5. The entity retrieves the certificate. The entity can use the certificate to communicate with other
entities safely through encryption and digital signature.
6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server.
PKI applications
The PKI technology can meet security requirements of online transactions. As an infrastructure, PKI offers
a wide range of applications, including the following examples:
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for example, IPSec) in
conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. For example, S/MIME is a secure email protocol that is based on PKI and
allows encrypted and digitally signed emails to be transferred.
• Web security—For Web security, two peers can establish an SSL connection first for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted
communications between a browser and a server. Both the communication parties can verify the
identity of each other through digital certificates.
Configuration guidelines
When you configure PKI, follow these guidelines:
• Make sure the clocks of the entities and the CA are synchronized. Otherwise, the validity period of
certificates will be abnormal.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA
as the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case,
specify CA as the authority for certificate request when you configure the PKI domain.
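The following Python script is an added illustration for two points above: the CRL-based revocation in step 6, and the clock-synchronization guideline. It is example code written for this page, not code from the device or the configuration guide. It parses the X.509 time encodings (UTCTime and GeneralizedTime, per the RFC 5280 profile), checks a certificate's validity window and its CRL status, and then shows how the same certificate is judged by an entity whose clock is slow or fast. The certificate, CRL, serial numbers and dates are constructed sample values.

```python
"""Certificate validity and CRL status as seen through a skewed clock.

Added example, not from the original guide. The certificate and CRL
records below are constructed sample data, not real issued objects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_x509_time(s: str) -> datetime:
    """Parse an X.509 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime
    (YYYYMMDDHHMMSSZ) into an aware UTC datetime.

    RFC 5280 pivots the two-digit UTCTime year at 50: YY >= 50 is 19YY,
    YY < 50 is 20YY. Only Zulu-time encodings are accepted, as the RFC
    profile requires."""
    if not s.endswith("Z"):
        raise ValueError("only Zulu-time encodings are supported")
    body = s[:-1]
    if len(body) == 12:                       # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = f"{year}{body[2:]}"
    elif len(body) != 14:                     # GeneralizedTime
        raise ValueError(f"unexpected time encoding: {s}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: dict            # serial -> revocationDate


def check_validity(cert: Cert, now: datetime) -> str:
    """Return 'not-yet-valid', 'valid' or 'expired' for the clock value now."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    return "valid"


def check_revocation(cert: Cert, crl: Crl, now: datetime) -> str:
    """Return 'good', 'revoked' or 'crl-stale'.

    A CRL is only current between thisUpdate and nextUpdate; outside that
    window the relying party must fetch a fresh CRL rather than assume 'good'."""
    if not (crl.this_update <= now <= crl.next_update):
        return "crl-stale"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= now:
        return "revoked"
    return "good"


def evaluate(cert: Cert, crl: Crl, now: datetime) -> str:
    """Combined status: validity window first, then revocation."""
    validity = check_validity(cert, now)
    if validity != "valid":
        return validity
    return check_revocation(cert, crl, now)


def status_with_skew(cert: Cert, crl: Crl, true_time: datetime, skew_days: float) -> str:
    """Status as judged by an entity whose clock reads true_time + skew_days."""
    return evaluate(cert, crl, true_time + timedelta(days=skew_days))


# Constructed sample data: hypothetical serials and dates.
SAMPLE_CERT = Cert(serial=0x1A2B,
                   not_before=parse_x509_time("240101000000Z"),
                   not_after=parse_x509_time("250101000000Z"))
REVOKED_CERT = Cert(serial=0x1A2C,
                    not_before=SAMPLE_CERT.not_before,
                    not_after=SAMPLE_CERT.not_after)
SAMPLE_CRL = Crl(this_update=parse_x509_time("240601000000Z"),
                 next_update=parse_x509_time("240608000000Z"),
                 revoked={0x1A2C: parse_x509_time("240530120000Z")})
TRUE_TIME = parse_x509_time("240603120000Z")   # the CA's (correct) clock

if __name__ == "__main__":
    for label, skew in [("in sync", 0), ("200 days slow", -200), ("10 days fast", 10)]:
        print(f"{label:14}: {status_with_skew(SAMPLE_CERT, SAMPLE_CRL, TRUE_TIME, skew)}")
    print(f"revoked serial: {evaluate(REVOKED_CERT, SAMPLE_CRL, TRUE_TIME)}")
```

With the clocks in sync the certificate is reported as good. An entity whose clock runs 200 days slow sees the same certificate as not yet valid, and one running 10 days fast finds the published CRL already past its nextUpdate and cannot confirm revocation status at all; neither failure is a problem with the certificate itself, which is why the guideline asks for synchronized clocks before anything else is troubleshot.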
Recommended configuration procedures
The device supports the following PKI certificate request modes:
• Manual—In manual mode, you need to manually retrieve a CA certificate, generate a local RSA
key pair, and submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through the SCEP when it has no
local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.