Certificate Management and PKI
Overview
Digital certificates form the backbone of secure communications, identity verification, and encryption across modern networks. This comprehensive guide covers certificate management principles, Public Key Infrastructure (PKI) concepts, implementation practices, and practical techniques for creating and managing certificates in various environments.
Table of Contents
- Certificate Fundamentals
- Public Key Infrastructure (PKI)
- Certificate Types and Use Cases
- Certificate Lifecycle Management
- PowerShell Certificate Management
- Troubleshooting
- Best Practices
- OpenSSL Guide
- Self-Signed Certificates
Certificate Fundamentals
What are Digital Certificates?
Digital certificates are cryptographic files that use asymmetric cryptography to establish identity and enable secure communications. They bind a public key to an entity (organization, device, or individual) and are validated by a trusted Certificate Authority (CA).
Key Certificate Components
- Subject: Entity the certificate identifies (person, server, device)
- Subject Alternative Name (SAN): Additional identities covered by the certificate
- Public Key: Used for encryption and signature verification
- Digital Signature: CA's cryptographic validation of the certificate
- Issuer: The CA that issued and signed the certificate
- Validity Period: Start and end dates defining the certificate's lifetime
- Serial Number: Unique identifier assigned by the issuing CA
- Certificate Policies: Constraints and permitted uses
- Key Usage and Extended Key Usage: Defines permitted operations
- CRL Distribution Points: Where to check for certificate revocation
Cryptographic Foundations
- Asymmetric Encryption: Public/private key pairs
- Digital Signatures: Mathematical proof of authenticity
- Hash Functions: One-way functions creating fixed-size outputs
- Certificate Chain Validation: Trust path from end-entity to root certificate
Public Key Infrastructure (PKI)
PKI Components
- Certificate Authorities (CAs): Entities that issue certificates
- Root CAs: Self-signed certificates at the top of the trust hierarchy
- Intermediate CAs: Bridge between root CAs and end-entity certificates
- Issuing CAs: Directly issue certificates to end entities
- Registration Authorities (RAs): Verify requestor identities
- Certificate Repositories: Storage for issued certificates
- Certificate Revocation Systems: Mechanisms to invalidate certificates
- Certificate Revocation Lists (CRLs): Lists of revoked certificates
- Online Certificate Status Protocol (OCSP): Real-time certificate validation
Trust Models
- Hierarchical Trust: Centralized model with a root CA
- Web of Trust: Decentralized peer-to-peer trust (e.g., PGP)
- Bridge CA: Connects multiple hierarchical PKIs
- Cross-Certification: Trust relationships between separate PKIs
Certificate Types and Use Cases
SSL/TLS Certificates
- Domain Validated (DV): Basic verification of domain control
- Organization Validated (OV): Includes verified organizational information
- Extended Validation (EV): Highest level of validation with strict identity verification
- Wildcard Certificates: Cover multiple subdomains (
*.example.com) - Multi-Domain (SAN) Certificates: Cover multiple distinct domains in one certificate
Code Signing Certificates
- Standard Code Signing: Verifies software publisher identity
- Extended Validation (EV) Code Signing: Higher trust level for software distribution
- Kernel Mode Code Signing: Required for drivers on modern Windows systems
- Microsoft Authenticode: Specific format for Windows executables
Authentication and Identity Certificates
- User Authentication: For user login and identification
- Client Authentication: For device authentication to services
- S/MIME Certificates: For email encryption and signing
- Smart Card Certificates: For physical authentication tokens
- VPN Authentication: For secure remote access
Certificate Lifecycle Management
Planning and Procurement
Requirements Analysis
- Identifying security needs and use cases
- Determining key lengths and algorithms
- Selecting appropriate certificate types
- Setting validity periods
CA Selection Strategy
- Public vs. private CA considerations
- Commercial CA evaluation criteria
- Internal CA infrastructure planning
Certificate Request Generation
- Creating Certificate Signing Requests (CSRs)
- Key pair generation best practices
- Subject and SAN configuration
Validation and Issuance Process
- Domain control validation methods
- Organization verification procedures
- Certificate request approval workflows
Deployment and Implementation
Certificate Installation
- Web server configuration (IIS, Apache, Nginx)
- Application server integration
- Load balancer deployment
- Client device installation
Trust Configuration
- Root certificate distribution
- Trust store management
- Certificate pinning implementation
- CA constraint enforcement
Testing and Validation
- Chain validation verification
- SSL/TLS configuration testing
- Compatibility testing across clients
- Security scanning and assessment
Monitoring and Maintenance
Certificate Inventory Management
- Comprehensive certificate tracking
- Metadata and attribution recording
- Dependency mapping
- Centralized inventory systems
Expiration Management
- Automated expiration monitoring
- Renewal scheduling and workflows
- Grace period policies
- Impact assessment procedures
Revocation Management
- Revocation triggers and policies
- CRL generation and distribution
- OCSP responder configuration
- Revocation checking enforcement
Audit and Compliance
- Certificate usage auditing
- Compliance validation
- Cryptographic standards enforcement
- Policy adherence verification
PowerShell Certificate Management
Certificate Store Operations
<#
.SYNOPSIS
Gets certificates from the local certificate store.
