Andrew Young says
These two articles by Microsoft provide information on certificates and security measures as they apply to public key encryption used by modern systems. What stuck out to me is, though the CA certificate system is certainly effective at correctly signing and ensuring consistency across public keys, how might these systems themselves be compromised? An example I can think of is, hypothetically, could the Certificate Authority that directly issues the certificates be compromised by something like a MITM attack or directly accessed and overridden to provide certificates that an attacker was able to see or manipulate for their own purposes? As we go deeper into this topic I’ll be curious to see how they secure the security, as in who watches the watchmen?
Kenneth Saltisky says
Hi Andrew,
You bring up an excellent point on the potential points of exploit in a PKI. There have been some issues where rogue/threat actors have accessed Certificate Authorities and have issued fake certificates for furthering other malicious actors. A recent example of this was in 2017 when Andrew Ayer discovered that Symantec had issued over 100 certificates without proper validation. An investigation into the cause showed other illegal actions being conducted by Symantec regarding certificate issuance.
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html
Erskine Payton says
Both articles detail how public key infrastructure (PKI) and X.509 public key certificates are used and provide scenarios about how they are used. PKI is the common method of securing data transfers. It is astounding the work behind the scenes that it takes to secure data transmissions. For me, the thing that stood out are the multiple links at the end of the article that take you to other related articles that discuss other elements of PKI. Another key item I liked learning about are the elements of a typical PKI and their definitions. I see these links and resources as something I can go back to later if I need to.
Ikenna Alajemba says
No doubt Erskine, the articles highlight PKI and X.509 certificates for securing data transfers, emphasizing the complexity and importance of behind-the-scenes work. Notably, the plethora of linked resources offers valuable insights into PKI elements and related topics, providing a rich source for future reference and learning.
Ikenna Alajemba says
Public Key Infrastructure (PKI) and X.509 Public Key Certificates play integral roles in securing digital communications and transactions. PKI provides a framework for managing cryptographic keys and digital certificates, facilitating secure authentication, encryption, and data integrity verification over insecure networks like the internet.
X.509 certificates, a key component of PKI, serve as digital identities for entities such as websites, individuals, or devices. These certificates bind a public key to an identity and are issued by trusted Certificate Authorities (CAs). By verifying the CA’s digital signature on the certificate, users can trust the associated public key, enabling secure communication with the entity.
PKI and X.509 certificates enable critical security features like SSL/TLS encryption for secure web browsing, secure email communication, and digital signatures for document integrity. However, challenges such as certificate management, trust establishment, and vulnerabilities in certificate issuance processes underscore the importance of robust PKI governance and adherence to best practices in certificate lifecycle management.
Kelly Conger says
Ikenna, I agree that Public Key Infrastructure (PKI) and X.509 certificates are essential for securing digital communications. PKI offers a robust framework for key and certificate management, ensuring secure transactions over the web. X.509 certificates, similar to digital passports, establish trust between entities by linking public keys with identities through trusted Certificate Authorities. This infrastructure forms the basis for SSL/TLS encryption, secure email, and digital signatures, enhancing web security and integrity. However, managing this system’s complexities and potential vulnerabilities highlights the need for diligent governance and best practices in certificate management.
Currently, I am working on a project to migrate our traditional “on-prem” PKI system to a SaaS solution in the cloud. PKI infrastructures can be highly intricate, so dealing with the migration has been slow and tedious to ensure that we do not bring down any mission-critical systems.
Samuel Omotosho says
Ikenna, your brief overview provides a clear understanding of the roles of Public Key Infrastructure (PKI) and X.509 certificates in securing digital communications. You effectively highlight the framework PKI provides for managing cryptographic keys and certificates, emphasizing their role in secure authentication, encryption, and data integrity verification over insecure networks.
The mention of X.509 certificates as digital identities, bound to public keys and issued by trusted Certificate Authorities (CAs), succinctly captures their significance in establishing trust and enabling secure communication. Your examples of SSL/TLS encryption for web browsing, secure email communication, and digital signatures for document integrity add practical context to the importance of PKI and X.509 certificates.
The acknowledgment of challenges, such as certificate management and vulnerabilities in issuance processes, underscores the need for robust PKI governance and adherence to best practices in certificate lifecycle management. Overall, your response provides a comprehensive overview of these crucial components in digital security.
Michael Obiukwu says
In my understanding, Public Key Infrastructure (PKI) and X.509 Public Key Certificates:
Public Key Infrastructure (PKI):
PKI is a framework that manages digital keys and certificates for secure communication.
