulTurnerChannel thank you so much, sure I will get in touch with you soon.

Thank you for the feedback. I’m glad you liked it.

I’m very happy to hear it was helpful, Chandu!

Thanks for the feedback. I appreciate it.

Thank you very much for the feedback, Lee. I’m glad it was helpful b

Hi, Gilad. Yes, DDOS is a risk with OCSP.

Hi, Prashanth. Good catch. It sounds like I say "root" certificate there (before I even introduce the concept of a root certificate). Yes, I meant to say they provide their own certificate, which is a public key certificate. Thank you for catching that!

@@PaulTurnerChannel Paul, I seriously love your videos and I hope you make more videos where you take complex topics and break them down like this. Thank you x 100. I was just making sure I understood it right. I don't mean to point mistakes. I hope you have a fantastic day!

@@PaulTurnerChannel Your videos will be here forever and help countless folks! Thank you again.

I guess we’d need a time machine for that MillerTheGreat ;-). Sorry that you didn’t find it before the test. Hope it was helpful nonetheless.

I’m sorry you found it confusing, TD. The portion about Sally is not meant to imply she is requesting a website. She knows she wants to use that particular website and wants to do so securely. The rest of the video explains how the PKI system was designed to support that secure communication. Again, I’m sorry you found the video confusing. I hope you’re able to find information that is helpful to you.

Marco, I have to confess that I don't understand your question. I have never heard PKI (public key infrastructure) referred to as KPI so I would have to reply that they're not the same. The only time I've heard of KPI for "key performance indicators". That is definitely not the focus of this presentation.

@@PaulTurnerChannel Is the pki related to excel power pivot?

Hi, Marco. No. This presentation is not about Power Pivot in Excel. I hope you find a good resource to help you on that topic. Good luck.

@@PaulTurnerChannel Is mayonnaise an instrument?

Thank you!

In the case you’re mentioning, the attacker would need to steal the private key that matches the certificate (typically installed on the server to which the certificate is assigned). Then they would need to redirect traffic to come to their server instead of the legitimate server. Please see my response to your question about MITM for additional background. I hope this helps.

Hi, Dita. I don’t have any experience with SignServer. Are you having trouble with the documentation? Have you tried reaching out to someone on the user forum sourceforge.net/projects/signserver/support ?

Sorry, Swagata. That was one of my early videos when I didn’t have a good microphone.

Hi, Silver. I’m confused by your comment. Many operating systems and other software/hardware come preloaded with root certs. Can you clarify?

@@PaulTurnerChannel Hi Paul, they are putting "root certificates" in the software/hardware not "certificate authorities", the certificate authorities are organizations

Ah. You are correct. I didn’t realize I had said that in the video. Good catch.

Sorry, Generic Rocker. This was one of my early videos before I understood the importance of a good microphone. Hopefully, some of my later videos have better sound quality. Thanks for pointing it out. All the best.

:-). And all this time I thought it stood for public key infrastructure. I stand corrected. On a serious note, I was not aware of the existence of the PKI in Indonesia. Thank you for broadening my horizons.

BP U PKI

Hello, Sharifah. I wasn’t aware of the PKI in Indonesia. I’m sorry for the overlap. I didn’t pick the name “public key infrastructure”, which results in “PKI” and is a broadly used term in the technology industry. This video is to help technologists understand that technology. I wish you all the best.

Thank you for your expressions of appreciation for several videos. I’m very happy you find them useful.