Episode 75: Security Awareness Training and Programs

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Public Key Infrastructure, or PKI, is a foundational technology that enables secure digital communication. It is the framework that supports public key encryption, digital certificates, and the validation of identity in online environments. PKI makes it possible to authenticate users and systems, encrypt data securely, and apply digital signatures that confirm the integrity and origin of messages or documents. It plays a central role in protecting confidentiality, ensuring data integrity, and enforcing non-repudiation in modern IT systems. Without PKI, tools such as secure web browsing, encrypted email, digital document signing, and certificate-based VPN authentication would not function properly. PKI is deeply embedded in nearly every secure transaction, from banking websites to corporate logins. The CISA exam frequently tests a candidate’s understanding of how PKI operates, how certificates are validated, and how this infrastructure is governed and audited in enterprise environments.
The structure of PKI is built around several core components, each with a specific role in enabling trust and encryption. The Certificate Authority, or CA, is a trusted entity that issues and signs digital certificates, effectively validating the ownership of public keys. The Registration Authority, or RA, acts as an identity verification checkpoint, confirming that certificate requests come from legitimate sources before forwarding them to the CA. Digital certificates bind a public key to a verified identity—this identity may represent a person, a system, or a device. Certificates include information such as the issuing authority, the public key, expiration dates, and permitted uses. The Certificate Revocation List and the Online Certificate Status Protocol are the two mechanisms by which relying parties learn that a certificate has been revoked and is no longer trusted: the CA publishes the revocation, and CRLs or OCSP responses carry that status to whoever checks it. All of this is made possible through the use of asymmetric key pairs, with one public key that is shared and one private key that must be kept secret. Each element in this structure must function reliably for PKI to deliver secure communication.
Digital certificates operate at the heart of PKI by making encryption and identity verification scalable and trustworthy. A digital certificate confirms that a particular public key belongs to a known and verified subject. When a certificate is issued, it includes a public key, identity information, validity dates, and a digital signature from the Certificate Authority. When users or systems attempt to authenticate or encrypt communications, the recipient can verify the certificate's signature using the CA’s public key. If this verification succeeds, trust is established. This model relies on certificate chains, where trust is inherited from higher authorities, often beginning with a trusted root CA. Expired certificates or those that have been revoked must not be accepted. Self-signed certificates may be used in limited testing scenarios, but they lack third-party validation and are considered insecure in production. On the CISA exam, candidates may be asked to evaluate how certificate validation works, or identify weaknesses in trust chains and certificate expiration handling.
PKI is applied in a variety of important use cases across different technologies and industries. One of the most well-known applications is the use of HTTPS, where web servers present digital certificates to encrypt sessions and authenticate their identity. PKI also enables secure email through standards such as S/MIME, which provide digital signing and end-to-end encryption. In the software development world, code signing is used to validate the source and integrity of executables and scripts. Without code signing, users have no assurance that software has not been altered by an attacker. PKI is also used in network authentication, such as establishing secure VPN connections or granting access to Wi-Fi networks using certificates instead of passwords. In enterprise environments, digital document signing is increasingly used for contracts and other high-trust transactions. These use cases demonstrate that PKI is not theoretical—it is used every day to support trust and security across a wide range of business functions.
Certificate lifecycle management is critical to PKI’s security and reliability. The lifecycle includes enrollment, issuance, renewal, and revocation. During enrollment, a user or system submits a certificate request through the Registration Authority, which verifies the identity and forwards the request to the Certificate Authority. Once approved, the CA issues the certificate and records it in a trusted repository. Certificates must be renewed before they expire to maintain continuity of service and avoid trust failures. If a certificate is compromised, no longer needed, or issued in error, it must be revoked immediately. Revocation is managed through CRLs or online status checking protocols, and systems must be configured to check these revocation lists before trusting a certificate. Auditors must ensure that each lifecycle stage is followed properly, logged, and subject to internal controls. The CISA exam often tests lifecycle governance, especially in scenarios where expired or improperly revoked certificates lead to outages or vulnerabilities.
