dyzulk/trustlab-docs
1
0
Fork 0
mirror of https://github.com/dyzulk/trustlab-docs.git synced 2026-01-26 21:41:54 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
a5eebe25ee1087f200d6d61f010df7d2e1f63f1c
trustlab-docs/pages/guide/concepts/pki-fundamentals.mdx

90 lines
4.2 KiB
Plaintext
Raw Blame History

---
id: pki-fundamentals
title: PKI Fundamentals & Trust Context
description: Public Key Infrastructure (PKI) is the framework that allows secure communication over the internet.
---
import { Callout, Cards, Card } from 'nextra/components'
import { ShieldCheck, ShieldAlert, BadgeCheck, Lock, Key, Link, CheckCircle2, XCircle } from 'lucide-react'
# PKI Fundamentals & Trust Context
**Public Key Infrastructure (PKI)** is the framework that allows secure communication over the internet. It relies on cryptographic keys and a chain of trust to verify identities.
## Core Concepts
Understanding these two mechanisms is essential to understanding how TrustLab works.
### 1. Asymmetric Encryption
Secure communication relies on a pair of keys:
* <Key className="inline w-4 h-4 mr-1"/> **Public Key**: Shared with everyone. Used to **encrypt** data.
* <Lock className="inline w-4 h-4 mr-1"/> **Private Key**: Kept secret. Used to **decrypt** data and **sign** digital assets.
### 2. The Chain of Trust
A certificate is only trusted if it is signed by a known authority. This forms a chain:
* **Root CA**: The trusted anchor. It signs itself. You must install this on your device to trust the chain.
* **Intermediate CA**: Signed by the Root CA. Used to sign day-to-day certificates for security.
* **Leaf Certificate**: The final certificate used on your Web Server or Email.
---
## The Two Lanes of Trust
The internet security model is built on two distinct "lanes". Mixing them up causes browser errors, but using them correctly provides **Military-Grade Security**.
<Cards>
<Card icon={<ShieldCheck />} title="Public Lane (Global)" href="#public-pki" arrow />
<Card icon={<Lock />} title="Private Lane (Internal)" href="#private-pki-trustlab" arrow />
</Cards>
### Public PKI
* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
* **Limitation**: **Cannot** issue certificates for Private IPs (`192.168.x.x`) or Internal Domains (`.local`, `.lan`).
### Private PKI (TrustLab)
* **Issuer**: TrustLab Root CA (Your Organization).
* **Trust Model**: Trusted **ONLY** by devices that have explicitly installed your Root CA.
* **Superpower**: Can secure **ANYTHING** internal (Localhost, Database Servers, IoT).
---
## Why "Military Grade"?
TrustLab utilizes **OpenSSL**, the same cryptographic core used by the world's highly secure networks.
| Feature | TrustLab (Private) | Public CA (Paid) |
| :--- | :--- | :--- |
| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
| **Signature** | SHA-256 | SHA-256 |
| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
| **Global Trust** | <XCircle className="inline w-4 h-4 text-red-500"/> (Manual Install) | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> (Pre-installed) |
| **Internal IPs** | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> Supported | <XCircle className="inline w-4 h-4 text-red-500"/> Forbidden |
| **Cost** | **Free** | $400+/month (Private CA) |
## Appropriate Use Cases
<Callout type="info" emoji={<BadgeCheck className="w-5 h-5" />}>
**The Golden Rule:**
Use **TrustLab** for anything the Public Internet CANNOT access.
Use **Public CAs** for anything the Public Internet MUST access.
</Callout>
### <CheckCircle2 className="inline w-5 h-5 text-green-500 mr-2"/> Perfect For (Green Lane)
* **Internal Tools**: Admin Panels, HR Portals, Dashboards.
* **Development**: Testing HTTPS on `localhost` or `dev.local`.
* **Databases**: Securing connections to MySQL/Postgres/Mongo.
* **S/MIME**: Encrypting email between internal employees.
### <XCircle className="inline w-5 h-5 text-red-500 mr-2"/> Do Not Use For (Red Lane)
* **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning.
* **Public Blogs/Websites**: Random visitors do not have your Root CA installed.
## The "Trust Split" Myth
There is **no conflict** between having TrustLab installed and visiting public websites.
* When you visit `google.com`, your browser uses the **Public Lane**.
* When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**.
They coexist peacefully, providing comprehensive security for your entire digital life.
Reference in New Issue View Git Blame Copy Permalink