Certificates / Encryption keys

4.3 Given a scenario, apply network security features, defense techniques, and solutions

Key Management

📘CompTIA Network+ (N10-009)


1. What is Key Management?

Key management refers to the processes, tools, and rules used to create, store, distribute, protect, update, and remove cryptographic keys.
These keys are essential for encryption, authentication, digital signatures, and secure communication.

If keys are not managed properly, encryption becomes useless — attackers could decrypt sensitive data or impersonate systems.


2. What Are Encryption Keys?

Encryption keys are special values made of random characters.
They are used by cryptographic algorithms to:

  • Encrypt data (turn readable data into unreadable form)
  • Decrypt data (turn unreadable data back to normal)
  • Sign data to prove authenticity
  • Verify digital signatures

Types of Encryption Keys Used in Networking

A. Symmetric Keys

  • The same key is used for both encryption and decryption.
  • Very fast.
  • Used in technologies like WPA2/WPA3, VPN tunnels, file encryption, etc.

Main challenge: Securely sharing the key between devices.

Examples:

  • AES (Advanced Encryption Standard) keys

B. Asymmetric Keys (Public/Private Key Pair)

  • Uses two different keys:
    • Public key → shared with anyone
    • Private key → kept secret
  • Anything encrypted with one key can only be decrypted with the other.

Used in:

  • HTTPS / SSL/TLS
  • Email encryption
  • Digital signatures
  • Certificate-based authentication (e.g., 802.1X)

Examples:

  • RSA
  • ECC (Elliptic Curve Cryptography)

3. What Are Certificates?

A certificate is a digital file that contains a public key and identity information.
It is issued and digitally signed by a Certificate Authority (CA).

Certificates are used to prove identity and establish trust between devices.

For example:

  • Servers use certificates during HTTPS.
  • Devices use certificates for secure Wi-Fi (e.g., 802.1X).
  • VPNs use certificates to authenticate clients.

A certificate includes:

  • Public key
  • Owner information (server name, device name, organization)
  • Expiration date
  • Issuing CA (Certificate Authority)
  • Digital signature from CA
  • Serial number
  • Certificate purpose (e.g., server authentication, code signing)

4. Public Key Infrastructure (PKI)

Certificates and keys are part of a bigger system called PKI.

PKI provides:

  • Key creation
  • Certificate issuance
  • Certificate validation
  • Certificate renewal
  • Certificate revocation

Key PKI components:

  1. Certificate Authority (CA) – Issues and signs certificates
  2. Registration Authority (RA) – Verifies identity before certificates are issued
  3. Certificate Database – Stores issued certificates
  4. Certificate Templates – Predefined certificate types
  5. Certificate Revocation List (CRL) – List of invalid or revoked certificates
  6. OCSP (Online Certificate Status Protocol) – Real-time certificate validation

5. Key Lifecycle (Exam-Important)

The lifecycle of encryption keys includes:

1. Key Generation

Keys are created using secure algorithms such as AES, RSA, or ECC.

2. Key Distribution

Securely sending keys to devices:

  • Symmetric keys → shared using secure channels (e.g., TLS handshake).
  • Public keys → openly shared.
  • Private keys → never shared.

3. Key Storage

Keys must be stored securely to prevent theft.
Examples:

  • Secure key vaults
  • Hardware Security Modules (HSM)
  • TPM (Trusted Platform Module) on endpoints
  • Strong OS-level encryption

4. Key Usage

Keys are used for:

  • Encrypting data
  • Creating signatures
  • Establishing secure sessions (TLS handshake)

5. Key Rotation (Key Renewal)

Keys must be replaced periodically to reduce risk.

6. Key Revocation

Keys or certificates are revoked when:

  • They are compromised
  • A device is retired
  • A user leaves the company
  • The certificate is replaced

Revocation is managed through:

  • CRL (Certificate Revocation List)
  • OCSP

7. Key Destruction

Old keys must be securely deleted so they cannot be recovered.


6. Certificate Types (You Must Know for the Exam)

A. Root Certificate

  • Highest-level certificate in the PKI hierarchy
  • Stored in the “trusted root” store on devices

B. Intermediate Certificate

  • Issued by the root CA
  • Used to sign other certificates
  • Adds security by protecting the root CA

C. Server Certificate

  • Used by web servers for HTTPS

D. Client Certificate

  • Used for client authentication
  • Common in 802.1X and VPN solutions

E. Code Signing Certificate

  • Used to sign software to prove it is legitimate

F. Email Certificate (S/MIME)

  • Used for email signing and encryption

7. Certificate Formats (File Extensions)

You must know these for the exam:

Format        Description
.pem          Base64-encoded certificate
.crt          Public certificate file
.key          Private key
.pfx / .p12   Contains both certificate + private key (password protected)
.cer          Public certificate (Windows)

8. Certificate Validation Methods

A. CRL (Certificate Revocation List)

  • A list of revoked certificates
  • Downloaded by clients

B. OCSP (Online Certificate Status Protocol)

  • Real-time certificate validation
  • Faster and more efficient than CRL

Network+ expects you to know when each is used and how they work.


9. Common Certificate/Key Management Problems

Network+ wants you to identify common issues:

– Expired certificates

Causes authentication failures, HTTPS errors.

– Misconfigured trust chain

Occurs when root or intermediate certificates are missing.

– Private key exposure

If someone steals a private key, communication is no longer secure.

– Weak encryption

Using outdated algorithms like:

  • MD5
  • SHA-1
  • 1024-bit RSA

– Incorrect certificate usage

Using a server certificate for a client device causes authentication failures.
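The lifecycle steps (section 5), file formats (section 7) and the expired-certificate and broken-trust-chain problems (section 9) worked through in one place, as an added example that is not part of the original notes: a POSIX shell script that uses the openssl CLI to build a small root -> intermediate -> server chain, validates the chain with and without the intermediate, checks for upcoming expiry, and converts between .pem, .cer (DER) and .pfx (PKCS#12). The openssl binary, the names lab-root, lab-int and www.example.test, and the export password are assumptions made for this lab.

```shell
#!/bin/sh
# Added example, not from the original notes: builds a root -> intermediate -> server chain
# with the openssl CLI and runs the checks the notes describe (chain validation, expiry
# monitoring, .pem/.cer/.pfx conversion). Assumes openssl 1.1.1+ is installed; the names
# lab-root, lab-int and www.example.test are constructed for this lab.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Key generation + issuance: $1=file prefix $2=CN $3=signer prefix or "self" $4=days $5=extensions.
# Produces $1.key (private key, never shared) and $1.pem (Base64-encoded certificate).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  printf '%s\n' "$5" > "$WORK/$1.ext"
  if [ "$3" = self ]; then signer="-signkey $WORK/$1.key"
  else signer="-CA $WORK/$3.pem -CAkey $WORK/$3.key -CAcreateserial"; fi
  openssl x509 -req -in "$WORK/$1.csr" $signer -days "$4" -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}
# Root (10 years) -> intermediate (5 years) -> server certificate (90 days).
build_lab() {
  issue root lab-root self 3650 "basicConstraints=critical,CA:TRUE"
  issue int lab-int root 1825 "basicConstraints=critical,CA:TRUE,pathlen:0"
  issue server www.example.test int 90 \
    "$(printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test')"
}
# Chain validation: $1=leaf $2=trusted root $3=intermediate ("" = missing, a misconfigured trust chain).
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$2.pem" -untrusted "$WORK/$3.pem" "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
  fi
}
# Expiry monitoring: returns 0 if $1.pem is still valid $2 seconds from now, 1 if it will have expired.
still_valid_for() { openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null; }
# Format conversion: PEM -> DER (.cer); key + certificate + intermediate -> password-protected PKCS#12 (.pfx).
convert_formats() {
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.cer"
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/int.pem" -passout pass:lab-only -out "$WORK/server.pfx"
  # Same certificate in both encodings: the SHA-256 fingerprints must match.
  [ "$(openssl x509 -in "$WORK/server.cer" -inform DER -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/server.pem" -noout -fingerprint -sha256)" ]
}

build_lab
convert_formats
openssl x509 -in "$WORK/server.pem" -noout -subject -issuer -serial -dates
```

The final openssl call prints the identity fields the notes list for a certificate (subject, issuer, serial number, validity dates); the same checks apply unchanged to certificates exported from a real CA.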


10. How Certificates & Keys Improve Network Security

Certificates and encryption keys help secure:

  • HTTPS / SSL/TLS traffic
  • VPN connections
  • Wireless connections (WPA2-Enterprise / WPA3-Enterprise)
  • Server authentication
  • User authentication (certificate-based login)
  • Email security

They ensure:

  • Confidentiality – Data is encrypted
  • Integrity – Data cannot be modified
  • Authentication – They confirm identity
  • Non-repudiation – Users cannot deny actions

11. What the Exam Is Likely to Ask

Be prepared for questions on:

✔ How certificates are issued and validated
✔ Key lifecycle steps
✔ Difference between symmetric and asymmetric encryption
✔ What CA, RA, CRL, and OCSP do
✔ Types of certificates (server, client, root, intermediate)
✔ File formats (.pem, .pfx, .cer)
✔ What happens when certificates expire
✔ Weak encryption algorithms
✔ How to properly secure private keys
✔ Certificate-based authentication (e.g., 802.1X)


Summary

Certificates and encryption keys are essential for secure network communication.
Network+ expects you to understand:

  • How keys and certificates work
  • How PKI manages trust
  • Certificate types and formats
  • Key lifecycle
  • Common issues and troubleshooting

With this knowledge, you will be able to answer any exam question related to Key Management → Certificates / Encryption Keys.
