R2511-HP MSR Router Series Security Configuration Guide(V5)

3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points
to provide directory navigation service, and notifies the entity that the certificate is successfully
issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.
6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server or other distribution points.
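Steps 3 through 6 can be reproduced offline with a throwaway CA. This is an added example, not taken from the HP guide: it uses the openssl CLI rather than router commands, omits the RA, lets a local file stand in for the LDAP distribution point, and every name in it is constructed.

```shell
# Added example: "Demo CA", "router1.example.test" and all file names are constructed.
q() { "$@" >/dev/null 2>&1; }            # run quietly, keep the exit status
pki_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  mkdir certs; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = certs
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
EOF
  check() {  # relying peer: chain validation plus CRL lookup
    if q openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem ent.crt
    then echo "$1: accepted"; else echo "$1: rejected"; fi
  }
  q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt       # CA root certificate
  # Entity key pair and signed certificate request (what precedes step 3)
  q openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=router1.example.test" -keyout ent.key -out ent.csr
  # Step 3: the CA verifies the request signature, then issues the certificate
  q openssl req -config ca.cnf -in ent.csr -verify -noout
  q openssl ca -batch -config ca.cnf -in ent.csr -out ent.crt
  # Steps 4-5: a CRL is published and a peer validates the entity certificate
  q openssl ca -config ca.cnf -gencrl -out crl.pem
  check before-revocation
  # Step 6: the CA revokes and republishes the CRL; the same check now fails
  q openssl ca -config ca.cnf -revoke ent.crt
  q openssl ca -config ca.cnf -gencrl -out crl.pem
  check after-revocation
)
pki_demo
```

The second check fails only because the peer reads the republished CRL; a peer still holding the earlier CRL would keep accepting the revoked certificate until it refreshes.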
PKI applications
The PKI technology can meet the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. The following lists some common application examples:
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in
conjunction with PKI-based encryption and digital signature technologies for confidentiality.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. S/MIME, a rapidly developing secure email protocol, is based on PKI
and allows the transfer of encrypted and signed mail.
• Web security—For Web security, two peers can first establish an SSL connection for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted
communications between a browser and a server. Both communicating parties can verify
each other's identity through digital certificates.
FIPS compliance
Table 14 shows the support of devices for the FIPS mode that complies with NIST FIPS 140-2 requirements.
Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For
more information about FIPS mode, see Security Configuration Guide.
Table 14 Hardware and FIPS mode compatibility matrix

Hardware    FIPS mode
MSR900      No.
MSR93X      No.
MSR20-1X    No.
MSR20       Yes.
MSR30       Yes (except the MSR30-16).
MSR50       Yes.
MSR1000     Yes.
PKI configuration task list
Task                         Remarks
Configuring an entity DN     Required.