Vulnarex | Elite Cybersecurity Learning Platform

#The Foundation of Trust#link

Almost every protocol we've studied (TLS, SAML, WPA3-Enterprise, SSH) relies on Public Key Infrastructure (PKI). PKI is the system of certificates and authorities that allows us to trust that a public key actually belongs to the entity claiming it.

The Chain of Trust: Root, Intermediate, and Leaf

A certificate isn't just a key; it's a signed statement. The 'Root CA' is the ultimate authority. To protect the Root, enterprises use 'Intermediate CAs' to sign the actual 'Leaf' certificates used by servers.

callout

If the Root CA is compromised, every certificate in the entire organization is invalidated instantly. This is why Root CAs are kept 'Offline' in hardware security modules (HSMs).

CA Level	Storage	Purpose	Lifespan
Root CA	Offline / HSM	Signs Intermediates	10-20 Years
Intermediate CA	Online / Secure	Signs Leaf Certificates	2-5 Years
Leaf Certificate	Server/Device	Secure Traffic (TLS/SAML)	90 Days - 1 Year

When a browser visits a site, it doesn't just check the site's certificate. It follows the chain upward until it finds a Root CA it already trusts in its local 'Root Store'.

Modern Automation: Let's Encrypt and ACME

info

💡 Manual certificate management is the leading cause of 'Outage by Expiration.' The ACME protocol (used by Let's Encrypt) automates issuance and renewal.

Requesting a Cert via Certbot (ACME)

root@vulnarex:~#certbot certonly --standalone -d example.com

Certbot automates the 'Challenge-Response' process, proving the requester owns the domain and issuing a short-lived certificate (90 days), which reduces the impact of a key leak.

Secrets Management with HashiCorp Vault

STRICT SECURE AUDIT RULE

Storing certificates in plaintext on a disk is a critical vulnerability. Modern enterprises use 'Vaults' to generate dynamic, short-lived certificates on the fly.

bash

# Generating a dynamic cert from Vault
vault write pki_int/issue/my-role 
  common_name="web-server-01.internal" 
  ttl="24h"

Vault allows 'Just-in-Time' (JIT) certificates. Instead of a 1-year cert, the server gets a 24-hour cert. If a server is hacked, the stolen cert expires in hours, not months.

▪Use short-lived certificates (90 days or less)
▪Automate renewals via ACME or Vault
▪Store Root keys in offline HSMs
▪Implement Certificate Transparency (CT) monitoring

STRICT SECURE AUDIT RULE

Avoid 'Self-Signed' certificates in production. They encourage users to ignore browser warnings, making the organization vulnerable to MitM attacks.

quiz BLOCK (★ 50 XP)

Why are Root CA keys kept 'Offline' in an HSM (Hardware Security Module)?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The Expiration Crisis