1. Certificate Issuance Process

PKI Theory (Textbook)

START
  ↓
[User generates key pair]
  ↓
[Create CSR with public key]
  ↓
[Submit CSR to RA]
  ↓
[RA validates identity]
  ↓
[RA forwards to CA]
  ↓
[CA signs certificate]
  ↓
[Certificate issued instantly]
  ↓
[User installs certificate]
  ↓
END (Success)

Real-World Operation

START
  ↓
[User tries to generate key pair]
  ↓
[Wrong key size selected] ──→ [Regenerate]
  ↓                               │
[Create CSR]                      │
  ↓                               │
[Missing required fields] ←───────┘
  ↓
[Submit to RA web portal]
  ↓
[Portal timeout/error] ──→ [Retry 3 times]
  ↓                             ↓
[RA manual review]          [Call support]
  ↓                             │
[Additional documents] ←────────┘
  ↓
[Wait 2-5 business days]
  ↓
[CA processing queue]
  ↓
[Certificate issued]
  ↓
[Email notification goes to spam]
  ↓
[Find certificate 3 days later]
  ↓
[Installation fails - wrong format]
  ↓
[Convert PEM to DER]
  ↓
[Finally installed]
  ↓
END (Success after 1 week)
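The "wrong format" step is almost always a PEM-versus-DER mix-up, and the fix is a few lines once you can tell the two apart. The following is an added example, not code from the original page: it sniffs the encoding, converts in both directions and splits a PEM bundle into its certificates using only the Python standard library. The sample DER bytes are a constructed minimal SEQUENCE rather than a real certificate, and the function names are this example's own.

```python
import base64
import re
from typing import List, Tuple

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the DER SEQUENCE starting at data[0], or -1 if
    the header is malformed. Certificates, CSRs and keys all begin with a
    SEQUENCE (tag 0x30), so this is a cheap sanity check on 'binary' input."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """True only if data is exactly one well-formed SEQUENCE with no trailing bytes."""
    return der_sequence_length(data) == len(data)


def split_pem_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for each PEM block in order, e.g. the leaf
    followed by its intermediates. Raises ValueError on bad base64 or a body
    that does not decode to a DER SEQUENCE."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not looks_like_der(der):
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def pem_to_der(text: str) -> bytes:
    """Convert a single-block PEM file to DER; refuses bundles so an
    intermediate is never silently dropped."""
    blocks = split_pem_bundle(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    return blocks[0][1]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER in PEM armour with the 64-column lines tools expect."""
    if not looks_like_der(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def detect_format(data: bytes) -> str:
    """'der', 'pem' or 'unknown': the check to run before opening a CA ticket."""
    if looks_like_der(data):
        return "der"
    if b"-----BEGIN " in data:
        try:
            if split_pem_bundle(data.decode("ascii", "replace")):
                return "pem"
        except ValueError:          # binascii.Error is a ValueError subclass
            pass
    return "unknown"


# Constructed stand-in, SEQUENCE { INTEGER 5 }; not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(detect_format(SAMPLE_DER), detect_format(SAMPLE_PEM.encode("ascii")))
    print(SAMPLE_PEM, end="")
```

The length check in `looks_like_der` is what catches the usual failure modes in the field: a DER file with a stray trailing newline, a PEM file whose body was wrapped by an editor, or a "certificate" that is really a bundle of three.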
2. Certificate Validation Process

PKI Theory

START: Client connects to server
  ↓
[Receive server certificate]
  ↓
[Check validity period] ──→ Valid? ──No──→ [REJECT]
  ↓ Yes
[Verify signature with the issuing CA's public key]
  ↓
[Check revocation status (CRL/OCSP)]
  ↓
[Build certificate chain to a trusted root]
  ↓
[All checks pass]
  ↓
[ACCEPT - Establish connection]
  ↓
END

Real-World Operation

START: Client connects to server
  ↓
[Receive server certificate]
  ↓
[Check validity period]
  ↓
Valid? ──No──→ [Certificate expired]
  ↓ Yes                ↓
[Verify signature]   [Show warning]
  ↓                    ↓
[Check revocation]   [User clicks "Continue Anyway"]
  ↓                    ↓
[OCSP responder]     [Connection established with expired cert]
  ↓                    ↓
[Timeout after 30 seconds]   END (Insecure)
  ↓
[Fallback to CRL]
  ↓
[CRL download: 50MB file]
  ↓
[Network congestion]
  ↓
[CRL 2 days old - stale]
  ↓
[Skip revocation check] ──→ [Clock skew on client]
  ↓                              ↓
[Build cert chain]           [Validation fails]
  ↓                              ↓
[Missing intermediate]       [User ignores error]
  ↓                              ↓
[Fetch from AIA]             [Proceeds anyway]
  ↓
[Server slow response]
  ↓
[Use cached intermediate cert]
  ↓
[Certificate pinning fails]
  ↓
[Developer disabled pinning for testing]
  ↓
[ACCEPT despite multiple issues]
  ↓
END (Connected with warnings ignored)
3. Certificate Revocation Handling

PKI Theory

START: Private key compromised
  ↓
[Immediately notify CA]
  ↓
[CA revokes certificate]
  ↓
[Add to CRL instantly]
  ↓
[Update OCSP responder]
  ↓
[All clients check revocation]
  ↓
[Revoked cert rejected everywhere]
  ↓
END (Security maintained)

Real-World Operation

START: Private key compromised
  ↓
[Discover breach 3 months later]
  ↓
[Security team meeting]
  ↓
[Debate severity]
  ↓
[Wait for management approval]
  ↓
[2 weeks later: Contact CA]
  ↓
[CA support ticket created]
  ↓
[Priority: "Normal" - 5 day SLA]
  ↓
[Escalate to "Urgent"]
  ↓
[CA revokes certificate]
  ↓
[Add to CRL] ──────────────────────────┐
  ↓                                    ↓
[CRL published every 24hrs]        [Update OCSP]
  ↓                                    ↓
[CDN propagation delay]            [OCSP cache: 7 days]
  ↓                                    ↓
[Some clients using                [Stale responses]
 week-old cached CRL]                  ↓
  ↓                                [Soft-fail mode enabled]
[Client A: Checks CRL]                 ↓
  ↓                                [OCSP timeout = allow]
[Rejects cert]                         ↓
  ↓                                [Client B: OCSP check]
[Client C: No revocation               ↓
 check implemented]                [Gets cached "Good" response]
  ↓                                    ↓
[Accepts revoked cert]             [Accepts revoked cert]
  ↓                                    ↓
[Breach continues on               [Breach continues on
 legacy systems]                    mobile apps]
  ↓
END (Partial security - 60% coverage)
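Sections 2 and 3 both turn on the same two decisions: how much clock skew the validity-period check tolerates, and whether a missing or stale revocation answer is allowed to decide acceptance (the "soft-fail" that lets Client B accept the revoked certificate). The following added example, which is not code from the original page, makes both policies explicit in Python. `OcspResponse` is a simplified stand-in for the fields of a real RFC 6960 response, the responder stubs and timestamps are constructed, and the 7-day maximum age mirrors the OCSP cache lifetime in the flow above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


class RevocationCheckFailed(Exception):
    """Revocation status could not be established (stale, unknown, malformed)."""


@dataclass
class OcspResponse:
    """Simplified stand-in for the fields of an RFC 6960 SingleResponse."""
    cert_status: str                  # "good", "revoked" or "unknown"
    this_update: datetime             # when the responder produced this status
    next_update: Optional[datetime]   # after this the response must be refetched


def check_validity_period(not_before: datetime, not_after: datetime, now: datetime,
                          skew: timedelta = timedelta(minutes=5)) -> bool:
    """notBefore/notAfter check with a bounded allowance for client clock skew.
    Tolerating a few minutes avoids spurious failures; tolerating days would
    let long-expired certificates through."""
    return (not_before - skew) <= now <= (not_after + skew)


def evaluate_ocsp(resp: OcspResponse, now: datetime,
                  max_age: timedelta = timedelta(days=7)) -> str:
    """Return "good" or "revoked", or raise if the response may not be used.
    A response is usable only until its nextUpdate (or thisUpdate + max_age
    when the responder gave none): a week-old cached "good" must not decide
    anything once the certificate has been revoked."""
    if resp.this_update > now + timedelta(minutes=5):
        raise RevocationCheckFailed("response dated in the future")
    usable_until = resp.next_update or (resp.this_update + max_age)
    if now > usable_until:
        raise RevocationCheckFailed("cached response is stale")
    if resp.cert_status in ("good", "revoked"):
        return resp.cert_status
    raise RevocationCheckFailed("responder does not know this certificate")


def decide(fetch: Callable[[], OcspResponse], now: datetime, hard_fail: bool) -> str:
    """Map the revocation check to a connection decision.
    hard_fail=True : timeout, stale or unknown -> REJECT.
    hard_fail=False: the same failures are treated as "good", the soft-fail
    policy that lets a revoked certificate through whenever the responder is
    slow, blocked or serving stale data."""
    try:
        status = evaluate_ocsp(fetch(), now)
    except (TimeoutError, RevocationCheckFailed) as exc:
        if hard_fail:
            return f"REJECT ({exc})"
        return "ACCEPT (soft-fail: revocation status unknown)"
    return "REJECT (revoked)" if status == "revoked" else "ACCEPT"


# Constructed sample data; not captured from any real responder.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)


def responder_timeout() -> OcspResponse:
    raise TimeoutError("OCSP responder did not answer within 5s")


def responder_stale_good() -> OcspResponse:
    # "good" produced before the revocation and cached for a week
    return OcspResponse("good", NOW - 9 * ONE_DAY, NOW - 2 * ONE_DAY)


def responder_fresh_revoked() -> OcspResponse:
    return OcspResponse("revoked", NOW - timedelta(hours=1), NOW + ONE_DAY)


if __name__ == "__main__":
    responders = [("timeout", responder_timeout), ("stale good", responder_stale_good),
                  ("fresh revoked", responder_fresh_revoked)]
    for name, fetch in responders:
        for hard in (False, True):
            print(f"{name:14s} hard_fail={hard!s:5s} -> {decide(fetch, NOW, hard)}")
```

Run it and the "timeout" and "stale good" rows show the asymmetry the flow describes: under soft-fail both are accepted, so an attacker who can block or delay the responder gets the same result as a valid certificate; under hard-fail the availability cost moves to the responder, which is why real deployments pair hard-fail with OCSP stapling or short-lived certificates rather than live lookups.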
4. Key Management Lifecycle

PKI Theory

START
  ↓
[Generate key pair]
  ↓
[Store private key securely in HSM]
  ↓
[Use key for operations]
  ↓
[Key rotation at scheduled interval]
  ↓
[Secure key destruction]
  ↓
END (Clean lifecycle)

Real-World Operation

START
  ↓
[Generate key pair on developer laptop]
  ↓
[Copy private key to multiple servers]
  ↓                               ↓
[Email key to coworker]       [Store in Git repo]
  ↓                               ↓
[Key in backup files]         [Accidentally public]
  ↓                               ↓
[HSM too expensive]           [Commit reverted]
  ↓                               ↓
[Store on file share]         [But still in Git history]
  ↓
[Share drive permissions misconfigured - world readable]
  ↓
[Key rotation policy: "Annually"]
  ↓
[Year passes]
  ↓
[No one remembers policy]
  ↓
[Key now 5 years old]
  ↓
[Finally rotate key]
  ↓
[Old key "securely deleted"]
  ↓
[Still in 47 backup locations]
  ↓
[Still in VM snapshots]
  ↓
[Still on decommissioned servers]
  ↓
[Still on USB drive in drawer]
  ↓
END (Key lifecycle unclear)
5. TLS Handshake Process

PKI Theory

START
  ↓
[Client Hello]
  ↓
[Server Hello + Certificate]
  ↓
[Client validates certificate]
  ↓
[Key exchange]
  ↓
[Generate session keys]
  ↓
[Encrypted communication begins]
  ↓
END (Secure channel established - 100ms)

Real-World Operation

START
  ↓
[Client Hello]
  ↓
[Server Hello]
  ↓
[Certificate chain transmission]
  ↓
[Chain has 5 intermediates - not 3]
  ↓
[Extra 200ms latency]
  ↓
[Client validates certificate]
  ↓
[OCSP check] ──→ [Timeout after 5 sec]
  ↓                     ↓
[Continue anyway] ← [Soft-fail allows]
  ↓
[Key exchange]
  ↓
[Weak cipher selected]
  ↓
[TLS 1.0 fallback due to legacy system compatibility]
  ↓
[Security scan flags weak cipher]
  ↓
[WAF in front adds extra handshake]
  ↓
[Load balancer terminates TLS]
  ↓
[Re-encrypts to backend]
  ↓
[Backend uses self-signed cert]
  ↓
[Certificate validation disabled between LB and backend]
  ↓
[Application finally receives request]
  ↓
END (Connected after 3 seconds, multiple security compromises)
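Two of the compromises in that flow, the pre-1.2 protocol floor and "validation disabled between LB and backend", are each a couple of lines of client configuration, and they are easy to audit for. The following is an added example using Python's standard `ssl` module, not code from the original page: the weak context beside a hardened one, plus the check a configuration scan would run on either. The `private_ca_bundle` argument is an assumed path to the PEM bundle of the internal CA that issued the backend certificates; the example runs without it.

```python
import ssl
from typing import List, Optional


def insecure_backend_context() -> ssl.SSLContext:
    """The 'validation disabled between LB and backend' configuration: any
    certificate is accepted (so anything on the path can impersonate the
    backend) and no protocol floor is set, so TLS 1.0/1.1 may still be
    negotiated with a legacy peer. Included for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_backend_context(private_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the backend certificate (system trust store by default, or the
    internal CA that issued the backend certs) and refuse anything below
    TLS 1.2. `private_ca_bundle` is an assumed path to that CA's PEM bundle."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if private_ca_bundle is not None:
        ctx.load_verify_locations(cafile=private_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a configuration scan would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate SAN")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_backend_context()))
    print("hardened:", audit_context(hardened_backend_context()))
```

The self-signed backend certificate in the flow is not the real problem; the real problem is that the client was told to accept anything. Issuing backend certificates from an internal CA and loading only that CA into the hardened context keeps the hop verified without depending on a public CA.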
6. Multi-Domain Certificate Deployment

PKI Theory

START
  ↓
[Purchase wildcard cert]
  ↓
[Install on all servers]
  ↓
[All domains secured]
  ↓
END (Simple deployment)

Real-World Operation

START
  ↓
[Purchase wildcard cert for *.company.com]
  ↓
[Deploy to web servers]
  ↓
[Need cert for *.internal.company.com] ──→ [Wildcard doesn't cover: * matches one label only]
  ↓                                             ↓
[Buy separate cert]                         [Exception request]
  ↓                                             ↓
[Deploy to app servers]                     [Use self-signed for now]
  ↓                                             ↓
[Need cert for mail.company.com]            [6 months pass]
  ↓                                             ↓
[Wildcard covers this]                      ["Temporary" cert still in use]
  ↓
[But mail server uses different vendor]
  ↓
[Vendor requires their CA]
  ↓
[Now managing 3 different CAs]
  ↓
[Renewal dates all different]
  ↓
[Server 1: Cert expires]
  ↓
[Monitoring missed alert]
  ↓
[Users report SSL errors]
  ↓
[Emergency renewal]
  ↓
[Deploy to 47 servers]
  ↓
[Forget server #23]
  ↓
[Errors continue]
  ↓
[Track down missing server]
  ↓
[Deploy to server #23]
  ↓
[But cert has wrong SAN entries]
  ↓
[Re-issue certificate]
  ↓
[Deploy again to 47 servers]
  ↓
[Create spreadsheet to track all certs]
  ↓
[Spreadsheet immediately out of date]
  ↓
END (Eventually working, fragile state)
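Why the wildcard covers mail.company.com but not hosts under internal.company.com is a matching rule, and it is worth having it in code before buying the next certificate. The following is an added example, not code from the original page, that implements dNSName matching over a certificate's subjectAltName list with the standard library; the SAN list is constructed and the function names are this example's own. A real client would first extract the dNSName entries from the parsed certificate; this block starts from that list.

```python
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one dNSName SAN entry cover `hostname`?
    Rules (RFC 6125 section 6.4.3 and the CA/Browser Forum Baseline
    Requirements as applied by browsers):
      * a wildcard is honoured only as the entire leftmost label;
      * it matches exactly one label, never zero, never several;
      * it needs at least two labels to its right (no *.com);
      * anything else is an exact, case-insensitive comparison."""
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or "*" in hostname:
        return False
    if p[0] != "*":
        if any("*" in label for label in p):
            return False                 # partial wildcards such as f*.example.com
        return p == h
    if len(p) < 3:
        return False                     # *.com would cover every .com host
    return len(h) == len(p) and p[1:] == h[1:]


def covered_by(san_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers hostname."""
    return any(dns_name_matches(n, hostname) for n in san_names)


# Constructed SAN list of the wildcard certificate in the flow above.
WILDCARD_SAN = ["*.company.com"]

if __name__ == "__main__":
    for host in ["mail.company.com", "internal.company.com", "company.com",
                 "app.internal.company.com", "MAIL.COMPANY.COM."]:
        print(f"{host:26s} covered={covered_by(WILDCARD_SAN, host)}")
```

Note that *.company.com does match internal.company.com itself (one label) but not app.internal.company.com, and never the bare company.com; a certificate that must cover all three needs explicit SAN entries for company.com and *.internal.company.com alongside the wildcard.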
7. Certificate Monitoring & Renewal

PKI Theory

START
  ↓
[Automated monitoring system]
  ↓
[Alert 30 days before expiry]
  ↓
[Auto-renewal via ACME protocol]
  ↓
[New cert deployed automatically]
  ↓
[Zero downtime]
  ↓
END (Seamless renewal)

Real-World Operation

START
  ↓
[Manual spreadsheet tracking]
  ↓
[Spreadsheet on someone's laptop]
  ↓
[That person left company]
  ↓
[Cert expires on Saturday night]
  ↓
[Website down]
  ↓
[On-call engineer paged at 2 AM]
  ↓
[Engineer doesn't have CA credentials]
  ↓
[Call manager]
  ↓
[Manager on vacation]
  ↓
[Find alternate contact]
  ↓
[Emergency purchase authority]
  ↓
[CA portal down for maintenance]
  ↓
[Wait 4 hours]
  ↓
[Portal back up]
  ↓
[Purchase new cert]
  ↓
[Validation email sent to former employee's address]
  ↓
[Request email resend]
  ↓
[IT scrambles to create alias]
  ↓
[Validation complete 6 hours later]
  ↓
[Deploy new cert]
  ↓
[Deployment script fails]
  ↓
[Manual deployment to each server]
  ↓
[Website back up 14 hours later]
  ↓
[Post-mortem meeting scheduled]
  ↓
[Action item: Implement monitoring]
  ↓
[Monitoring project added to backlog]
  ↓
[Priority: "Medium"]
  ↓
[Never implemented]
  ↓
END (Ready for next outage)
8. Internal CA vs Public CA Decision

PKI Theory

START
  ↓
[Internal services] → [Use Internal CA]
  ↓
[External services] → [Use Public CA]
  ↓
END (Clear separation)

Real-World Operation

START
  ↓
[Use Internal CA for internal services]
  ↓
[Deploy root cert to all employee devices]
  ↓
[Mobile devices not included]
  ↓
[Mobile users get cert errors]
  ↓
[Train users to click "Accept"]
  ↓
[Users now trained to ignore cert warnings]
  ↓
[Partner company needs access]
  ↓
[Can't deploy internal CA to partners]
  ↓
[Create exception with public cert]
  ↓
[Now maintaining two systems]
  ↓
[Contractor laptops not managed]
  ↓
[More exceptions needed]
  ↓
[VPN requires client cert]
  ↓
[But uses public CA for web interface]
  ↓
[And internal CA for auth]
  ↓
[Certificate management nightmare]
  ↓
[Team proposes: "Use public CA for everything"]
  ↓
[Finance rejects due to cost]
  ↓
[Team proposes: "Use Let's Encrypt"]
  ↓
[Security rejects: "Not approved vendor"]
  ↓
[Continue with hybrid mess]
  ↓
[Create 200-page documentation]
  ↓
[No one reads it]
  ↓
END (Complicated, inconsistent state)

Key Differences Summary
| Aspect | Theory | Reality |
|---|---|---|
| Timeline | Minutes | Days to weeks |
| Success Rate | 100% | 60-80% on first attempt |
| Automation | Fully automated | Mostly manual with scripts |
| Errors | None | Multiple retries common |
| Documentation | Up to date | Outdated or missing |
| Human Factor | Perfect execution | Mistakes, delays, politics |
| Security | No compromises | Multiple workarounds |
| Cost | Planned budget | Exceeds budget + emergency costs |

Common Real-World Issues Not in Theory

[Certificate Pinning]
  ↓
[App update impossible] → [Hardcoded pin expired]
  ↓
[Emergency bypass] → [Security weakened]

[Cross-Platform Issues]
  ↓
[Works on Windows] → [Fails on Linux]
  ↓
[Different cert formats] → [Conversion errors]

[Legacy System Integration]
  ↓
[Old system requires MD5] → [Incompatible with modern certs]
  ↓
[Security exception granted] → [Vulnerability remains]

[Vendor Lock-in]
  ↓
[CA switch needed] → [Apps hardcoded to old CA]
  ↓
[Cannot migrate] → [Paying for two CAs]

This comparison highlights why the Information Security Support Professional exam includes practical scenarios: theory alone doesn't prepare you for real-world PKI operations.