iTunes | Stitcher | Google Play | TuneIn Radio | SoundCloud

Related Materials

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

PKI (public key infrastructure)

The Public Key Infrastructure Approach to Security

Podcast Transcript

Greg: Hey everyone, welcome to today's episode of Defrag This. I'm your ever gracious host, Greg Mooney and this is episode 8, "What is Public Key Infrastructure?"

Wow, we're already at eight episodes. I've been having a blast doing these podcasts and hope all of you out there have been enjoying them. You can always give your feedback and ask questions at @defrag_this on Twitter or in the comments section on the Defrag This blog (below).

Today is going to be an interesting discussion about public key infrastructure. On the phone today, I have our guest, Missy Januszko. Thanks for coming in today, Missy. How are you doing today?

Missy: I'm doing great. Great to be here.

Greg: Missy is an extremely experienced IT professional and writer with quite the track record. She's worked as a Technology Architect, sysadmin and IT Consultant for the likes of Cerner Corporation and Siemens Healthcare, just to name a few.

Just last week, Missy presented at the PowerShell and DevOps Global Summit 2017 in Bellevue, Washington, where she presented talks on getting started with a desired state configuration, also known as DSC in Powershell, as well as a talk in how to use DSC to create a public key infrastructure. She was also a panelist on Wednesday's discussion called "Introducing Our DevOps to Your Organization".

So Missy, could you tell us a little more about PowerShell and the DevOps Global Summit in general for those who may have not have heard of it? Also, who would you recommend attend this conference in the future?

Missy: Sure. So the PowerShell and DevOps Global Summit is an annual gathering of PowerShell enthusiasts from across the country and actually across the world. We had a number of people that actually came from all over the place including, you know, Europe and the U.S. It's a very small, intimate conference, it's about 300 people. The organizers try to keep everything very small and intimate so that we can actually network with the other community members and also with the members of the Microsoft PowerShell team, as well as Jeffrey Snover himself, the distinguished engineer who is in charge of PowerShell.

Greg: Oh wow, so he was there. So there was probably a lot of the PowerShell MVPs there visiting this as well, correct?

Missy: Yes, there were many PowerShell MVPs, including myself, which I have just been recently named as a PowerShell Cloud and data center MVP.

Greg: Oh, congratulations. I didn't know that.

Missy: Thank you.

Greg: That's awesome. So let's get into talking about your presentation. Can you tell us a little about what Public Key Infrastructure (PKI) is and why is it so important to maintain in a secure network environment?

Missy: Sure. If you think about a PKI, you've encountered a PKI before. When you go out to a website, such as your bank's website, you are connecting via HTTPS and you're putting in a URL into your browser, https, blah, blah, my bank.com. What you're basically doing is you are say...you are trusting that you are connecting to that website and that exact website. And that you're not connecting to anyone else. You're doing that via, what I call an external Public Key Infrastructure. Which is there are companies who run certification authorities for the internet. And a company such as a bank will go and get a certificate from one of these certification authorities saying, "I'm running this website and when people connect to me, I want to prove to them that I am this website."

Greg: Okay, so this is...all this is basically generally how encryption works I would assume over the web. So TLS and SSL?

Missy: Correct.

Greg: Gotcha. And so PKI, which we'll call it for short, is essentially a checks and balances of sorts to ensure that the person on the other end is who they say you are. How is the PKI in terms of security these days? I know there was once...there's been some controversy since such certificates can be corrupted at times and used as a vector of attack. Is this true and do you consider this a considerable risk?

Missy: There is definitely a risk in PKI but there's much more of a risk if you don't have one. Your risk is really, if you...in terms of maintenance, as far as are you keeping your PKI up to date? Are you...so recently, within the last year, everybody's been working on getting rid of their SHA-1 Certificates, which is the secure hash algorithm that has been either close to or...I don't remember if it's close to or if it's been compromised. But everyone has been moving to SHA-2 because this is the most recent, secure algorithm. So managing the risk is really about keeping your infrastructure up to date. Are you up to date on your revoked certificates? If a certificate was compromised and it was revoked by a public certificate authority, are you also maintaining the fact that that certificate was revoked so that it can't be used?

Greg: So now the fun question. Could you briefly tell us how you would go about setting up a PKI? I know you talked about it externally. From what I gather from your presentation, you can also do this internally, correct?

Missy: Correct. So my presentation was really about setting up an internal PKI. And the reason for this is because...and I'll go into a little bit of an explanation about DSC and desired state configuration. Desired State Configuration is a configuration management tool that is built into Windows on top of PowerShell that you can use to declare a configuration for your servers. So I say, "I want my server to have this software and this service running and this particular file in place," and DSC will automatically make that server according to how you want it. Now, there are times where pieces of that configuration need to run under alternate credentials. Maybe it's that you need to create an Active Directory user. And in order to do so, you need a credential that has authority to create that Active Directory user. Inside your configuration, you would specify that credential. But you don't want that credential to be in clear text in your files. So in order to encrypt the credentials inside your configuration, you need an internal PKI infrastructure to encrypt it.

Greg: Is there anything that someone should need to know before attempting such a feat? I know in your presentation, you talked about some of the struggles you encountered when setting this up.

Missy: Well, first of all, education is key because PKI is a very complex setup. And there are a lot of different best practices on how to configure a production worthy PKI. So education is key. There are also very, very many options on how you can configure a particular PKI. Maybe you have a certificate revocation list, you're maintaining your list of revoked certificates and you can choose to have that in your Active Directory or you know, in an IIS website or in a file. And you need to decide what is best for your organization as far as where you want to locate those things and then how to configure it.

Greg: Yeah, makes sense. And so...actually, maybe you could share some of the resources with us. I mean, I can probably put it on the blog for our listeners to read up on for some education. Do you know any sources off the top of your head that would be a great place to start?

Missy: For a Microsoft Certification Authority, I have a great TechNet article I can share with you. I don't have the URL off the top of my head but I have it bookmarked.

Greg: Oh great, yeah. Yeah, if you could send that over, we'll make sure that's, you know, available for the listeners of the podcast. But there you have it. You know, this is obviously a basic overview. There's a lot more that, as Missy said, you can dive into. But as you can see. PKI really is the heart of all online transactions. So thanks everyone for listening today. Remember you can follow us on Twitter at @defrag_this.

I like to thank you, Missy, for coming in today and sharing your thoughts and talking about your presentation. We really appreciate it.

Missy: Thank you for having me, it was a great time.

Greg: Thanks. So until next time folks, I'm your host, Greg Mooney. And stay safe out there.