HP VPN Firewall Appliances VPN Configuration Guide

PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check
the validity of certificates. Here is how it works:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points
to provide directory navigation service, and notifies the entity that the certificate is successfully
issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.
6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server or other distribution points.
PKI applications
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. The following lists some common application examples:
• VPN—A VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is S/MIME, which is based on PKI and allows for transfer of encrypted mails with signature.
• Web security—For web security, two peers can establish an SSL connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both of the communication parties can verify each other's identity through digital certificates.
PKI configuration guidelines
When you configure PKI, follow these guidelines:
• Make sure the clocks of the entities and the CA are synchronized. Otherwise, the validity period of certificates will be abnormal: a certificate can be treated as not yet valid or already expired on a device whose clock is off.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
• The SCEP add-on is required when you use the Windows Server as the CA. In this case, specify RA as the authority for certificate request by using the certificate request from ra command when you configure the PKI domain.
• The SCEP add-on is not required when you use the RSA Keon software as the CA. In this case, specify CA as the authority for certificate request by using the certificate request from ca command when you configure the PKI domain.
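The following is an added example, not code from the HP guide or from the device firmware. It shows the checks a relying party performs on a peer certificate after the PKI operation flow above: the notBefore/notAfter window (which is where an unsynchronized clock breaks validation, as the first guideline warns) and the CRL lookup that step 6 of the flow produces. Certificate and CRL fields are constructed sample values held in plain dictionaries; the time strings use the RFC 5280 UTCTime and GeneralizedTime syntax, and the five-minute skew allowance is an assumed tolerance, not a value from the guide.

```python
"""Certificate validity and CRL checks (added example, standard library only)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone


def parse_rfc5280_time(s: str) -> datetime:
    """Parse an RFC 5280 validity time into an aware UTC datetime.

    UTCTime is YYMMDDHHMMSSZ; years 50-99 mean 1950-1999 and 00-49 mean
    2000-2049 (RFC 5280 section 4.1.2.5.1). GeneralizedTime is
    YYYYMMDDHHMMSSZ. Both must end in 'Z' (UTC).
    """
    if not s.endswith("Z"):
        raise ValueError("validity times must be expressed in UTC (trailing 'Z')")
    digits = s[:-1]
    if not digits.isdigit():
        raise ValueError(f"non-numeric time field: {s!r}")
    if len(digits) == 12:            # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time syntax: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_certificate(cert: dict, crl: dict, now: datetime,
                      max_skew: timedelta = timedelta(minutes=5)) -> tuple[bool, str]:
    """Return (accepted, reason) for a certificate at local time `now`.

    Order of checks: validity window (with a small skew allowance), CRL
    issuer match, CRL freshness, then revocation by serial number.
    """
    not_before = parse_rfc5280_time(cert["notBefore"])
    not_after = parse_rfc5280_time(cert["notAfter"])
    if now + max_skew < not_before:
        return False, "certificate not yet valid (check clock synchronization with the CA)"
    if now - max_skew > not_after:
        return False, "certificate expired"
    if crl["issuer"] != cert["issuer"]:
        return False, "CRL was not issued by the certificate's CA"
    if now > parse_rfc5280_time(crl["nextUpdate"]):
        return False, "CRL is stale; fetch a fresh CRL from the distribution point"
    if cert["serialNumber"] in crl["revokedSerials"]:
        return False, "certificate revoked"
    return True, "certificate accepted"


# Constructed sample data (not real certificates): a CA that issued two
# certificates and later revoked serial 0x0FFF via its CRL.
SAMPLE_CRL = {
    "issuer": "CN=Example Corp CA",
    "thisUpdate": "250301080000Z",
    "nextUpdate": "250308080000Z",
    "revokedSerials": {0x0FFF},
}
PEER_CERT = {"issuer": "CN=Example Corp CA", "serialNumber": 0x1A2B,
             "notBefore": "250301090000Z", "notAfter": "260301090000Z"}
REVOKED_CERT = {"issuer": "CN=Example Corp CA", "serialNumber": 0x0FFF,
                "notBefore": "250301090000Z", "notAfter": "260301090000Z"}


def run_scenarios() -> dict[str, bool]:
    """Evaluate the sample certificates under several local-clock conditions."""
    issued_at = datetime(2025, 3, 1, 9, 0, 30, tzinfo=timezone.utc)
    return {
        # Clock in sync with the CA: the fresh certificate is accepted.
        "synced_clock": check_certificate(PEER_CERT, SAMPLE_CRL, issued_at)[0],
        # Clock two hours behind the CA: the same certificate is "not yet valid".
        "clock_2h_behind": check_certificate(PEER_CERT, SAMPLE_CRL,
                                             issued_at - timedelta(hours=2))[0],
        # Serial listed on the CRL: rejected even though the dates are fine.
        "revoked": check_certificate(REVOKED_CERT, SAMPLE_CRL, issued_at)[0],
        # CRL past its nextUpdate: refuse until a fresh CRL is retrieved.
        "stale_crl": check_certificate(PEER_CERT, SAMPLE_CRL,
                                       issued_at + timedelta(days=19))[0],
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} -> {'accepted' if accepted else 'rejected'}")
```

The skew allowance only papers over a few minutes of drift; a device whose clock is hours off still rejects freshly issued certificates, which is why the guide asks for synchronized clocks rather than a larger tolerance. The stale-CRL branch fails closed: without a current CRL from the distribution point the device cannot know whether the peer's certificate has been revoked.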