HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide
Configuring PKI
Overview
Public key infrastructure (PKI) is a general security infrastructure that provides information security through public key technologies.
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key. The private key must be kept secret, but the public key needs to be distributed. Data encrypted with one of the two keys can only be decrypted with the other.
A key problem with PKI is how to manage public keys. PKI solves this problem with the digital certificate mechanism, which binds public keys to their owners and helps distribute public keys securely in large networks.
With digital certificates, the PKI system provides network communication and e-commerce with
security services such as user authentication, data non-repudiation, data confidentiality, and data
integrity.
Hewlett Packard Enterprise's PKI system provides certificate management for IPsec, SSL, and
WAPI.
PKI terminology
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) for an entity. It mainly includes the identity information of the entity, the public key of the entity, the name and signature of the CA, and the validity period of the certificate. The signature of the CA ensures the validity and authority of the certificate. A digital certificate must comply with the international standard ITU-T X.509; the most common version is X.509 v3.
This document involves two kinds of certificates: local certificates and CA certificates. A local certificate is a digital certificate signed by a CA for an entity, and a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, and each lower-level CA has a CA certificate signed by the CA at the next higher level.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the private key leaks, or the user stops the business. Revoking a certificate removes the binding of the public key to the user identity information. In PKI, revocation is made through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way to check the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL would degrade network performance; it then uses CRL distribution points to indicate the URLs of these CRLs.
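The CA tree and CRL mechanism described above, as an added example in Go that is not part of the HPE guide: it builds a self-signed root CA, a subordinate CA signed by the root, and a local certificate signed by the subordinate CA, verifies the local certificate against the trusted root, then has the subordinate CA publish a CRL listing the local certificate's serial number and checks that serial against the CRL only after validating the CRL's signature. The names ("Root CA", "Sub CA", "router1"), serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // demo-only: abort on any error
// issue generates a P-256 key pair and has issuer sign a certificate for cn; a nil issuer yields the self-signed root CA.
func issue(cn string, serial int64, usage x509.KeyUsage, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, // constructed identity
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // validity period
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if issuer == nil { issuer, issuerKey = tmpl, key } // root CA: its certificate is signed with its own private key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey) // CA signature binds key to identity
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// BuildAndCheck builds root CA -> sub CA -> local cert, verifies the chain, then checks the local cert against the sub CA's CRL.
func BuildAndCheck() (chainValid, revoked bool) {
	root, rootKey := issue("Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	sub, subKey := issue("Sub CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey)
	leaf, _ := issue("router1", 3, x509.KeyUsageDigitalSignature, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)  // only the root CA is trusted a priori
	inters.AddCert(sub)  // the lower-level CA is accepted because the root signed it
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}) // signatures, CA constraints, validity
	chainValid = err == nil
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // sub CA revokes the local cert by serial
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}, sub, subKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(sub)) // a CRL is trusted only if the issuing CA actually signed it
	for _, rc := range crl.RevokedCertificates { // revocation check is a serial-number lookup
		revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return chainValid, revoked
}
```

The chain verification passes because the validity period, CA basic constraints and each CA signature check out; the revocation check then fails the same certificate on the CRL, which is exactly the ordering a PKI client uses.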
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Because different CAs might use different methods to examine the
