CompTIA Security+ PKI Explained: Certificates, CAs, and the Chain of Trust

Security+ is broad, vendor-neutral, and tied to real exam constraints. The current CompTIA exam is SY0-701. It costs $425, allows maximum of 90 questions in 90 minutes, and requires 750 on a scale of 100-900 to pass.

How PKI works

A server generates a key pair and creates a Certificate Signing Request (CSR). A Certificate Authority (CA) validates the request and signs the certificate. When a browser connects over HTTPS on port 443, the server presents the certificate. The browser checks whether the issuing chain links back to a trusted root CA, whether the certificate is within its validity period, whether the hostname matches, and whether revocation data indicates the certificate is still valid.

Revocation mechanisms

CRL (Certificate Revocation List) is a published list of revoked certificates that clients download and check. OCSP (Online Certificate Status Protocol) allows real-time revocation checking without downloading the full CRL. OCSP stapling allows the server to include a fresh OCSP response with the certificate presentation, reducing client-side latency.

Key terms for instant recall

CSR, CA, root CA, intermediate CA, certificate chain, CRL, OCSP, public key, private key, digital signature, non-repudiation. Know what each term does in the context of establishing a trusted HTTPS connection.

What should you do with this information next?

Our CompTIA Security+ study guide covers all five SY0-701 domains. Available at securitypluscertprep.com/guide.

SimpuTech's Security+ AI tutor can build a personalized study plan. Try it at SimpuTech.com.