218
delegate some of the tasks to an RA and leave the CA to concentrate on its primary tasks of signing
certificates and CRLs.
• Certificate/CRL repository—A certificate distribution point that stores certificates and CRLs, and
distributes these certificates and CRLs to PKI entities. It also provides the query function. A PKI
repository can be a directory server using the LDAP or HTTP protocol, of which LDAP is commonly
used.
PKI operation
The following workflow describes how a PKI entity requests a local certificate from a CA that has RAs:
1. A PKI entity submits a certificate request to the RA.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity
information and the public key to the CA.
3. The CA verifies the digital signature, approves the request, and issues a certificate.
4. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories
and notifies the PKI entity that the certificate has been issued.
5. The entity obtains the certificate from the certificate repository.
PKI applications
The PKI technology can meet security requirements of online transactions. As an infrastructure, PKI has a
wide range of applications. Here are some application examples.
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can use network layer security protocols (for example, IPsec) in conjunction
with PKI-based encryption and digital signature technologies for confidentiality.
• Secure emails—PKI can address the email requirements for confidentiality, integrity, authentication,
and non-repudiation. A common secure email protocol is Secure/Multipurpose Internet Mail
Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with
signature.
• Web security—PKI can be used in the SSL handshake phase to verify the identities of the
communicating parties by digital certificates.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non
-FIPS mode.
PKI configuration task list
Tasks at a glance
(Required.) Configuring a PKI entity
(Required.) Configuring a PKI domain
(Required.) Requesting a certificate:
To Next Page
Loading...
Need help?
General