Manualshelf

R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis
211212213214215216217218219220
204
PKI operation
The following workflow describes how a PKI entity requests a local certificate from a CA, and how an RA
is involved in entity enrollment:
1. A PKI entity submits a certificate request to the RA.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity
information and the public key to the CA.
3. The CA verifies the digital signature, approves the request, and issues a certificate.
4. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other
certificate repositories to provide directory navigation services. It notifies the PKI entity that the
certificate is successfully issued.
5. The entity obtains the certificate from the certificate repository.
PKI applications
The PKI technology can meet security requirements of online transactions. As an infrastructure, PKI has a
wide range of applications. Here are some application examples.
VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies for confidentiality.
Secure emails—PKI can address the email requirements for confidentiality, integrity, authentication,
and non-repudiation. A common secure email protocol is Secure/Multipurpose Internet Mail
Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with
signature.
Web security—The SSL protocol can be used to establish a secure connection between a client and
a Web server. During the SSL handshake, both parties can use PKI to verify the peer identity by
digital certificates.
Support for MPLS L3VPN
An enterprise might have multiple branches in different VPNs with isolated services. If users in the
branches request certificates from the CA server in the headquarters VPN, PKI support for MPLS L3VPN
is required.
As shown in Figure 66, if the PK
I entity in VPN 1 wants to request a certificate from the CA server in VPN
3, the PE device that connects to the PKI entity transmits the request to the CA server through MPLS L3VPN.
After the CA server receives the request and issues the certificate, the PE device that connects to the CA
server transmits the certificate to the PKI entity.
For information about MPLS L3VPN, see MPLS Configuration Guide.