.DESCRIPTION
Retrieves certificates from specified store locations with optional filtering.
.PARAMETER StoreLocation
The certificate store location (CurrentUser or LocalMachine).
.PARAMETER StoreName
The name of the certificate store to query.
.EXAMPLE
Get-CertificateFromStore -StoreLocation LocalMachine -StoreName My
#>
function Get-CertificateFromStore
{
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[ValidateSet("CurrentUser", "LocalMachine")]
[string]$StoreLocation,
[Parameter(Mandatory = $true)]
[ValidateSet("My", "Root", "CA", "TrustedPeople", "TrustedPublisher")]
[string]$StoreName,
[Parameter()]
[string]$SubjectFilter,
[Parameter()]
[datetime]$ExpiringBefore
)
try
{
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$Certificates = $Store.Certificates
# Apply optional filtering
if ($SubjectFilter)
{
$Certificates = $Certificates | Where-Object { $_.Subject -like "*$SubjectFilter*" }
}
if ($ExpiringBefore)
{
$Certificates = $Certificates | Where-Object { $_.NotAfter -lt $ExpiringBefore }
}
Write-Output $Certificates
}
catch
{
Write-Error "Failed to access certificate store: $($_.Exception.Message)"
}
finally
{
if ($Store)
{
$Store.Close()
}
}
}
Certificate Creation and Export
<#
.SYNOPSIS
Creates a new self-signed certificate.
.DESCRIPTION
Generates a self-signed certificate for testing or development purposes.
.PARAMETER Subject
The subject name for the certificate.
.PARAMETER DnsName
DNS names to include in the certificate.
.PARAMETER ExpirationDate
The expiration date for the certificate.
.EXAMPLE
New-SelfSignedCertificateAdvanced -Subject "CN=TestCert" -DnsName "test.example.com"
#>
function New-SelfSignedCertificateAdvanced
{
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string]$Subject,
[Parameter()]
[string[]]$DnsName,
[Parameter()]
[datetime]$ExpirationDate = (Get-Date).AddYears(1),
[Parameter()]
[ValidateSet("Signature", "KeyExchange")]
[string]$KeyUsage = "KeyExchange",
[Parameter()]
[int]$KeyLength = 2048
)
try
{
$CertificateParameters = @{
Subject = $Subject
NotAfter = $ExpirationDate
KeyUsage = 'DigitalSignature', 'KeyEncipherment'
Type = 'SSLServerAuthentication'
CertStoreLocation = 'Cert:\LocalMachine\My'
KeyLength = $KeyLength
}
if ($DnsName)
{
$CertificateParameters.DnsName = $DnsName
}
$Certificate = New-SelfSignedCertificate @CertificateParameters
Write-Verbose "Certificate created with thumbprint: $($Certificate.Thumbprint)"
Write-Output $Certificate
}
catch
{
Write-Error "Failed to create certificate: $($_.Exception.Message)"
}
}
<#
.SYNOPSIS
Exports a certificate to a file.
.DESCRIPTION
Exports a certificate to a PFX or CER file.
.PARAMETER Certificate
The certificate object to export.
.PARAMETER FilePath
The path where the certificate will be exported.
.PARAMETER Password
The password to secure the PFX file (required for PFX exports).
