WEBVTT

00:00.210 --> 00:06.900
If you want to wrap your mind around digital certificates you have got to get really groovy with public

00:06.900 --> 00:09.180
key infrastructure or PKI.

00:09.180 --> 00:14.820
Now if you're watching this series by episode, in the previous episode I said that PKI was a trust

00:14.820 --> 00:16.760
model and that's absolutely true.

00:16.890 --> 00:20.030
But PKI is much much more than that.

00:20.040 --> 00:23.750
Think about what it stands for public key infrastructure.

00:23.880 --> 00:31.800
PKI is the infrastructure that we use for just about every real world application that uses public keys

00:32.100 --> 00:33.700
which is really digital certificates.

00:33.700 --> 00:36.570
So I wish they didn't call it public key infrastructure.

00:36.570 --> 00:41.130
I wish they called it digital certificate public infrastructure but I'm not in charge of the universe.

00:41.130 --> 00:42.300
So we call it PKI.

00:42.300 --> 00:49.560
So what I want to do first in this episode is review the idea of PKI as the trust model and we're going

00:49.560 --> 00:52.820
to build from that so what I got here is a bunch of different servers.

00:52.860 --> 00:55.440
These are Web servers that need certificates.

00:55.440 --> 01:01.590
Here's an email that needs certificates here could be a wireless system that uses certificates the wireless

01:01.590 --> 01:06.790
networks use certificates as well so there's all kinds of stuff out there that need certificates and

01:06.840 --> 01:11.670
not only do they need certificates but they need to be able to get a certificate a good trusted certificate

01:11.700 --> 01:13.470
when they want it.

01:13.590 --> 01:17.520
They need to trust other people's certificate so if this guy doesn't pay their bill or if they decide

01:17.520 --> 01:22.080
to become evil we need a mechanism that says oh that certificate is no good anymore.

01:22.230 --> 01:31.230
So PKI is not just about trust. PKI is about distribution, it's about control, maintenance, revocation.

01:31.320 --> 01:34.020
All of this stuff when it comes to digital certificates.

01:34.020 --> 01:34.160
Right.

01:34.170 --> 01:36.630
So let's start off with this.

01:36.630 --> 01:43.380
So what I have here is a PKI model, so up at the top is a certificate authority. Now a certificate

01:43.380 --> 01:45.150
authority is an organization.

01:45.150 --> 01:53.130
So like VeriSign, Thawte, OK, so GoDaddy, there's a billion of them out there and they will have what we

01:53.130 --> 01:56.610
call a root certificate at the very very top of their structure.

01:56.730 --> 02:04.410
So at the top of this structure is some kind of computer storing in here or is one literally one root

02:04.410 --> 02:04.970
certificate.

02:04.970 --> 02:10.320
It's not even signed because who's going to sign it it's their sign and they're the king Anyway this

02:10.320 --> 02:19.250
particular system right here goes ahead and distributes certificates to intermediate systems.

02:19.250 --> 02:22.540
See you don't want this computer messed with it.

02:22.680 --> 02:28.770
It is public access but we don't want people to get to it because this is like the holy certificate

02:28.770 --> 02:33.270
of Antioch here and if this thing gets messed up or corrupted or anything the entire infrastructure

02:33.600 --> 02:35.970
of PKI messes up, at least for VeriSign.

02:36.060 --> 02:40.710
So this tends not to be a system that's queried or accessed very often.

02:40.710 --> 02:47.130
Instead we have all of these intermediate certificate authorities that are being trusted by the root

02:47.220 --> 02:54.040
authority and then these guys in and of themselves will create trusts to all these different guys here.

02:54.210 --> 03:00.660
So if this guy right here wants a certificate and we're going to use VeriSign, we're going to go online

03:00.660 --> 03:05.700
to VeriSign and we can actually handle all of this online, we can hand them our public key and all that

03:05.700 --> 03:13.800
stuff online take care of all that and it gets entered in to a situation where it trusts one of these

03:14.100 --> 03:14.860
get the idea.

03:15.000 --> 03:20.970
So really what happens is you'll have a certificate that isn't necessarily trusted by him but it's trusted

03:20.970 --> 03:25.320
by one of his intermediates who is then trusted by this and then you create what's known as a Certification

03:25.320 --> 03:26.310
Path.

03:26.310 --> 03:32.880
This path is really important because this is the entire maintenance and control structure for any given

03:32.880 --> 03:33.890
type of PKI.

