3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
188 CHAPTER 12: PKI CONFIGURATION
Terminology
■ Public key algorithm: Key algorithm that uses different keys for encryption and
decryption. A pair of keys is generated for each user; one is publicized as
the public key; the other is reserved as the private key. The information encrypted by
one key has to be decrypted by the other; the key pair therefore is generally
used in signature and authentication. In communication, if the sender signs
with its private key, the receiver needs to authenticate this signature with the
sender’s public key. If the sender encrypts the information with the receiver’s
public key, then only the receiver’s private key is capable of decryption.
■ Certificate authority (CA): Trustworthy entity issuing certificates to persons, PCs
or any other entities. CA deals with certificate requests, and checks applicant
information according to certificate management policy. Then it signs the
certificate with its private key and issues the certificate.
■ Registration authority (RA): Extension of CA. It forwards the entities’ certificate
requests to CA, and digital certificates and certificate revocation list to directory
server, for directory browsing and query.
■ Light-weight directory access protocol (LDAP) server: LDAP provides a means to
access PKI repository, with the purpose of accessing and managing PKI
information. LDAP server supports directory browsing and enlists the user
information and digital certificates from an RA server. Then the user can get his
or others’ certificates when accessing the LDAP server.
■ Certificate revocation list (CRL): A certificate has its lifetime, but CA can revoke
a certificate before its expiration date if the private key leaks or if the service
ends. Once a certificate is revoked, a CRL is released to announce its invalidity;
the CRL lists the serial numbers of the invalid certificates. The CRL, stored in the LDAP
server, provides an effective way to check the validity of certificates, and offers
centralized management of user notification and other applications.
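The validity check that the CRL entry above describes, as an added example (not taken from this guide or from the switch software): a certificate is accepted only if it is inside its lifetime and its serial number is absent from a current CRL of the same CA. The `Cert` and `Crl` classes are simplified stand-ins for parsed X.509 structures, the CRL update window is assumed from X.509 practice, signature verification of both objects is assumed to have been done already, and all names and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # simplified model, not a parsed X.509 certificate
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Crl:  # simplified model of the list the CA publishes
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

def check_cert(cert, crl, now):
    """Return (ok, reason); any doubt about revocation status fails closed."""
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    if crl is None:
        return False, "no CRL available"
    if crl.issuer != cert.issuer:
        return False, "CRL issued by a different CA"
    if not crl.this_update <= now <= crl.next_update:
        return False, "CRL is stale or not yet valid"
    if cert.serial in crl.revoked_serials:
        return False, "revoked before expiration"
    return True, "valid"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data (hypothetical CA name and serial numbers).
CA = "CN=Example CA"
CRL_SAMPLE = Crl(CA, utc(2024, 6, 1), utc(2024, 6, 8), frozenset({0x1A2B}))
CERTS = {
    "good": Cert(0x1001, CA, utc(2024, 1, 1), utc(2025, 1, 1)),
    "revoked": Cert(0x1A2B, CA, utc(2024, 1, 1), utc(2025, 1, 1)),
    "expired": Cert(0x1002, CA, utc(2023, 1, 1), utc(2024, 1, 1)),
}

def demo(now=utc(2024, 6, 3)):
    return {name: check_cert(c, CRL_SAMPLE, now) for name, c in CERTS.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A CRL that is missing, out of date, or issued by another CA is treated as a failure, because an unrevoked verdict from such a list says nothing about the certificate's current status.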
Applications
PKI includes a set of security services provided using the technologies of public key
and X.509 certification in distributed computing systems. It can issue certificates
for various purposes, such as Web user identity authentication, Web server identity
authentication, secure Email using secure/multipurpose internet mail extensions
(S/MIME), VPN (virtual private network), IP Security, IKE, and secure sockets
layer/transport layer security (SSL/TLS). One CA can issue certificates to another
CA, to establish certification hierarchies.
Configuration Task List
PKI configuration includes applying to CA for a local certificate for a designated
device and authenticating validity of the certificate. The configuration involves:
■ PKI certificate request
■ PKI certificate validation
■ Display and debug
Certificate Request Configuration
Certificate Request Overview
A certificate request is the process by which an entity introduces itself to the CA. The identity
information the entity provides will be contained in the certificate issued later. CA
uses a set of criteria to check applicant creditability, request purpose and identity
reliability, to ensure that certificates are bound to correct identity. Offline and