R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring PKI
Overview
Public Key Infrastructure (PKI) is an asymmetric key infrastructure that encrypts and decrypts data to secure
network services. Data encrypted with the public key can be decrypted only with the private key. Likewise,
data encrypted with the private key can be decrypted only with the public key.
PKI uses digital certificates to distribute and employ public keys, and provides network communication
and e-commerce with security services such as user authentication, data confidentiality, and data
integrity.
HP's PKI system provides certificate management for IPsec and SSL.
PKI terminology
Digital certificate
A digital certificate is a document signed by a certificate authority (CA). It includes the following
information:
Issuer name (the name of the CA).
Subject name (name of the individual or group to which the certificate is issued).
Identity information of the subject.
Subject's public key.
Signature by the CA.
Period of validity.
The CA's signature ensures the validity and authority of the certificate. A digital certificate binds a public
key to its owner.
A digital certificate must comply with the international ITU-T X.509 standard; X.509 v3 is the most
commonly used version.
This chapter covers the following types of certificates:
CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree with the root CA at the top. The root CA issues a CA certificate to itself, and each lower-level CA holds a CA certificate issued by the CA immediately above it. The certificate of the root CA, the certificates of intermediate CAs, and the end certificate build a certificate chain. The certificate chain establishes a chain of trust.
Registration authority (RA) certificate—Certificate issued by a CA for an RA. RAs are trusted by CAs to accept requests for enrollment in a PKI system, and they are optional in a PKI system.
Local certificate—Digital certificate issued by a CA for the local entity.
Peer certificate—Digital certificate issued by a CA for a peer entity.
Certificate revocation list
A certificate revocation list (CRL) is a list of revoked certificates, and is created and signed by a CA.