03:33.900 --> 03:39.390
Now we've got to be careful with PKI because first of all PKI is not a standard.

03:39.420 --> 03:43.920
There is no standard at all out there that says this is how you'll do it.

03:44.100 --> 03:50.970
What we do have is one particular standard, PKCS, which was invented by the RSA Corporation back in the

03:50.970 --> 03:57.900
early 90s and PKCS, which is not a standard, it's just the way RSA does it, has become the de facto standard

03:58.110 --> 04:04.020
for a lot of PKI systems out there so pretty much if you want to do PKI in the real world you're

04:04.020 --> 04:05.820
going to have to follow PKCS.

04:05.830 --> 04:11.940
Now the other thing I want to add to this is that all PKI is based on a very very old standard called

04:12.030 --> 04:19.050
X.509. X.509 is really nothing more than a standard that says if I'm far away and I want

04:19.050 --> 04:23.600
to query a database at another place far away how do I go about it.

04:23.700 --> 04:30.480
How do we distribute how do we store information how do we organize stuff in hierarchies so that we

04:30.480 --> 04:32.290
can access data on a timely basis.

04:32.310 --> 04:36.900
X.509 in and of itself isn't even really used anymore.

04:36.900 --> 04:42.430
But the way we query and talk and do all this stuff is a cornerstone to X.509.

04:42.450 --> 04:49.300
Now this all sounds great but what I want to do right now is I want to dive in I've got a little laptop

04:49.300 --> 04:52.350
here just a generic laptop and it's got some certificates on it.

04:52.630 --> 04:57.880
Let's go ahead and take a moment and take a look at some certificates and understand how they tie in

04:58.240 --> 05:05.320
how they work and how they tie into PKI. See, the best place to find certificates is usually through

05:05.320 --> 05:06.320
a web browser.

05:06.430 --> 05:12.430
Now what's interesting is that there is no complete standard that says where are you going to store

05:12.430 --> 05:14.230
certificates on a computer.

05:14.560 --> 05:19.540
But the Web people because they have so much e-commerce have done a pretty good job of standardizing

05:19.810 --> 05:24.500
where things are stored so you could open up any web browser, doesn't matter which web browser you use.

05:24.700 --> 05:31.030
In this case I'm using Chrome and you can access your certificates where they go.

05:31.210 --> 05:32.000
There it is.

05:32.020 --> 05:37.520
So in Chrome I went to settings advanced I just hit manage certificates today.

05:37.570 --> 05:44.530
OK so here are certificates and yes you can actually get to this from your control panel in Windows

05:44.530 --> 05:45.330
as well.

05:45.700 --> 05:51.250
All right so anyway what I want to do the certificates that you're looking at here mainly are you see

05:51.250 --> 05:55.290
there it says root certificates and then intermediate certificates.

05:55.300 --> 06:00.940
So what you're looking at here are really copies of the root and intermediate certificates that are

06:00.940 --> 06:01.840
copied to your system.

06:01.840 --> 06:03.430
This is just done for speed.

06:03.550 --> 06:09.880
So any time you go to eBay for example you don't actually have to query the intermediate certificate

06:09.880 --> 06:15.400
authority that you've already got the certificate sitting right here and you can compare his certificate

06:15.670 --> 06:20.920
to the one that comes down from ebay or whatever and you get instantaneous it's good or it's bad.

06:20.920 --> 06:22.110
So anyway.

06:22.150 --> 06:28.370
So here are root certificates, here's our intermediate certificates and then we have personal certificates.

06:28.370 --> 06:30.430
I'm going to save that for a minute.

06:30.500 --> 06:32.450
Let's go ahead and talk about a few things here.

06:32.450 --> 06:35.970
So first of all you'll see we've got three different choices here.

06:36.020 --> 06:39.090
We can have certificates for client authentication.

06:39.200 --> 06:41.250
So this is basically web.

06:41.270 --> 06:45.470
90 percent of the time we have e-mail.

06:45.470 --> 06:51.560
So we have different certificates that are used for email and then we have advanced purposes advanced

06:51.560 --> 06:53.650
purposes actually kind of interesting.

06:53.660 --> 06:57.470
Let me see if I can find a good example so trusted publishers.

06:57.470 --> 07:01.950
So for example I have a very expensive program called AirMagnet installed on here.

07:02.060 --> 07:07.010
And every time I run it it actually has a certificate to make sure it's a legitimate copy and all this

07:07.010 --> 07:10.900
kind of stuff and things like some kind of Avery label maker or something like that.

