Amarjeet Shukla

Ssh

SSH keys are cryptographic key pairs used to authenticate users and systems to SSH servers without passwords. Here's how they work, which algorithms to use, and where key management fails at scale.

Standards

NIST SP 800-57 defines how cryptographic keys should be managed throughout their lifecycle: generation, use, rotation, and destruction. Here's what it recommends, what crypto-periods mean, and how it applies to certificate and key management.

Standards

FIPS 140 defines security requirements for cryptographic modules (HSMs, software libraries, hardware tokens). Here's what the levels mean, when you need it, and what FIPS compliance actually requires operationally.

Cryptography fundamentals

A digital signature proves who created a message and that it hasn't been modified. Here's how signing works with RSA and ECDSA, where signatures are used in PKI, and where verification fails.

Protocols

Certificate Transparency requires all publicly-trusted certificates to be logged in append-only public logs. Here's how CT works, what SCTs are, and how to monitor CT logs for unauthorized certificates issued for your domains.

Cryptography fundamentals

RSA is the most widely deployed asymmetric algorithm, used in TLS certificates, code signing, and key exchange. Here's how the math works, what key sizes to use, and why RSA is being replaced by ECC and post-quantum algorithms.

Key management

Key lifecycle management covers every stage a cryptographic key passes through: generation, distribution, use, rotation, archival, and destruction. Here's how to manage keys properly and where lifecycle gaps create risk.

Machine identity

Machine identity management is the discipline of issuing, tracking, and rotating cryptographic credentials for every non-human entity in your infrastructure. Here's what it covers, why it's growing exponentially, and where organizations lose visibility.

Protocols

EST (RFC 7030) is the modern replacement for SCEP, using HTTPS and TLS client authentication for secure certificate enrollment. Here's how it works, what it improves over SCEP, and where to use it.

Cryptography fundamentals

Asymmetric encryption uses a key pair — public key encrypts, private key decrypts. Here's how it enables TLS, digital signatures, and key exchange without sharing secrets.

Kubernetes

Kubernetes uses TLS certificates for cluster communication, ingress termination, and service-to-service encryption. Here's where certificates live in K8s, how they're managed, and where they expire without warning.

Clm

Certificate automation eliminates human involvement from enrollment through renewal. Here's how organizations automate at scale, what architecture patterns work, and where automation creates new failure modes.

Hsm

Cloud HSMs provide FIPS 140-2 Level 3 hardware key protection without managing physical devices. Here's how AWS CloudHSM, Azure Managed HSM, and Google Cloud HSM compare, and where cloud HSM creates operational dependencies.

Clm

Certificate enrollment is the process of requesting, validating, and receiving a signed certificate from a CA. Here's how enrollment works across protocols (ACME, EST, SCEP, manual), what differs between them, and where enrollment fails silently.

Devsecops

CI/CD pipelines can automate certificate provisioning for every deployment — requesting, validating, and deploying certificates as part of the release process. Here's how to integrate certificate automation into pipelines and where it fails.

Code signing

Code signing uses digital signatures to prove software came from a known publisher and hasn't been tampered with. Here's how it works, what it protects against, and where the signing process fails.

Code signing

Software supply chain security ensures that code, dependencies, build processes, and distribution channels haven't been compromised. Here's how attacks happen, what frameworks exist, and where code signing fits in the defense.

Pki

A Certificate Policy defines what a CA will do. A Certification Practice Statement defines how it does it. Here's what they contain, why auditors care, and where gaps between CP and CPS create real risk.

Pki

IoT devices need cryptographic identity for authentication and encrypted communication. Here's how PKI works at device scale, what's different from server PKI, and where IoT certificate management fails.

Ssl tls

Mutual TLS (mTLS) requires both client and server to present certificates during the handshake, enabling cryptographic identity verification for service-to-service communication. Here's how it works, where it's deployed, and what breaks.

Ssl tls

TLS 1.3 removed insecure algorithms, reduced handshake latency to 1-RTT, and encrypted more of the handshake. Here's what changed, what was removed, and what breaks during migration.

Ssl tls

Certificate validity periods are shrinking from 398 days to 90 days. Here's why shorter lifetimes reduce risk, what the CA/Browser Forum proposals mean for operations, and how to prepare.

Ssl tls

A TLS handshake is the negotiation process that establishes an encrypted connection between client and server. Here's how TLS 1.3 reduced it to one round trip, what happens at each step, and where it fails.

Ssl tls

A TLS certificate binds a public key to a domain identity, enabling encrypted HTTPS connections. Here's how it works, where it breaks, and what engineers need to know.