A collection of articles, manuals, research papers, blogs, videos and software related in some way to Public Key Infrastructure (PKI).
The organizations behind the major browsers and operating systems maintain the most widely used collections of trusted certificate authority (CA) certificates.
These root programs keep their lists up to date and work together on standardizing the inclusion process.
Chrome Root Program
Mozilla's CA Certificate Program
Apple Root Certificate Program
Microsoft Trusted Root Certificate Program
The Common CA Database (CCADB) - managed by Mozilla, supported by Microsoft & Google
Everything you Never Wanted to Know about PKI but were Forced to Find Out (PDF) - by Peter Gutmann
PKI: It's Not Dead, Just Resting (PDF) - Peter Gutmann
X.509 Style Guide - by Peter Gutmann
SSL/TLS and PKI History - Feisty Duck
How to build your own public key infrastructure - The Cloudflare Blog
Everything you should know about certificates and PKI but are too afraid to ask - Smallstep Labs blog
Path Building vs Path Verifying: The Chain of Pain
Certificate Transparency: a bird's-eye view
Key Management Cheat Sheet, OWASP
Certificate Policy and Certification Practice Statement documents for ISRG / Let's Encrypt
Checklist on building an Offline Root & Intermediate Certificate Authority (CA) - Stack Overflow
Certificate Authority with a YubiKey
Get started with the Nitrokey HSM or SmartCard-HSM
Why I don't like smartcards, HSMs, YubiKeys, etc. - Hacker News
The Untold Story of PKCS#11 HSM Vulnerabilities - Cryptosense
A survey of Hardware Crypto Devices (PDF) - cryptotronix
Linux smart cards (OpenSC) - How-to - Cédric Dufour blog
Key Management and use cases for HSMs - Cryptomathic
What is Key Management? a CISO Perspective - Cryptomathic
The Definitive Guide to Encryption Key Management Fundamentals - Townsend Security
Example of an IANA DNSSEC signing ceremony - not X.509, but it describes the procedure of a serious key ceremony
Security Concepts, Subsection 28.9: Key Management - blog of Travis
NIST Key Management Guidelines
NIST Cryptographic Module Validation Program
Commercial Cryptographic Key Management in 2018
Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications, Ivan Ristić
Cryptography Engineering: Design Principles and Practical Applications, Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno
Security Engineering, The Second Edition (2008) - Chapter 21: Network Attack and Defence, Ross Anderson
Encyclopedia of Cryptography and Security, Henk C.A. van Tilborg
Architecture for Public-Key Infrastructure (APKI), The Open Group Guide, 1999
Is the Web Ready for OCSP Must-Staple? (PDF)
The First Ten Years of Public-Key Cryptography - Whitfield Diffie (PDF)
Hackable Security Modules: reversing and exploiting a FIPS 140-2 Level 3 HSM firmware - video, PDF
PKI Bootcamp by Paul Turner - Playlist
How to be a Certificate Authority, feat. Ryan Sleevi - Security. Cryptography. Whatever. podcast
| Software | PKCS#11 support | ACME support | Notes |
|---|---|---|---|
| Let's Encrypt Boulder | yes | yes | not much documentation, no commercial support |
| step-ca | yes | yes | cloud-ready CA with commercial support |
| EJBCA | yes | yes | $$$$ commercial support |
| Dogtag Certificate System | yes | yes | n/a |
| HashiCorp Vault PKI backend | no (only enterprise?) | no | API-based CA |
| CFSSL | no | no | PKI toolkit with an API |
| easy-rsa | no | no | simple shell-based CA utility |
| OpenSSL Certificate Authority | yes | no | shell-based CA leveraging OpenSSL |
| XCA | yes | no | certificate authority with a comprehensive GUI |