It provides services like authentication, confidentiality, and integrity.
Key components of PKI include:
Certificate Authorities (CAs): Entities that issue and manage digital certificates.
Registration Authorities (RAs): Verify user identities before issuing certificates.
Certificate Revocation Lists (CRLs): Maintain lists of revoked certificates.
Public and Private Keys: Used for encryption, decryption, and digital signatures.
X.509 Public Key Certificates:
An X.509 certificate adheres to the widely accepted ITU-T X.509 standard.
It defines the format for PKI certificates used in internet communications and networking.
Key points about X.509 certificates:
Digital Identity: Binds a public key to an entity (person, computer, or organization).
Certification Authorities (CAs) issue X.509 certificates.
Certificate Fields: Contain information like the subject’s name, public key, validity period, and issuer.
Certificate Chains: Formed by linking certificates to establish trust.
Certificate Revocation: CRLs or Online Certificate Status Protocol (OCSP) verify if a certificate is still valid.
Mariam Hazali says
Public Key cryptography addresses a significant concern encountered with symmetric encryption: the necessity to safeguard the encryption key. In this approach, parties exchange public keys while keeping their private keys confidential, enabling them to decrypt messages. As the author mentioned, one of the main issues with public key cryptography is the inability of the sender to verify that the public key used to encrypt the message is indeed from the intended recipient and not an eavesdropper, and Certification Authorities (CAs) play a crucial role in mitigating this issue.
The CA issues signed certificates, which are encrypted binary files that affirm the identity of the certificate subject and link that identity to the public key within the certificate. This mechanism aids in authenticating the identity of individuals involved in the communication process.
Kenneth Saltisky says
Hi Mariam,
The importance of Certificate Authorities is the root of how PKIs function and what makes sure that the whole infrastructure works as intended. CAs establish trust between different systems on the internet through certificates and the whole verification process, as well as maintain revocation lists which warn users about potentially insecure or malicious connections to servers. Without CAs, it would be significantly more difficult to verify connections across the entire internet.
Nicholas Nirenberg says
Both articles explore the realm of PKI with a focus on the X.509 standard for public key certificates. The first article provides a comprehensive overview of PKI, emphasizing the importance of certificate signing by Certification Authorities to ensure the integrity and authenticity of public keys. It outlines the process of certificate issuance, emphasizing the role of CAs in verifying the identities of certificate subjects and binding public keys to their identities. Additionally, it describes the structure of X.509 certificates, highlighting key components such as the certificate version, serial number, issuer, validity period, and subject. Similarly, the second article delves into the X.509 standard for public key certificates, emphasizing its role in binding public keys to entities and providing a signed data structure for secure communication. It provides an example of the Abstract Syntax Notation One (ASN.1) syntax for the version 3 X.509 certificate, showing the structure and fields involved in certificate creation. Despite focusing on different aspects of PKI, both articles underscore the significance of X.509 certificates in establishing trust and enabling secure communication in modern networks. Finally, I found the most interesting part to be learning about X.509, because most articles online focus more on what the first article talks about and do not go into more detail.
Jeffrey Sullivan says
What stood out for me in the scenario listed in the article is what happens if your CA is compromised. Can someone infiltrate the CA and use it like ARP poisoning? I guess that will be my question for this week. Even though two people exchanging data, etc. on a network have a private and public key to send, encrypt, then read, etc. a piece of data, all while the CA signs off on it, I feel that this may just give a cybercriminal more than one way into your network or communication transmission. Overall, PKI establishes a high level of confidentiality through strong data encryption and a high level of confidence through authentication via digital signatures and digital certificates.
I feel that there is a lot more to this, especially with the certificates.
Has anyone here set up, configured, managed, etc. a PKI environment?
Chidiebere Okafor says
Jeff, you raised a good point, but I have never heard of any successful attempt in compromising the Certificate Authority. I will recommend this video for further clarification – https://www.youtube.com/watch?v=5OqgYSXWYQM
Jeffrey Sullivan says
Going to check this out, thanks!
Kenneth Saltisky says
The Public Key Infrastructure document describes how public-key cryptography works for encryption and certificate signing/verification, while the X.509 Public Key Certificates document describes the X.509 standard for certificates as well as the data structure utilized, which has evolved since 1998. One point of interest I took away from the articles was the breakdown of the components of the PKI. The Certification Authority is the root of trust that provides services to authenticate identities in a network. The Registration Authority issues certificates for specific uses certified by the CA. The Certificate Database holds the certificate requests and issues/revokes certificates, as well as storing requests on the CA or RA. The Certificate Store saves issued certificates as well as pending or rejected certificate requests on local computers. The Key Archival Server saves encrypted private keys for recovery purposes. The usage of these elements is what allows a PKI to function.