07:10.910 --> 07:12.970
So let's skip advanced purposes.

07:13.060 --> 07:16.170
And for right now let's just go to all.

07:16.240 --> 07:17.530
So we're seeing everybody.

07:17.810 --> 07:23.140
And let's start with a root certificate so I'm just going to pick one arbitrary root certificate here.

07:23.140 --> 07:24.800
Doesn't really matter which one I pick.

07:25.330 --> 07:30.310
And here's a GoDaddy certificate and let's take a look at this guy.

07:30.400 --> 07:34.420
So I just double clicked it in Windows and I can actually look at the certificate itself.

07:34.420 --> 07:40.480
So basically this is used for authentication primarily for web more than anything else.

07:40.630 --> 07:42.300
And you can see some valid data.

07:42.310 --> 07:47.770
But this first screen is kind of boring so here's where it's interesting is under the details.

07:47.770 --> 07:52.540
So we're going to have different versions there are different versions of certificates based on how

07:52.540 --> 07:56.100
much information you need how much money you're going to spend it makes them more secure.

07:56.290 --> 08:00.220
Some type of internal serial number this is a root certificate so it doesn't really have a serial number

08:00.220 --> 08:02.990
because it is the root.

08:03.190 --> 08:04.120
Here are the algorithms.

08:04.120 --> 08:11.140
Remember what we're doing with these is that we are encrypting some amount of data and then we are then

08:11.140 --> 08:11.710
hashing it.

08:11.710 --> 08:16.840
So it tells us how it's actually being done that tells us who's issuing it.

08:16.840 --> 08:22.990
Now I want you to look here very carefully you see that oh you see that is all X.509 nomenclature

08:22.990 --> 08:25.230
and it's just the way we organize all this stuff.

08:25.420 --> 08:32.190
There's a valid date valid to here is that some generic subject in here.

08:32.330 --> 08:34.370
Here's the actual public key itself.

08:34.370 --> 08:38.360
So this is the actual public key because remember that's why certificates exist because they pass around

08:38.360 --> 08:39.970
public keys.

08:40.010 --> 08:45.290
The only other thing I'm particularly interested in here is a thumbprint which is kind of like a manufacturer's

08:45.290 --> 08:45.970
serial number.

08:45.970 --> 08:49.130
It's a unique identifier for this particular certificate.

08:49.150 --> 08:52.460
And it can be used for a lot of really important stuff.

08:53.640 --> 08:55.990
Now last thing I want to show you is the Certification Path.

08:56.130 --> 08:59.340
You'll see that this guy is at the absolute top of the Certification Path.

08:59.340 --> 09:01.600
Well he better be because he's a root certificate.

09:01.710 --> 09:05.630
So we don't see any other certificates here but that's about to change.

09:06.870 --> 09:07.060
All right.

09:07.060 --> 09:12.440
So I want to do this again except this time I want to go to an intermediate certificate.

09:12.780 --> 09:16.440
So let's take a look at some intermediate certificate and see if there's a GoDaddy in here.

09:17.310 --> 09:17.790
There is.

09:17.850 --> 09:18.130
OK.

09:18.150 --> 09:23.240
So what I want to do now is go to this guy and let's double click on it.

09:23.490 --> 09:27.510
Now at first glance it's going to look pretty similar but I want to show you there's going to be some

09:27.510 --> 09:28.890
very big differences here.

09:28.890 --> 09:31.340
Notice that the serial number at least has some values in it.

09:31.340 --> 09:36.670
Now but it still has a public key all that same stuff that we saw before.

09:36.740 --> 09:40.900
There's a CRL, CRL distribution points, we're going to talk about that a little bit later in this

09:40.900 --> 09:41.900
episode.

09:42.370 --> 09:45.400
And so that's the basic guide now in this case.

09:45.490 --> 09:50.320
You'll notice because he's an intermediate authority he actually points to the root authority right

09:50.320 --> 09:55.540
there so the certification path in this particular case you have an intermediate and says that is where

09:55.540 --> 09:58.340
the root comes from.

09:58.350 --> 09:59.040
That was fun.

09:59.070 --> 10:00.220
Let's do it one more time.

10:01.180 --> 10:05.820
At this time what I want to do is I actually have some personal certificates in here.

10:05.850 --> 10:11.850
The reason I have personal certificates is for email I use them for I have a web server built in here

10:11.850 --> 10:16.530
and a lot of other stuff like that so what I want to do is break this down a little bit further and

10:16.530 --> 10:22.690
show you one of my certificates.