.PARAMETER IncludePrivateKey
Whether to include the private key in the export (creates PFX).
.EXAMPLE
Export-CertificateToFile -Certificate $cert -FilePath "C:\certs\mycert.pfx" -Password (ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force) -IncludePrivateKey
#>
function Export-CertificateToFile
{
[CmdletBinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
[Parameter(Mandatory = $true)]
[string]$FilePath,
[Parameter()]
[securestring]$Password,
[Parameter()]
[switch]$IncludePrivateKey
)
process
{
try
{
$Directory = Split-Path -Path $FilePath -Parent
if (-not (Test-Path -Path $Directory))
{
New-Item -Path $Directory -ItemType Directory -Force | Out-Null
Write-Verbose "Created directory: $Directory"
}
if ($IncludePrivateKey)
{
if (-not $Password)
{
throw "Password is required when exporting with a private key"
}
# Export as PFX
$ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$CertBytes = $Certificate.Export($ExportType, $Password)
[System.IO.File]::WriteAllBytes($FilePath, $CertBytes)
Write-Verbose "Certificate with private key exported to: $FilePath"
}
else
{
# Export as CER
$ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$CertBytes = $Certificate.Export($ExportType)
[System.IO.File]::WriteAllBytes($FilePath, $CertBytes)
Write-Verbose "Certificate (public part only) exported to: $FilePath"
}
}
catch
{
Write-Error "Failed to export certificate: $($_.Exception.Message)"
}
}
}
Certificate Validation
<#
.SYNOPSIS
Validates certificate properties and chain.
.DESCRIPTION
Performs comprehensive validation of certificate including expiration, chain, and revocation status.
.PARAMETER Certificate
The certificate object to validate.
.PARAMETER CheckRevocation
Whether to check certificate revocation status.
.EXAMPLE
Test-CertificateValidity -Certificate $cert -CheckRevocation
#>
function Test-CertificateValidity
{
[CmdletBinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
[Parameter()]
[switch]$CheckRevocation
)
process
{
$ValidationResults = [PSCustomObject]@{
Thumbprint = $Certificate.Thumbprint
Subject = $Certificate.Subject
Issuer = $Certificate.Issuer
IsValid = $true
ExpirationDate = $Certificate.NotAfter
IsExpired = $Certificate.NotAfter -lt (Get-Date)
ChainValid = $false
Issues = @()
}
try
{
# Check expiration
if ($ValidationResults.IsExpired)
{
$ValidationResults.IsValid = $false
$ValidationResults.Issues += "Certificate has expired on $($Certificate.NotAfter.ToString('yyyy-MM-dd'))"
}
# Check if certificate is not yet valid
if ($Certificate.NotBefore -gt (Get-Date))
{
$ValidationResults.IsValid = $false
$ValidationResults.Issues += "Certificate is not yet valid (valid from $($Certificate.NotBefore.ToString('yyyy-MM-dd')))"
}
# Validate certificate chain
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($CheckRevocation)
{
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$Chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
}
else
{
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
}
$ValidationResults.ChainValid = $Chain.Build($Certificate)
if (-not $ValidationResults.ChainValid)
{
$ValidationResults.IsValid = $false
foreach ($Status in $Chain.ChainStatus)
{
$ValidationResults.Issues += "$($Status.Status): $($Status.StatusInformation.Trim())"
}
}
Write-Output $ValidationResults
}
catch
{
Write-Error "Certificate validation failed: $($_.Exception.Message)"
}
finally
{
if ($Chain)
{
$Chain.Dispose()
}
}
}
}
Troubleshooting
Common Certificate Issues
Name Mismatch Errors
- Symptom: "Certificate name does not match website" errors
- Cause: The certificate's subject or SANs don't match the accessed domain
- Solution: Ensure the domain name is included in the certificate's Subject Alternative Name (SAN) field
Certificate Chain Problems
- Symptom: "Certificate not trusted" or "Unable to verify the first certificate"
- Cause: Missing intermediate certificates in the server configuration
- Solution: Install the complete certificate chain including intermediate certificates
Certificate Expiration
- Symptom: "Certificate has expired" warnings
- Cause: The certificate's validity period has ended
- Solution: Renew the certificate and implement monitoring to prevent future expirations
Revocation Check Failures
- Symptom: Slow connections or "Revocation information unavailable" warnings
- Cause: CRL or OCSP endpoints unreachable or misconfigured
