Master certificate and PKI vocabulary: X.509, CA hierarchy, CSR, SAN, certificate lifecycle, and trust stores.
1 / 5
A Certificate Signing Request (CSR) is:
A CSR is generated by the certificate applicant — it contains the public key and subject details (domain, organisation). The CA verifies and signs it to produce the certificate.
2 / 5
Subject Alternative Names (SANs) in a certificate allow:
SANs extend a certificate to cover multiple domains (e.g., example.com, www.example.com, api.example.com) in one certificate, replacing the older CN-only approach.
3 / 5
What does an intermediate CA (Certificate Authority) do?
Intermediate CAs are signed by the root CA and issue end-entity certificates. The root CA remains offline for security — if an intermediate is compromised, only its certificates need revocation.
4 / 5
Certificate pinning means:
Certificate pinning prevents MITM attacks by rejecting any certificate not matching the pinned value — risky because it breaks when the certificate legitimately rotates.
5 / 5
OCSP (Online Certificate Status Protocol) is used to:
OCSP allows clients to query the CA in real time about a specific certificate's revocation status — a faster alternative to downloading the full Certificate Revocation List (CRL).