10:22.770 --> 10:26.980
OK so first of all you know it says you have a private key that corresponds to the certificate.

10:26.990 --> 10:33.540
Well that's very true because well it's my certificate by golly and this is so I should have that.

10:33.710 --> 10:37.820
And then as we go and here again you'll see most of the same information we saw before.

10:37.850 --> 10:45.690
You'll see that this one ties to an e-mail address as opposed to a website and it actually defines what

10:45.690 --> 10:49.430
type of key it is in all this.

10:49.610 --> 10:53.030
There's that CRL distribution point which is going to be important later.

10:53.130 --> 10:57.390
And now if we take a look at the Certification Path here you'll see that it actually has quite a bit

10:57.390 --> 10:57.990
of path to it.

10:57.990 --> 11:03.600
So that's the root authority and there's two levels of intermediate before we actually get to me on

11:03.600 --> 11:05.240
this particular system.

11:05.570 --> 11:06.570
OK.

11:07.140 --> 11:12.810
So those are the certificates that are in my computer that's great but where do these certificates come

11:12.810 --> 11:13.170
from.

11:13.170 --> 11:17.640
Well most of these come actually from the web browsers themselves.

11:17.700 --> 11:25.250
When you install a web browser it has a whole bunch of certificates already in there, root and intermediate

11:25.260 --> 11:31.470
ready to go in fact people fight hard to get Firefox or Internet Explorer or whatever to include their

11:31.470 --> 11:32.590
particular certificate.

11:32.590 --> 11:33.930
So it's a big deal.

11:34.020 --> 11:39.590
Also these certificates these root and intermediate certificates are updated all the time.

11:39.630 --> 11:44.220
I always get terrified when somebody isn't updating their systems because a big part of the had hadn't

11:44.230 --> 11:45.240
certificate update.

11:45.240 --> 11:47.910
So that's where those certificates come from.

11:47.910 --> 11:53.760
And remember the certificates that are on your system for the most part are only there as root and intermediate

11:53.910 --> 11:59.400
so that when you get that eBay certificate or whatever it is you can do a quick comparison of that

11:59.400 --> 12:04.230
certificate based on the information on the certificates you already have to verify whether it's good.

12:04.230 --> 12:04.890
OK.

12:06.000 --> 12:10.960
But if I'm a web server or if I want to do e-mail where do those certificates come from.

12:11.010 --> 12:15.360
Well first of all it is trivial to get a certificate generation tool.

12:15.360 --> 12:18.820
They come with Windows and with Linux you could always make your own certificate.

12:18.820 --> 12:20.860
Now obviously no one's signing it.

12:20.970 --> 12:25.890
So it's an unsigned certificate but you could always make your own very very quickly and if you try to

12:25.890 --> 12:31.250
plug that into a web server or send an e-mail it's going to be a big sign pops up saying whew.

12:31.350 --> 12:32.500
This is an unsigned certificate.

12:32.500 --> 12:33.270
Do you want to continue.

12:33.270 --> 12:33.530
Yes.

12:33.540 --> 12:34.060
No.

12:34.260 --> 12:41.340
So if you want a signed certificate you go online to VeriSign, Comodo, Thawte, whoever's out there and you

12:41.430 --> 12:43.440
usually have to buy these things.

12:43.440 --> 12:49.170
So you go online and you set some stuff up in there and you hand them your public key and other information

12:49.440 --> 12:56.520
you hand that all to them, you hit enter and then hand them a credit card usually and then you get a certificate

12:56.610 --> 13:00.750
the certificates in the old days used to come through the mail and you'd actually have to import them

13:00.750 --> 13:05.820
into your computer today for the most part what you do is it will say your certificates ready and you

13:05.820 --> 13:11.490
go to Web site and you click on something and literally through the connection your new certificate

13:11.520 --> 13:15.930
is brought into your web server or your email client whatever it might be.

13:15.930 --> 13:23.100
The challenge we have here is that certificates don't have a standardized format like Word documents

13:23.100 --> 13:24.830
or Excel spreadsheets.

13:24.840 --> 13:29.860
What we do have is the PKCS numbers.

13:29.880 --> 13:34.620
So what we want to do right now is I'm going to go back into the system and let's do a little exporting

13:34.650 --> 13:38.230
and take a look at PKCS.

13:38.390 --> 13:43.630
OK so what I've got here is what back in and taking a look at my certificates now.

