Understanding PKI Certificate Recovery Options

At its most basic, a Public Key Infrastructure (PKI) is the set of Certificate Authorities, certificates, keys and revocation services that lets parties on a network establish trust in one another. It is broader than the Secure Sockets Layer (SSL/TLS) certificate that validates a website: a TLS server certificate is one product of a PKI, not the whole of it. Certificates issued to people rely on the same technology, a public and private key pair, where the public key is used to encrypt data or verify a signature and the private key is used to decrypt or to sign.

A second use of Public Key Infrastructure, distinct from an SSL/TLS certificate for a domain or subdomain, is the personal certificate used to digitally sign email (S/MIME is the common example). The signature authenticates the sender and lets the receiver verify that the message and any attached documents were not altered in transit.

This matters for both businesses and individuals sending information online. For the sender, a signature ties the message to their identity and lets the receiver detect any alteration, whether accidental or malicious; the signature does not prevent tampering, but it guarantees that tampering will be noticed. This is especially important for legal contracts and documents transmitted online, since it protects both the sender and the receiver.

For the receiver, Public Key Infrastructure provides the same protection. He or she is assured that the information received is exactly what the sender signed, and there is no question as to who sent the email, because the signature can only have been produced with the private key that corresponds to the sender's certificate.

The Trust Factor

For a PKI certificate to be accepted and recognized, it has to be issued by a trusted source. At Comodo, we are the leading Trust Provider worldwide, providing PKI certificates to individuals, organizations and businesses of all sizes.

To issue a PKI certificate, a Certificate Authority (CA) such as Comodo has to verify the applicant's identity. Every other party that recognizes the certificate is relying on the CA to have performed that verification; this is what it means to trust the CA.

The CA does this by verifying that the user is the holder of a specific name, called a DN or Distinguished Name, which is unique to one user; it may include an email address, an employee number or another unique identifier. The certificate the CA issues binds that DN to the user's public key, which others use to encrypt data for the user or to verify the user's signatures, depending on what the certificate is issued for. The matching private key is held by the user, not by the CA.

Each PKI certificate generated and installed by the CA also has an effective date and an expiration date (the Not Before and Not After fields of the certificate). The period between them is known as the lifecycle or lifetime of the certificate.

Recovery Issues

In some cases a user loses access to the decryption key. Most often this happens because the private key is protected by a password and the user forgets the password they set when providing their information to the Certificate Authority, or because the device holding the key is no longer available.

For PKI certificate recovery to be possible, the business or the individual must make a backup copy of the key in advance. Keep in mind that once the certificate is generated it is automatically installed on the enrolling device, together with the private key that was created there. If that device is lost, stolen or damaged, everything encrypted to that key becomes unreadable unless some form of PKI certificate recovery was set up beforehand.

To prevent problems with PKI certificate recovery, a business can keep a complete, protected backup (an escrow copy) of the decryption key of each user on the system. Be very careful: this applies only to the key used for decryption, not the key used for signing, which in practice means each user should have separate key pairs for encryption and for signing. Copies of signing keys should never be kept, because if the backup store is accessed or breached, whoever holds it can forge signatures, and the entire PKI trust in those signatures is compromised.

Revocation is the counterpart to PKI certificate recovery. If the signing key is lost or inaccessible, or if there is any indication of a security breach, the CA can revoke the certificate. This is not the same as PKI certificate recovery, and it recovers nothing, but it lets the certificate be withdrawn (relying parties learn of the revocation through the CA's certificate revocation list or OCSP service) and replaced with a new certificate for a new key pair that has not been, and is not suspected of having been, compromised.

This is also one of the reasons the CA issues a certificate for a fixed lifecycle. By issuing new key pairs and certificates on a set schedule, there is less concern that a breach or compromise could go unnoticed for an extended period: once a certificate expires, the key behind it loses its value to an attacker.

A PKI management system will take care of backing up the correct keys (decryption keys only) so that individual users do not have to do it on their own. The same system also handles the regular, automatic renewal of certificates and key pairs before they expire.
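The two rules above (escrow the decryption key, never the signing key; renew on a fixed lifecycle) can be exercised with nothing more than the openssl command-line tool. The following is an added example written for this page, not tooling from Comodo or InstantSSL: it gives one user separate signing and encryption key pairs, escrows only the encryption private key as a passphrase-wrapped PKCS#8 file, simulates a lost device, recovers the decryption key and reads an old message, and confirms that an old signature still verifies with the public key alone while no signing key exists anywhere to be recovered. A second function checks whether a certificate falls due for renewal within a given number of days. The file names, the subject name jane.example, the escrow passphrase and the self-signed certificate standing in for a CA-issued one are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not tooling from Comodo or InstantSSL: escrow of the
# DECRYPTION key only, plus a certificate-lifetime check, using the openssl
# command-line tool. File names, the subject name and the escrow passphrase
# are illustrative assumptions.
set -eu

# Generate separate signing and encryption key pairs for one user, escrow only
# the encryption private key, simulate a lost device, and recover. Prints the
# recovered plaintext on success; any failing step makes the function fail.
pki_recovery_demo() {
    work="$(mktemp -d)"
    escrow_pass='example-escrow-passphrase'   # assumption: real deployments keep this in an HSM or KMS
    mkdir "$work/escrow"

    # Two distinct key pairs: ECDSA P-256 for signing, RSA-2048 for encryption.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$work/sign.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/enc.key" 2>/dev/null
    openssl pkey -in "$work/sign.key" -pubout -out "$work/sign.pub"
    openssl pkey -in "$work/enc.key" -pubout -out "$work/enc.pub"

    # Escrow ONLY the encryption private key, wrapped as AES-256 encrypted PKCS#8.
    # The signing key is deliberately never copied anywhere.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$work/enc.key" \
        -out "$work/escrow/enc.key.p8" -passout "pass:$escrow_pass"

    # Everyday use: a colleague encrypts to the user's public key,
    # and the user signs a document with the signing key.
    printf 'contract v3: signed and sealed' > "$work/contract.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$work/enc.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/contract.txt" -out "$work/contract.enc"
    openssl dgst -sha256 -sign "$work/sign.key" \
        -out "$work/contract.sig" "$work/contract.txt"

    # The device is lost: every private key on it is gone.
    rm -f "$work/sign.key" "$work/enc.key"

    # Recovery: unwrap the escrowed decryption key and read the old ciphertext.
    openssl pkey -in "$work/escrow/enc.key.p8" -passin "pass:$escrow_pass" \
        -out "$work/enc.recovered.key"
    openssl pkeyutl -decrypt -inkey "$work/enc.recovered.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/contract.enc" -out "$work/contract.dec"

    # The old signature still verifies, because verification needs only the
    # public key, which remains in the (now to be revoked) certificate.
    openssl dgst -sha256 -verify "$work/sign.pub" \
        -signature "$work/contract.sig" "$work/contract.txt" >/dev/null
    # Nothing in escrow can sign as the user: the right response to a lost
    # signing key is revocation and a new key pair, not recovery.
    if [ -e "$work/escrow/sign.key" ]; then
        echo "signing key must never be escrowed" >&2
        return 1
    fi

    cat "$work/contract.dec"
    rm -rf "$work"
}

# Issue a throwaway self-signed certificate valid for $2 days, saved to $1.
# It stands in for a CA-issued certificate in the lifetime check below.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj '/CN=jane.example' 2>/dev/null
}

# Succeed (exit 0) when certificate $1 expires within $2 days, meaning
# renewal and a fresh key pair are due; fail otherwise.
cert_renewal_due() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}

# Stand-alone run: recovered plaintext, then a renewal check on a 1-day cert.
pki_recovery_demo
echo
cert_tmp="$(mktemp -d)"
make_selfsigned_cert "$cert_tmp/jane.pem" 1
if cert_renewal_due "$cert_tmp/jane.pem" 30; then
    echo "renewal due: certificate expires within 30 days"
fi
rm -rf "$cert_tmp"
```

In a real deployment the escrow passphrase would be a key-encryption key held by the escrow service (ideally in an HSM), every unwrap of the escrow store would be authorized and logged, and the lost signing certificate would be revoked with the CA while a new signing key pair is enrolled. The example stops at the key material because that is the part the two rules are about.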

To learn more about PKI certificate recovery, talk to our sales staff at Comodo. We are reachable by phone at +1 888 266 6361, or get in touch with us online at https://www.instantssl.com.
