# Certificates, Revocation, and Pinning

One-sentence definition: X.509 certificates bind identities to public keys; revocation (CRL/OCSP) signals that a certificate is no longer valid before its expiry; **pinning** restricts which certificates or keys a client will accept.

## Key Facts

- Fields: subject, issuer, validity period, SANs, key usage, extensions.
- Revocation: CRL (client pulls a signed list) vs OCSP (client queries status of one certificate); OCSP stapling has the server attach a fresh, CA-signed OCSP response to the TLS handshake, so the client never contacts the CA (better privacy and lower latency).
- Pinning: trust only a specific key, certificate, or CA; beware operational brittleness (an unplanned key change locks clients out).
- Renewal and rotation policies prevent expiry outages.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose OCSP stapling to avoid the client privacy leak and latency of direct OCSP queries.

**Mnemonic:** “**Check** before you **trust**.”

## Mini Scenario

Q: A mobile app should only trust your backend—design?

A: Key pinning with an update/rollover plan (ship a backup pin so the key can be rotated without an app update).

## Revision Checklist

- Contrast CRL vs OCSP vs stapling.
- Define pinning risk/benefit.
- Name two key certificate fields.

## Related

[[Public Key Infrastructure (PKI) Components]] · [[Asymmetric Encryption Overview (RSA, ECC)]] · [[Hashing, HMAC, and Digital Signatures]] · [[Symmetric Encryption Overview]] · [[Block Cipher Modes (ECB, CBC, CTR, GCM)]] · [[Domain 3 - Index]]
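The mini scenario above (key pinning with a rollover plan) as an added worked example, not part of the original note. It computes SPKI pins the way HPKP and most mobile pinning libraries do (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo), enforces the "always ship a backup pin" rule, and walks through a key rotation to show why the backup matters. The `KEY_A`/`KEY_B`/`KEY_C` byte strings are constructed placeholders standing in for real SPKI DER blobs; the host name and the `PinSet` class are assumptions for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP / OkHttp format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    """Pins a client accepts for one host: the live key plus at least one backup."""
    host: str
    pins: frozenset

    def __post_init__(self):
        # Operational rule: a single pin means any key change is an outage.
        if len(self.pins) < 2:
            raise ValueError(f"{self.host}: ship a backup pin, not just the live key")

    def accepts(self, presented_spki: bytes) -> bool:
        # Accept the connection only if the presented key matches a known pin.
        return spki_pin(presented_spki) in self.pins


# Constructed placeholder SPKI blobs (NOT real keys). In practice these are the
# DER SubjectPublicKeyInfo bytes extracted from the leaf or intermediate cert.
KEY_A = b"constructed-spki-bytes-key-A"   # key currently on the backend
KEY_B = b"constructed-spki-bytes-key-B"   # backup key, held offline
KEY_C = b"constructed-spki-bytes-key-C"   # future backup, introduced later


def rollover_walkthrough() -> dict:
    """Simulate a pinned client across one key rotation; returns accept/reject results."""
    results = {}

    # Phase 0: app release 1 ships pins for live key A and backup key B.
    release1 = PinSet("api.example.test", frozenset({spki_pin(KEY_A), spki_pin(KEY_B)}))
    results["r1_key_a"] = release1.accepts(KEY_A)   # live key works
    results["r1_key_b"] = release1.accepts(KEY_B)   # backup already trusted
    results["r1_key_c"] = release1.accepts(KEY_C)   # unknown key: rejected (would be an outage)

    # Phase 1: backend rotates to key B. Release-1 clients keep working with no update.
    results["after_rotate_key_b"] = release1.accepts(KEY_B)

    # Phase 2: app release 2 drops A and adds C as the new backup.
    release2 = PinSet("api.example.test", frozenset({spki_pin(KEY_B), spki_pin(KEY_C)}))
    results["r2_key_a"] = release2.accepts(KEY_A)   # retired key no longer trusted
    results["r2_key_c"] = release2.accepts(KEY_C)   # next rotation target pre-trusted
    return results


if __name__ == "__main__":
    for name, ok in rollover_walkthrough().items():
        print(f"{name:20s} {'accept' if ok else 'REJECT'}")
```

The design point is that the pin set for the next release always contains the key the backend will move to next, so rotation never depends on users updating the app first; a one-pin set is refused outright because it guarantees an outage on any key change.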