13:43.760 --> 13:49.610
In this particular case I'm actually showing you my personal certificates that I went ahead and downloaded

13:49.610 --> 13:52.550
these I went to Comodo and got these certificates.

13:52.550 --> 13:56.180
Now what I want to show you is how we can export a certificate.

13:56.180 --> 14:01.520
So in this case I'm going to just pick one of these arbitrarily and I'm going to hit export and Windows

14:01.520 --> 14:03.600
comes with this nice little wizard.

14:03.620 --> 14:09.260
Now here's the first big question it asks Do I want to export the private key or not because remember

14:09.470 --> 14:15.500
a certificate by definition does not have the private key so I'm going to say no do not export the private

14:15.500 --> 14:16.010
key.

14:16.070 --> 14:20.360
Now it's given me some options as to how I want to export it.

14:20.360 --> 14:26.180
Now some of these versions up here are used for more specific versions but in general we're going to

14:26.180 --> 14:32.530
go to PKCS number 7, so this is a PKCS 7.

14:32.690 --> 14:37.460
And if there are other certificates in the certification path I can add those here as well if I want

14:37.460 --> 14:38.020
to.

14:38.330 --> 14:38.600
All right.

14:38.600 --> 14:43.950
So remember the goal here is that we're going to export this to a file I'm going to call it Fred.

14:43.950 --> 14:45.600
And I believe it's pointed to my desktop.

14:45.600 --> 14:46.710
Let's see what happens.

14:47.740 --> 14:48.850
Yeah yeah yeah.

14:50.060 --> 14:51.390
Export was successful.

14:51.500 --> 14:52.130
Outstanding.

14:52.130 --> 14:56.360
All right so you can see that I now have exported this certificate.

14:56.360 --> 14:59.120
This is not something you need to do very often.

14:59.120 --> 15:01.420
It's a rare situation where you need to export.

15:01.520 --> 15:02.690
It is done for backup.

15:02.690 --> 15:04.510
We see people do it for that reason.

15:04.700 --> 15:09.800
And back in the old days if you wanted to move to a new system or something like that you could do a

15:09.800 --> 15:11.130
manual export as well.

15:11.150 --> 15:19.270
And if you see we can click on it and actually look at the certificate itself just like we saw before.

15:19.650 --> 15:21.160
So I can put that on a thumb drive.

15:21.170 --> 15:22.320
Do anything I want.

15:22.680 --> 15:25.270
So what I want to do now is I'm going to export it again.

15:26.150 --> 15:28.010
Except this time I'm going to do a little bit differently.

15:29.120 --> 15:32.290
This time we're going to say yes export the private key.

15:32.360 --> 15:37.880
Remember the private key is precious and it's something that should be secured under a password and

15:37.880 --> 15:39.350
encrypted and all that.

15:39.380 --> 15:41.810
And believe me that's going to happen.

15:41.810 --> 15:47.930
So you'll see that when we export the certificate as well as the corresponding private key.

15:47.990 --> 15:49.850
So it's really two things we're exporting.

15:49.850 --> 15:52.450
It says PKCS 12.

15:52.460 --> 15:56.620
So make sure you know PKCS 12 is really more than just a certificate.

15:56.690 --> 15:57.640
Delete the private key.

15:57.650 --> 16:02.690
The export is successful if we were actually moving this to a new system we would want to do that extended

16:02.690 --> 16:06.140
properties is just extra stuff I'm going to skip that for right now.

16:06.140 --> 16:11.210
Now look what it's asking me to do right here it's asking me to punch in a password because we don't

16:11.210 --> 16:16.820
want this thing to be casually laying on my desktop where anybody can grab my private key so we're going

16:16.820 --> 16:21.650
to go ahead and hit next and we've got to give it another name I'm going to call it timmy

16:26.880 --> 16:28.430
and the export was successful.

16:28.470 --> 16:30.400
So let me close this and let's take a look.

16:30.420 --> 16:35.900
In this case first of all you see the icon's totally different, it has a PFX file extension.

16:36.030 --> 16:41.810
And if I double click this I can't really just look at it because it's a package and what is going to

16:41.810 --> 16:44.900
try to do is actually import it into my system.

16:44.900 --> 16:51.380
I don't want to do that because it's already in there but it's important that you remember PKCS 7 is

16:51.440 --> 16:58.130
a way that we store certificates as individual files. PKCS 12 is not only the certificate but also

16:58.130 --> 17:04.640
the private key and it's actually a package OK so let's go ahead and take one more quick look at the

17:04.640 --> 17:12.050
certificate through here and I have to go through all this because I said do the entire Certification

17:12.050 --> 17:12.830
Path.

