Public Key Infrastructure
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces public key infrastructure (PKI), the trust engine that underpins secure digital communication. The episode covers how PKI is structured, how certificates are issued and managed, and what an auditor must examine to verify that this critical trust system is well-founded and well-maintained.
What this episode covers
- Public Key Infrastructure (PKI): the policies, hardware, software, and people that vouch for who owns which public key.
- Certificate Authority and supporting roles: how a certificate authority issues and signs certificates, with the registration authority, certificate policy, and certificate practice statement working alongside it.
- Digital certificates: what they contain, how they bind a public key to its owner, and why the CA signature matters.
- Key management life cycle: creation, distribution, storage, escrow, rotation, recovery, and destruction of cryptographic keys.
- Certificate revocation: reasons for revoking a certificate early, the difference between revoked and hold status, and how revocation lists and status protocols operate.
- Audit risks in PKI: outdated protocols, mismanaged certificates, rogue certificates, and the critical danger of a compromised root certificate authority.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is public key infrastructure and what are its main components?
Public key infrastructure (PKI) is a system of policies, hardware, software, and people that distributes public keys by wrapping them inside digital certificates. Its core components include the certificate authority that issues and signs certificates, a registration authority that handles identity verification, a certificate practice statement that describes how certificates are issued, and a certificate revocation list of invalidated certificates.
What does a digital certificate contain and who issues it?
A digital certificate binds a public key to its owner and is issued and digitally signed by a certificate authority. That signature is what proves the key belongs to the right entity. The certificate policy defines the actors, roles, and rules governing how certificates are created and managed.
How are cryptographic keys managed across their life cycle?
Key management follows a defined life cycle covering creation, secure distribution, protected storage (sometimes under dual custody or escrow), rotation to retire old keys, recovery and backup against loss, and finally destruction at end of life. Key management is more complex with symmetric encryption but simpler with asymmetric approaches.
What is certificate revocation and how is it communicated?
Certificate revocation ends a certificate's validity before its expiry date, for reasons such as a compromised private key, an affiliation change, or a decommissioned server. Revoked certificates are published on a certificate revocation list (CRL) that browsers check before trusting a certificate. A faster alternative is an online status protocol (OCSP) that lets a client query the status of a single certificate on demand; OCSP stapling further improves performance by having the web server obtain the signed status response and attach it itself, so the client need not contact the CA.
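As an added example, not code from the episode or from RooCloud: a Go program using only the standard library that builds a constructed root CA, issues one server certificate, has the CA publish a CRL revoking it, and then performs the relying-party check described above, verifying the CA's signature on the CRL before trusting it and only then looking the certificate's serial number up. The names "Constructed Root CA" and "server.example.test" and serial number 42 are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign has signer sign template t over pub and returns the parsed certificate; t == parent gives a self-signed root.
func sign(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // validity window covers now
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // only a malformed template or a signer that may not sign certificates fails here
	}
	cert, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return cert
}

// BuildPKI makes a constructed root CA, one server certificate it issued, and a CA-signed CRL that revokes it.
func BuildPKI() (ca, leaf *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = sign(root, root, caPub, caKey)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server keeps its private half; the CA sees only the public key
	leaf = sign(&x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "server.example.test"},
		DNSNames: []string{"server.example.test"}}, ca, srvPub, caKey)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, caKey) // fails unless the CA may sign CRLs
	if err != nil {
		panic(err)
	}
	return ca, leaf, crlDER
}

// IsRevoked is the relying-party check: accept the CRL only if the issuing CA signed it, then look the serial up.
func IsRevoked(crlDER []byte, ca, leaf *x509.Certificate) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		panic("fail closed: malformed CRL or one the CA did not sign")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true
		}
	}
	return false
}
```

Calling BuildPKI and then IsRevoked on the returned leaf reports it as revoked, while the CA's own certificate (serial 1, not on the list) is not; handing IsRevoked a CRL signed by a different CA makes it refuse the list rather than silently answer "not revoked".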
Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Public Key Infrastructure.