
Module 2: Cryptography and PKI Foundations Slides

Slide walkthrough for Module 2 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: The cryptographic building blocks that make SPIFFE...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Cryptography and PKI Foundations - The cryptographic building blocks that make SPIFFE possible
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Every identity system in cloud-native infrastructure — mTLS, JWT authentication, certificate rotation, federation — is built on these cryptographic primitives
  4. Cryptography Fundamentals - Lesson section from the full module
  5. Public Key Infrastructure (PKI) - Lesson section from the full module
  6. X.509 Certificates Explained - Lesson section from the full module
  7. Mutual TLS (mTLS) - Lesson section from the full module
  8. Certificate Rotation - Lesson section from the full module
  9. JWT Fundamentals - Lesson section from the full module
  10. Real-World Use Cases - Service-to-service mTLS in Kubernetes — encrypted and authenticated communication, API gateway JWT verification — validating service identity at the edge
  11. Common Mistakes to Avoid - 4 mistakes covered
  12. Production Notes - 3 practical notes
  13. Hands-On Labs - 3 hands-on labs
  14. Key Takeaways - 6 points to remember

Learning Objectives

  • Understand symmetric vs asymmetric encryption
  • Learn how PKI and certificate authorities work
  • Master X.509 certificates and certificate chains
  • Implement mutual TLS between services

Why This Module Matters

Every identity system in cloud-native infrastructure — mTLS, JWT authentication, certificate rotation, federation — is built on these cryptographic primitives. Without understanding PKI and certificate chains, SPIRE configurations feel like magic incantations. With this foundation, you will understand WHY SPIRE makes specific design choices and how to debug certificate failures in production.

Production Notes

  • Never use self-signed certificates for end-entity SVIDs in production. Use a proper CA hierarchy: an offline Root CA that signs nothing but the Intermediate CA certificate, and an online Intermediate CA that issues the SVIDs.
  • Certificate TTL should be as short as your rotation mechanism supports. SPIRE's default X509-SVID TTL is 1 hour, which is a good production baseline.
  • Always verify the full certificate chain up to a root in your trust bundle, not just the end-entity certificate. A well-formed, unexpired certificate that chains to a CA you do not trust must be rejected; skipping chain verification lets anyone who operates their own CA impersonate your services.

Common Mistakes

  • Using RSA-2048 when ECDSA P-256 offers at least the same security level with smaller keys, faster key generation and signing, and smaller certificates, which matters when SVIDs are reissued every hour
  • Storing CA private keys on disk without hardware security module (HSM) protection
  • Not monitoring certificate expiration — silent expiry causes sudden production outages
  • Confusing certificate authentication with authorization: a valid certificate proves who the peer is, not what it is allowed to do, so the authorization decision must be made separately on the authenticated identity

Key Takeaways

  • Asymmetric cryptography solves the key distribution problem: peers can authenticate and agree on session keys without a pre-shared secret
  • PKI provides a scalable trust hierarchy for certificate management, and answers the question asymmetric cryptography leaves open: whose public key is this?
  • X.509 certificates bind a public key to an identity through a CA's signature
  • mTLS authenticates BOTH client and server — the foundation of zero trust
  • Short-lived certificates limit the blast radius of a compromised key but require automatic rotation
  • SPIFFE uses X.509 and JWT as its two SVID formats

Hands-On Labs

  1. Creating a Root Certificate Authority

    Build a PKI hierarchy from scratch using OpenSSL.

    • Generate a Root CA private key and self-signed certificate
    • Generate an Intermediate CA key and CSR
    • Sign the Intermediate CA certificate with the Root CA
    • Verify the certificate chain

    View lab files on GitHub

  2. Generating and Signing Certificates

    Issue end-entity certificates for services.

    • Generate a private key for a service
    • Create a CSR with SPIFFE ID in the SAN field
    • Sign the certificate with the Intermediate CA
    • Inspect the certificate with openssl x509 -text

    View lab files on GitHub

  3. Establishing mTLS Between Services

    Configure two services to mutually authenticate with certificates.

    • Start a TLS server that requires client certificates
    • Start a TLS client that presents its certificate
    • Verify that both sides authenticate each other
    • Observe the connection failing with an invalid or missing certificate

    View lab files on GitHub
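The three labs above as one runnable Go program, an added example that is not part of the course's lab files or of SPIRE itself. It uses only the Go standard library (SPIRE is written in Go) and assumes a trust domain example.org with two workloads, spiffe://example.org/server and spiffe://example.org/client; those names, the CA common names and the TTLs are assumptions made for the example. BuildPKI covers Labs 1 and 2: an offline-style root, an intermediate constrained to path length zero, and ECDSA P-256 leaves that carry the SPIFFE ID in the URI SAN with SPIRE's default 1-hour TTL. MTLSExchange covers Lab 3: an in-process TLS server that requires a client certificate and a client that presents one, with both sides verifying the full chain against a trust bundle holding only the root and then, as a separate step, checking the peer's SPIFFE ID. Passing nil as the client certificate, a certificate from a different root, or a certificate with the wrong SPIFFE ID reproduces the failure cases.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

const trustDomain = "example.org" // assumed trust domain for this lab

// PKI holds the Lab 1/2 hierarchy. Peers present leaf + intermediate; only
// the root is distributed as the trust bundle.
type PKI struct {
	Root           *x509.Certificate
	Server, Client tls.Certificate
}

// issue generates an ECDSA P-256 key and signs template t with parentKey, the
// equivalent of OpenSSL's CSR-and-sign step. A nil parentKey self-signs (root).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	t.SerialNumber, t.NotBefore, t.NotAfter = serial, time.Now().Add(-time.Minute), time.Now().Add(ttl)
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mirrors Labs 1 and 2: root -> intermediate -> leaves with SPIFFE IDs.
func BuildPKI() (*PKI, error) {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	rootT := ca("Example Root CA")
	root, rootKey, err := issue(rootT, rootT, nil, 10*365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	interT := ca("Example Intermediate CA")
	interT.MaxPathLenZero = true // may issue leaves only, never another CA
	inter, interKey, err := issue(interT, root, rootKey, 365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	p := &PKI{Root: root}
	for path, dst := range map[string]*tls.Certificate{"/server": &p.Server, "/client": &p.Client} {
		t := &x509.Certificate{ // Subject stays empty: the identity is the URI SAN
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
			URIs:        []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
		}
		c, k, err := issue(t, inter, interKey, time.Hour) // SPIRE's default SVID TTL
		if err != nil {
			return nil, err
		}
		*dst = tls.Certificate{Certificate: [][]byte{c.Raw, inter.Raw}, PrivateKey: k, Leaf: c}
	}
	return p, nil
}

// verifyConn is the VerifyConnection hook for both peers: verify the presented
// chain against the trust bundle (authentication), then check the SPIFFE ID
// against the expected peer (authorization). Keep the two steps separate.
func verifyConn(roots *x509.CertPool, expectedID string, eku x509.ExtKeyUsage) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, inters := cs.PeerCertificates[0], x509.NewCertPool()
		for _, c := range cs.PeerCertificates[1:] {
			inters.AddCert(c)
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{eku}}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("chain verification failed: %w", err)
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].String() != expectedID {
			return fmt.Errorf("authenticated as %v but not authorized (want %s)", leaf.URIs, expectedID)
		}
		return nil
	}
}

// MTLSExchange runs Lab 3 in-process: the server requires a client certificate
// and the client presents clientCert (nil reproduces the missing-cert failure).
// It returns the SPIFFE ID the server authenticated, or the first error.
func MTLSExchange(p *PKI, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root) // trust bundle: the root only, never the intermediate
	id := func(path string) string { return "spiffe://" + trustDomain + path }
	// InsecureSkipVerify only disables Go's hostname check, which SPIFFE IDs do
	// not use; verifyConn still verifies the full chain on both sides.
	serverCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientAuth: tls.RequireAnyClientCert,
		VerifyConnection: verifyConn(roots, id("/client"), x509.ExtKeyUsageClientAuth)}
	clientCfg := &tls.Config{InsecureSkipVerify: true,
		VerifyConnection: verifyConn(roots, id("/server"), x509.ExtKeyUsageServerAuth)}
	if clientCert != nil {
		clientCfg.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peerID string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				peerID = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].URIs[0].String()
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_, _ = conn.Read(make([]byte, 1)) // block until the server has finished and closed
	err = <-done
	return peerID, err
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	id, err := MTLSExchange(p, &p.Client)
	fmt.Println("mTLS with a valid SVID:", id, err)
	_, err = MTLSExchange(p, nil)
	fmt.Println("mTLS without a client certificate:", err)
}
```

Running it prints a successful handshake in which the server learned spiffe://example.org/client, followed by the rejection of a client that presents no certificate. Two design choices are worth noting. The trust bundle contains only the root, so each peer must send its intermediate along with its leaf, which is exactly what the OpenSSL labs build toward and how SPIRE distributes bundles. And InsecureSkipVerify does not weaken anything here: it only switches off Go's DNS-hostname matching, which a SPIFFE certificate with no DNS SAN could never satisfy, while verifyConn performs full chain verification itself; go-spiffe builds its tls.Config the same way.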
