
Huawei AR1200-S - PKI Features Supported by the AR1200-S

Huawei AR1200-S
308 pages
If a CRL contains many revoked certificates, the CRL becomes large, and transferring it degrades
the performance of network resources. To avoid this problem, a CA publishes multiple CRLs and uses CRL
distribution points (CDPs) to indicate the location of these CRLs.
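How a relying party reads the CRL location out of a certificate's CDP, as an added example that is not part of the Huawei guide: a minimal DER walk over the X.509 CRLDistributionPoints extension value. It assumes the standard encoding from RFC 5280 (extension OID 2.5.29.31); the function names are hypothetical and the `ca.example` URLs are constructed sample data.

```python
def tlv(tag, body):
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlvs(data):
    """Yield (tag, value) pairs; reject truncated or indefinite lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length >= 0x80:                      # long form: next k bytes hold the length
            k = length & 0x7F
            if k == 0 or i + k > len(data):
                raise ValueError("indefinite or truncated length")
            length = int.from_bytes(data[i:i + k], "big")
            i += k
        if i + length > len(data):
            raise ValueError("value runs past end of buffer")
        yield tag, data[i:i + length]
        i += length

def cdp_uris(ext_value):
    """Return the URIs in the fullName of every DistributionPoint."""
    outer = list(read_tlvs(ext_value))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected one SEQUENCE OF DistributionPoint")
    uris = []
    for dp_tag, dp in read_tlvs(outer[0][1]):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for f_tag, field in read_tlvs(dp):
            if f_tag != 0xA0:                   # skip reasons [1] and cRLIssuer [2]
                continue
            for n_tag, names in read_tlvs(field):
                if n_tag == 0xA0:               # fullName [0]; [1] is nameRelativeToCRLIssuer
                    uris += [v.decode("ascii") for t, v in read_tlvs(names) if t == 0x86]
    return uris

def dist_point(url):                            # builds constructed sample input only
    return tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, url.encode("ascii")))))

SAMPLE_CDP = tlv(0x30, dist_point("http://ca.example/crl/part1.crl")
                 + dist_point("ldap://ca.example/cn=part1-crl"))
```

Calling `cdp_uris(SAMPLE_CDP)` returns the two constructed locations for the same CRL partition; a verifier fetches only that CRL instead of one large list.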
12.2 PKI Features Supported by the AR1200-S
On the AR1200-S, you can configure PKI entities and PKI domains, enroll certificates manually or
automatically, authenticate certificate validity, manage certificates, import or export
certificates, and delete expired certificates.
PKI System Architecture
Figure 12-1 shows the PKI system architecture.
Figure 12-1 PKI system architecture
[Figure: the end entity (PKI end entity), the RA and CAs (PKI management entities), the CDP, and the certificate/CRL repository. Labelled links: operational interaction, management interaction, outband certificate loading, issue certificate, issue certificate and CRL, issue CRL, and certificate outband issuing.]
The public key infrastructure (PKI) system consists of the following components:
• PKI entity
A PKI entity refers to an end entity or a PKI management entity.
An end entity is a certificate applicant or user.
A PKI management entity is an authority that issues or manages certificates. Certificate
authorities (CAs), registration authorities (RAs), and certificate revocation list (CRL)
issuers are PKI management entities. Sometimes an attribute authority (AA) functions
as a CRL issuer.
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security 12 PKI Configuration
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
235
