[00:00:01] What is the lifecycle of a certificate? How do we receive a certificate? First, we have to submit an appropriate request to the certification center that handles us. The certification authority should verify us; how precise the verification will be depends on what type of certificate we expect. Some certificates, such as those that have a short period of validity and allow only EFS file system encryption, are not especially sensitive and can be issued without the need to personally apply for them. Other certificates, for example a certificate enabling the recovery of files encrypted using EFS by other users, are much more sensitive. We should not issue one to someone who has not applied for it personally.

[00:00:55] Then the certificate is delivered to the computer, the user, or the service. We have seen that we have three certificate stores; the service store is really a user store for which a given service operates. From this moment, if the applications are compatible with the public key infrastructure, such a certificate may be used. A good example is the browser: we don't install anything on it, we don't configure anything, and it works.

[00:01:30] After some time the certificate expires or is revoked. Applications check, before using the certificate, whether it is still valid. If not, they block the use of the certificate. If the validity of the certificate has expired, we can ask for its renewal; if we still have the right to use a given certificate, it will automatically be issued to us.

[00:02:00] We mentioned that applications verify whether the certificate is valid. What does this mean? First, the certificate is valid if it has been issued by a trusted certification authority, either directly or through a subordinate authority whom we trust. Second, we must check whether the certification authority is trusted, meaning it is included in the hierarchy of trust and there is no gap in the series of certificates. Third, the certificate itself must be correct.

[00:02:36] Now let's look at the technical side. What does the generated data look like, which is later recorded in the certificate? To start with, we submit a certificate request; then we generate a key pair, the private key and the public key. If the operating system generates the two keys, we use Microsoft's cryptographic service provider; the private key goes to the user's profile. It is saved and protected by the Data Protection API. If we use external devices, for example a smart card that generates the private key and does not make it available to the outside, it stays there safely. To ensure to the certification authority that it is really us who are in fact submitting a certificate request, we digitally sign the certificate request. Then we send the request together with the public key to the certification authority.

[00:03:35] The certification authority should verify our request. It can be processed automatically; Microsoft certification systems process many such requests automatically. If the user has the appropriate privileges in the domain, such as the right to issue certificates, he automatically receives the certificate. However, sometimes a request must be approved manually: the certificate manager will review the request and will process it positively or negatively. If positive, the certificate is returned to us. From now on we can use it.

[00:04:19] How can we submit a request to issue a certificate? This can be done in several ways. By using the Certificates console that we saw, by clicking the right mouse button on the Personal store, there will be an option to submit a new certificate request. This only works if we are an Active Directory client; then the Certificates console knows the types of certificates we can request and from whom, therefore it completes all the required fields for us. We can also connect to the certification authority through the website. This can also happen automatically: we perform a certain operation that requires a certificate, and if we don't have it, we send a request, which is processed. We receive the certificate and complete the entire operation.

[00:05:14] How do we verify an X.509 certificate? We have already said that we must have a valid signature and it cannot be expired. This, however, only applies to user certificates, not authorities. We also need to check whether the certificate has not been revoked and is used as intended. We have already mentioned root certification authorities. We had the opportunity to see a long list of certificates that we trust automatically. We also mentioned that the certificate of the root certification authority is unique because it is issued to itself. We already know where the relationship of trust comes from for all computers that we use on the Internet. Now let's consider whether or not it's worth implementing our own public key infrastructure, or if it would be sufficient to buy certificates from companies such as Verisign or Thawte.