Manualshelf

R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router
261262263264265266267268269270
247
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and
email. Because different CAs might use different methods to examine the binding of a public key with an
entity, make sure you understand the CA policy before selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown
in Figure 69.
Figure 69 PKI architecture
PKI entity—A PKI entity is an end user of PKI products or services, such as a person, an organization,
a device like a router or a switch, or a process running on a computer.
CA—A CA is a trusted authority responsible for issuing and managing digital certificates. A CA
issues certificates, specifies the validity periods of certificates, and revokes certificates as needed
by publishing CRLs.
RAA registration authority (RA) is an extended part of a CA or an independent authority. An RA
can implement functions including identity authentication, CRL management, key pair generation
and key pair backup. The PKI standard recommends that an independent RA be used for
registration management to achieve higher security of application systems.
PKI repositoryA PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a
common database. It stores and manages information like certificate requests, certificates, keys,
CRLs and logs when it provides a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service.
From an LDAP server, an entity can retrieve local and CA certificates of its own as well as
certificates of other entities.
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check
the validity of certificates. Here is how it works:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.