Private key protection is essential for the security of public key cryptography. If the private key associated with a certificate is stolen, attackers can impersonate the certificate owner, decrypt sensitive information, or sign malicious content. Private keys must be stored securely, often in hardware tokens, trusted platform modules, or hardware security modules. Access to private keys must be limited, encrypted, and governed by strong authentication controls. Keys should be rotated periodically, and old certificates should be revoked and replaced. Private key files must never be stored unencrypted or left on shared drives. Password protection and encryption for software-based keys are basic requirements. Auditors evaluate whether private key storage is properly managed and whether there are procedures in place to detect and respond to key compromise. The CISA exam may present scenarios involving compromised credentials or weak storage methods and ask candidates to identify the associated risks or remediation steps.
Trust models define how PKI authorities are structured and how trust relationships are validated. In a single CA model, one central authority handles all certificate issuance, which simplifies management but creates a single point of failure. A hierarchical trust model starts with a root CA that delegates authority to one or more intermediate CAs, allowing for scalability and better isolation of risk. In contrast, a web of trust model does not rely on a central authority but instead uses peer validation—this is common in systems like Pretty Good Privacy. Each model has strengths and weaknesses depending on the use case. Organizations must choose a model that aligns with their governance capabilities, risk tolerance, and scalability needs. Auditors review whether the trust model is documented, whether root and intermediate certificates are protected, and whether trust chains are valid and current. On the exam, CISA candidates must understand which model fits a given environment and be able to assess risks within the trust hierarchy.
Despite its benefits, PKI introduces several challenges in certificate management and operational risk. One common problem is forgotten expiration dates. When certificates are not renewed in time, services may become unavailable, triggering outages or application failures. Overuse of wildcard certificates, which secure multiple subdomains under one certificate, reduces visibility and increases risk if a key is compromised. Self-signed certificates, while easy to generate, do not provide third-party validation and can be exploited to deceive users. In some cases, certificates are issued but not tracked, leading to gaps in visibility and unexpected vulnerabilities. If revocation checking is not configured properly, compromised certificates may continue to be accepted, undermining trust. These challenges demonstrate why certificate management must be closely governed and monitored. CISA exam questions may focus on how poor PKI oversight leads to systemic risk and what steps should be taken to regain control over the certificate ecosystem.
Logging, monitoring, and alerting are necessary for maintaining PKI integrity and responding to emerging risks. All certificate-related activity should be logged, including issuance, renewal, revocation, and key usage. Logs should include time stamps, requestor identity, system origin, and action taken. Alerts must be configured for unusual activity, such as unauthorized certificate requests, access to private key stores, or abnormal revocation patterns. Monitoring should include checking for certificates nearing expiration, those not aligned with policy, or those used in unexpected places. Logs should be retained according to legal and regulatory requirements and made available for compliance reviews or incident investigations. Auditors examine the completeness, integrity, and accessibility of certificate logs and assess whether alerts are meaningful and actionable. For CISA candidates, it is important to know what should be logged, how to detect misuse, and how alerting can help prevent or limit the impact of certificate-based attacks.
For CISA candidates, understanding Public Key Infrastructure is essential for evaluating how trust is established, maintained, and monitored in digital systems. You must be able to assess how certificates are issued, how private keys are stored, and how trust is validated across systems. Be prepared to audit the certificate lifecycle, review key management practices, and evaluate certificate authority protections. Expect exam questions that explore issues like expired certificates, misused keys, or untrusted certificate chains. Auditors must verify that the PKI implementation is secure, scalable, and aligned with business risk. Certificates that are untracked or improperly governed may create hidden vulnerabilities that undermine the entire security model. PKI enables trusted communication, but only when its components are properly configured, monitored, and maintained. A weak PKI is not just a technical flaw—it is a critical audit finding that must be addressed with urgency and precision.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