- Solution: Ensure CRL distribution points and OCSP responders are accessible
Private Key Issues
- Symptom: "Private key does not match" or service fails to start
- Cause: Missing, corrupted, or permission issues with private key
- Solution: Check key permissions, restore from backup, or regenerate certificate
Diagnostic Approaches
Certificate Inspection Tools
- OpenSSL:
openssl x509 -in certificate.crt -text -noout - Windows Certificate Manager:
certmgr.mscorcertlm.msc - PowerShell:
Get-PfxCertificate -FilePath cert.pfx - Online Validators: SSL Labs Server Test or Certificate Decoder
SSL/TLS Connection Testing
# Test SSL/TLS handshake and certificate chain
openssl s_client -connect example.com:443 -servername example.com
# Verify certificate expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Check certificate chain verification
openssl verify -CAfile chain.pem certificate.crt
Certificate Chain Validation
# Check certificate chain in PowerShell
$Cert = Get-Item -Path Cert:\LocalMachine\My\<thumbprint>
$Chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = "Online"
$Result = $Chain.Build($Cert)
# Show chain status if validation fails
if (-not $Result) {
$Chain.ChainStatus | Format-Table Status, StatusInformation
}
Best Practices
Security Considerations
Use Modern Cryptographic Standards
- RSA key length ≥ 2048 bits (preferably 4096 bits)
- Use ECC (Elliptic Curve Cryptography) where supported
- Prefer SHA-256 or stronger for signatures
- Avoid deprecated algorithms (MD5, SHA-1, RC4, etc.)
Private Key Protection
- Store private keys securely using hardware security modules (HSMs) when possible
- Implement proper access controls for key storage
- Consider key ceremony procedures for critical certificates
- Backup private keys securely with encryption
Certificate Constraints
- Use name constraints for internal CAs to limit scope
- Apply appropriate key usage extensions
- Implement basic constraints (CA vs. end-entity)
- Define appropriate extended key usage values
Monitoring and Audit
- Implement automated expiration monitoring with alerts
- Conduct regular certificate inventory audits
- Log certificate issuance, renewal, and revocation events
- Perform periodic security assessments of PKI infrastructure
Operational Excellence
Certificate Inventory Management
- Maintain a centralized certificate inventory
- Record certificate metadata (owner, purpose, expiration, etc.)
- Map certificate dependencies to applications
- Document renewal procedures for each certificate
Renewal Processes
- Establish automated renewal processes where possible
- Define renewal thresholds (typically 30-60 days before expiration)
- Test certificate renewals in non-production environments
- Implement certificate lifecycle automation tools
Documentation Standards
- Create certificate management runbooks
- Document CA hierarchies and trust relationships
- Maintain certificate request procedures
- Define certificate emergency recovery procedures
Advanced PKI Management
Certificate Transparency (CT)
- Monitor CT logs for unauthorized certificate issuance
- Submit certificates to CT logs for public verification
- Implement Expect-CT headers for websites
Certificate Authority Authorization (CAA)
- Configure DNS CAA records to restrict certificate issuance
- Regularly audit CAA record compliance
- Include all authorized CAs in CAA records
Certificate Pinning
- Implement HTTP Public Key Pinning (HPKP) or certificate pinning in applications
- Define backup certificates in pinning configuration
- Test pinning implementations thoroughly before deployment
Key Certificate Management Tools
Command-Line Tools
- OpenSSL: Comprehensive cryptography toolkit
- certutil: Windows built-in certificate utility
- keytool: Java keystore management tool
- PowerShell PKI module: Advanced certificate management in Windows
Web Server Integrations
- IIS Certificate Manager: Windows IIS certificate management
- Let's Encrypt Certbot: Automated certificate management for ACME protocol
- Apache mod_ssl: Apache HTTP server SSL module
- Nginx SSL: Nginx web server SSL configuration
Enterprise PKI Solutions
- Microsoft Active Directory Certificate Services (ADCS)
- HashiCorp Vault PKI: Secret and certificate management
- EJBCA: Enterprise Java Beans Certificate Authority
- Smallstep Certificate Manager: Automated certificate management