HPE FlexNetwork 5510 HI Series Security Configuration Guide

Configuring PKI
Overview
Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for
securing network services. Data encrypted with the public key can be decrypted only with the private
key. Likewise, data encrypted with the private key can be decrypted only with the public key.
PKI uses digital certificates to distribute and employ public keys, and provides network
communication and e-commerce with security services such as user authentication, data
confidentiality, and data integrity.
Hewlett Packard Enterprise's PKI system provides certificate management for IPsec and SSL.
PKI terminology
Digital certificate
A digital certificate is an electronic document signed by a CA that binds a public key with the identity
of its owner.
A digital certificate includes the following information:
• Issuer name (the name of the CA that issued the certificate).
• Subject name (name of the individual or group to which the certificate is issued).
• Identity information of the subject.
• Subject's public key.
• Signature of the CA.
• Period of validity.
A digital certificate must comply with the ITU-T X.509 international standard, of which version 3
(X.509 v3) is the most commonly used.
This chapter covers the following types of certificates:
• CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree, with the root
CA at the top. The root CA generates a self-signed certificate, and each lower level CA holds a
CA certificate issued by the CA immediately above it. The chain of these certificates forms a
chain of trust.
• Registration authority (RA) certificate—Certificate issued by a CA to an RA. RAs act as
proxies for CAs to process enrollment requests in a PKI system.
• Local certificate—Digital certificate issued by a CA to a PKI entity, which contains the entity's
public key.
• Peer certificate—Digital certificate of a peer, which contains the peer's public key and is signed
by a CA.
Certificate revocation list
A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A
CRL is created and signed by the CA that originally issued the certificates.
The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the
revoked certificates should not be trusted.
The CA must revoke a certificate when any of the following conditions occurs:
• The certificate subject name is changed.
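As an added example, not code from the HPE guide, the following Go program uses the standard crypto/x509 library to build the CA tree described above (a self-signed root CA, a sub-CA holding a certificate issued by the root, and a local certificate issued by the sub-CA), walks the chain of trust from the local certificate to the root, and then has the issuing CA publish a signed CRL listing the local certificate's serial number. The subject names, serial numbers and validity periods are constructed values; the program checks the CRL's signature against the issuing CA before acting on it, as the text requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for cn signed by the parent CA (nil parent: self-signed root).
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c, key
}

// demo builds root CA -> sub-CA -> local cert (constructed names), walks the chain of trust, then has the sub-CA revoke the local cert via a signed CRL.
func demo() (chainOK, revoked bool) {
	root, rootKey := issue("Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	sub, subKey := issue("Sub CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey)
	local, _ := issue("switch.example", 3, x509.KeyUsageDigitalSignature, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := local.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	der, err2 := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: local.SerialNumber, RevocationTime: time.Now()}},
	}, sub, subKey)
	crl, err3 := x509.ParseRevocationList(der)
	if err2 != nil || err3 != nil || crl.CheckSignatureFrom(sub) != nil { // never act on a CRL the issuer did not sign
		panic("CRL unusable or not signed by the issuing CA")
	}
	for _, e := range crl.RevokedCertificates {
		revoked = revoked || e.SerialNumber.Cmp(local.SerialNumber) == 0
	}
	return err == nil, revoked
}
```

demo returns true for the chain check, because each certificate is signed by the CA immediately above it and is within its validity period, and true for the revocation check, because the local certificate's serial number appears on the CRL signed by its issuer.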