Kelly Conger says
Public Key Infrastructure (PKI) is a system that ensures secure electronic transactions and communications over the Internet. It does this through the use of cryptographic keys and certificates. PKI involves creating, managing, distributing, and revoking digital certificates. These certificates authenticate the identity of entities and encrypt data. PKI includes components such as Certificate Authorities (CAs), which issue certificates, and Registration Authorities (RAs), which verify entity credentials before a certificate is issued. This infrastructure is critical for implementing security measures such as SSL/TLS for secure web browsing, secure email, and code signing.
Hashem Alsharif says
Hello Kelly,
You broke down this concept very effectively. I can see why this would need to be applied when browsing the web or sending emails back and forth. A question I have though is, how efficient would this be considered? Would it be something that’s easy to bypass or something that requires skill? Either way, I assume if anyone is able to bypass it, then it can’t be perfect. If this is the case, I wonder if anything new is being done to refine this.
Samuel Omotosho says
Public key infrastructure enables users to encrypt and decrypt content while being relatively assured of each other’s genuine identities. It does this by using users’ private and public keys in conjunction with a certification authority, a trusted third party. The articles state that the following components make up a typical PKI: the Certificate Database, the Certificate Store, the Certification Authority, the Registration Authority, and the Key Archival Server. A Certificate Authority, Certificate Directory, and Key Recovery Server are common components of a Microsoft PKI.
Akintunde Akinmusire says
Hi Samuel,
I agree with you regarding PKI. PKI supports secure communication by using both private and public keys in conjunction with a trusted third party to ensure secure communication.
Chidiebere Okafor says
Microsoft’s Public Key Infrastructure (PKI) encompasses the rules, guidelines, and software governing certificates that a trusted third party can use to establish the integrity and ownership of a public key. In practical terms, PKI refers to a framework comprising digital certificates, certificate authorities (which authenticate identities), and related repositories that validate the authenticity of parties in electronic transactions. Public key certificates are utilized for authentication and secure data transmission across the Internet and intranets. Certificates serve various purposes, including web user and server authentication, secure email via S/MIME, IP Security, SSL/TLS, and code signing.
Hashem Alsharif says
Going off of these two articles, it seems to me like they follow the same principle, that being public key infrastructure and how it operates. This allows users to communicate securely with each other while maintaining their private keys. I did find it a little confusing when the article talked about the certification authority and how it issues encrypted binary certificates to confirm the identity of the certificate subject and then binds it to the public key in the certificate. I understand that it plays a part in the process, but it does seem complicated as it’s a multi-step process involving verification multiple times in different ways. It does mention at the end that it enables the user to ensure that the public key was not tampered with or corrupted. I assume if I made this into a chart, it could be an easier concept to grasp.
Mariam Hazali says
I agree with you. Asymmetric encryption ensures that the sender cannot deny sending a message, and I think that adds the complication of making sure the sender is verified to avoid any man-in-the-middle attacks.
Alex Ruiz says
Public-key cryptography uses a pair of mathematically related public and private keys for secure communication. The public key infrastructure addresses security concerns by employing a certification authority to issue digitally signed certificates, verifying the identity of the certificate subject and binding it to the public key. This process ensures the integrity of public keys, allowing secure communication between parties. The articles also cover what a typical Microsoft public key infrastructure includes, such as certification authorities, a certificate directory, and a key recovery server.
Akintunde Akinmusire says
Public Key Infrastructure has three components, which are the certificate authority, certificate directory, and key recovery. The Certificate Authority is responsible for validating the authenticity of users in a public key infrastructure. A certificate directory is a database that keeps digital certificates issued by Certificate Authorities within the public key infrastructure. Key recovery servers are helpful for organizations when there is a case of loss of keys.
Mariam Hazali says
Yes, once the key is lost the message cannot be decrypted, so the organization must have a good system to properly manage their keys, as it allows the company to streamline the entire life cycle of key management.
Nicholas Nirenberg says
Hi Akintunde, I think you hit all the key points that PKI consists of: the Certificate Authority (CA), Certificate Directory, and Key Recovery. Simply, the CA validates user authenticity, the Certificate Directory stores digital certificates, and Key Recovery servers aid in key loss situations for organizational continuity.