1220 CHAPTER 97: PKI CONFIGURATION
CRL
An existing certificate may need to be revoked when, for example, the user name 
changes, the private key leaks, or the user stops doing business. Revoking a 
certificate removes the binding between the public key and the user identity 
information. In PKI, revocation is made known through certificate revocation 
lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more 
CRLs announcing that the certificate is invalid. A CRL contains the serial 
numbers of all revoked certificates and provides an effective way to check the 
validity of certificates.
A CA may publish multiple CRLs when the number of revoked certificates is so 
large that publishing them in a single CRL may degrade network performance.
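The CRL check described above, as an added example that is not part of this manual or of the device software: using only the Go standard library, it constructs a demo CA, two end-entity certificates and a CRL that revokes one of them, then looks up a certificate's serial number in the CRL only after verifying the CRL's signature, issuer and validity window. All names, serial numbers and validity periods are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// revocationStatus reports "revoked" or "good" for cert according to crl, trusting the CRL only after checking its CA signature, issuer and validity window.
func revocationStatus(ca, cert *x509.Certificate, crl *x509.RevocationList, at time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", err // a CRL with a bad signature proves nothing
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) || at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) {
		return "", errors.New("CRL does not apply: wrong issuer or not current, fetch a fresh one")
	}
	for _, rc := range crl.RevokedCertificates { // a CRL lists only serial numbers
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// buildDemo constructs in memory a CA, two end-entity certificates (serials 2 and 3) and a CRL revoking serial 2; every value is made up for this example.
func buildDemo() (ca, ee2, ee3 *x509.Certificate, crl *x509.RevocationList, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	eePub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId the CRL needs
	issue := func(serial int64, cn string) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(12 * time.Hour)}
		der, _ := x509.CreateCertificate(rand.Reader, t, ca, eePub, caKey)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	ee2, ee3 = issue(2, "switch-a"), issue(3, "switch-b")
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey) // a nil result fails the parse below
	crl, err = x509.ParseRevocationList(crlDER)
	return
}
```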
CA policy
A CA policy is a set of criteria that a CA follows in managing certificate requests, 
in issuing and revoking certificates, and in publishing CRLs. Usually, a CA advertises 
its policy in the form of a certification practice statement (CPS), which can be 
acquired through out-of-band means such as phone, disk, or e-mail, or through other 
means. Since different CAs may use different methods to check the binding of a public 
key with an entity, make sure that you understand the CA policy before selecting a 
trusted CA for certificate requests.
Architecture of PKI
A PKI system consists of entities, a CA, a registration authority (RA), and a PKI 
repository, as shown in Figure 360.
Figure 360   PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an 
organization, a device like a switch, or a process running on a computer.
CA
A CA is a trusted entity responsible for issuing and managing digital certificates. A 
CA issues certificates, specifies the validity period of a certificate, and revokes a 
certificate as needed by publishing CRLs.
(Figure 360 labels: PKI manager, Certificate / CRL repository, Entity, RA, CA, PKI client; arrows labeled "Issue a certificate" and "Issue a certificate / CRL".)