Category: Security
All PKI knowledge base pages in the "Security" category.
- CA Compromise: Attack Scenarios, Detection & Recovery Playbook — What happens when your Certificate Authority is compromised. Real-world attack patterns, early detection indicators, and step-by-step incident recovery procedures.
- Certificate Pinning: When to Use It, When to Kill It — Why pinning helps against rogue CAs, how leaf, SPKI, and CA pins differ, why HPKP failed, where pinning still fits (mobile, IoT, mTLS), and when CT and CAA are enough.
- Hybrid PQC Certificates: Generation, Testing, and Compatibility — Composite vs catalyst hybrid X.509, OpenSSL 3.5 and oqs-provider workflows, certificate size impact, TLS testing with hybrid KEM, and what to deploy in production now.
- Key Management Best Practices: Rotation, Storage & Access Control — Enterprise key management done right. Key rotation schedules, secure storage options, access control policies, and compliance requirements for FIPS and PCI.
- NIST PQC Algorithms for PKI Engineers: ML-KEM, ML-DSA, SLH-DSA — Engineer reference for FIPS 203/204/205: ML-KEM, ML-DSA, SLH-DSA—sizes, roles in TLS and PKI, OpenSSL 3.5 usage, CNSA 2.0 alignment, and selection guidance.
- PKI Attack Vectors: From Heartbleed to Nation-State CA Compromise — Comprehensive PKI threat analysis. Cryptographic attacks (MD5 collisions, ROCA), protocol vulnerabilities (BEAST, CRIME), rogue CA issuance, and defense-in-depth strategies with code examples.
- PKI Audit Checklist: WebTrust, ETSI & Browser Root Program Requirements — Pass your PKI audit. Certificate Policy templates, CPS structure (RFC 3647), CA/Browser Forum baseline requirements, and continuous compliance automation for public and private CAs.
- PKI Incident Response: Certificate Breach Detection & Recovery — How to respond to PKI security incidents. Key compromise detection, emergency revocation procedures, root CA breach recovery, and post-incident analysis.
- PKI Vulnerabilities: Domain Validation Bypass, Weak Keys & CA Exploits — From DigiNotar to domain validation bypass: how CAs get compromised. Weak key generation, BGP hijacking for fraudulent certs, supply chain attacks, and how to detect and prevent each.
- Private Key Protection: HSM, TPM & Software Vault Security Options — How to protect private keys in enterprise PKI. Compare HSM, TPM, and software-based protection with compliance implications for FIPS 140-2 and PCI DSS.
- Wildcard Certificates: Security Risks, Scope Creep & Alternatives — Why wildcard TLS/SSL certificates create security vulnerabilities — shared keys, scope creep, fleet-wide revocation — and how SAN or per-service certs with ACME and DNS-01 automation reduce risk.