17:12.830 --> 17:14.330
Now I want to go back into details

17:17.430 --> 17:23.670
and let's take a look at this right here CRL distribution points and you'll notice that that is a path

17:24.180 --> 17:26.500
CRL is something very important.

17:26.670 --> 17:32.600
Let's talk about that CRL stands for Certificate revocation list.

17:32.740 --> 17:38.520
The CRL what you notice is a path is a really really important part of our whole PKI system.

17:38.550 --> 17:44.700
You see the challenge that we have here is that your computer is counting on certificates that are actually

17:44.700 --> 17:46.850
already stored locally on your system.

17:47.010 --> 17:53.010
And because of the nature of hashing and encryption and all that it's hard they're pretty trustworthy

17:53.190 --> 17:55.200
but things can happen.

17:55.440 --> 18:00.840
What if VeriSign went out of business oh I don't even think about that or what if Comodo got captured

18:00.840 --> 18:03.750
by evil terrorists and they were doing naughty things.

18:03.750 --> 18:10.620
The problem we have is that we can have real time problems with our certificate so we need some kind

18:10.620 --> 18:14.680
of way to check and see if even the local certificates are bad.

18:14.760 --> 18:17.010
To say nothing about the certificate that we just got from eBay.

18:17.010 --> 18:18.720
So this is important.

18:18.720 --> 18:22.340
So what we have originally was the CRL.

18:22.350 --> 18:27.420
And if you remember that, that was just a little URL that gives your system the opportunity to very

18:27.420 --> 18:28.940
quickly lose pretty fast.

18:28.930 --> 18:33.780
You can go to that URL and literally there's a list of a bunch of thumbprint numbers and these

18:33.780 --> 18:38.670
numbers which are unique to individual certificates say this one's bad and even says why they're bad

18:39.860 --> 18:41.720
so you can read.

18:41.720 --> 18:43.030
This is all done automatically.

18:43.030 --> 18:48.590
You don't have to do anything but your browser or whatever it might be will go in and using the CRL

18:48.590 --> 18:52.090
do a quick check to make sure everything's copacetic and happy.

18:52.160 --> 18:53.330
Now CRLs are great.

18:53.330 --> 18:54.880
We've used them for decades.

18:55.040 --> 18:57.830
But the problem with CRLs is that it can take up to.

18:57.950 --> 18:59.340
Depends on who you're talking to.

18:59.450 --> 19:04.790
But as much as 24 hours to react to a bad certificate in some fashion.

19:04.790 --> 19:09.830
Now keep in mind when I say that I'm not talking about expired certificates I'm not talking about certificates

19:09.830 --> 19:17.590
that you know you go to www.youtube.com and all of a sudden the certificates for w w w dot e boy dot

19:17.590 --> 19:18.740
com or something like that.

19:18.740 --> 19:22.190
Those are issues that are built in to your system to take care of that.

19:22.250 --> 19:27.830
I'm talking about something that wouldn't normally be caught a certificate that's been revoked for some

19:27.830 --> 19:32.390
reason or another and that's where the CRLs really have a bit of a problem because it can take

19:32.390 --> 19:33.040
so long.

19:33.230 --> 19:40.460
And that's why we turn to a more modern feature called Online Certificate Status Protocol or OCSP.

19:40.460 --> 19:47.450
OCSP works very similarly to CRL but the one big difference is that it's pretty much real time, it's virtually

19:47.810 --> 19:52.150
real time in terms of being able to check whether a certificate is good or not.

19:52.160 --> 19:59.270
CRLs are starting to fade and OCSP is the beautiful thing that we're using today so that my friends

19:59.390 --> 20:05.510
is a very light touch and certainly good enough for Security+ level touch on public key infrastructure.

20:05.510 --> 20:10.910
Public infrastructure is amazing stuff and it really gives us that first opportunity to dig in and

20:10.970 --> 20:12.400
understand certificates.

20:12.440 --> 20:14.300
Make sure you know why we have certificates.

20:14.300 --> 20:16.730
Make sure you know what a certificate looks like.

20:16.730 --> 20:19.490
Make sure you know what a Certification Path is.

20:19.490 --> 20:24.020
Some of the things that we mentioned within the certificate are important and make sure you know your

20:24.020 --> 20:45.190
PKCS, cause you're gonna see it on the exam.
