Elements of a public key infrastructure, Certificate validation – Allied Telesis AT-S62 User Manual
Page 715
AT-S62 Management Software Menus Interface User’s Guide
Section VII: Management Security
Elements of a Public Key Infrastructure
A Public Key Infrastructure (PKI) is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:
- At least one Certification Authority (CA), which issues and revokes certificates.
- At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
- At least one End Entity (EE), which retrieves certificates from the repository, validates them and uses them.
End Entities (EE)
End Entities own public keys and may use them for encryption and digital signing. An entity which uses its private key to digitally sign certificates is not considered to be an End Entity, but is a Certification Authority. The switch acts as an End Entity.
Certification Authorities
A Certification Authority is an entity which issues, updates, revokes and otherwise manages public keys and their certificates. A CA receives requests for certification, validates the requester’s identity according to the CA’s requirements, and issues the certificate, signed with one of the CA’s keys. CAs may also perform the functions of End Entities, in that they may make use of other CAs’ certificates for message encryption and verification of digital signatures.
An organization may own a Certification Authority and issue certificates for use within its own networks. In addition, an organization’s certificates may be accepted by another network, after an exchange of certificates has validated a certificate for use by both parties. As an alternative, an outside CA may be used. The switch can interact with the CA, whether or not the CA is part of the organization, by sending the CA requests for certification.
The usefulness of certificates depends on how much you trust the source of the certificate. You must be able to trust the issuing CA to verify identities reliably. The level of verification required in a given situation depends on the organization’s security needs.
Certificate Validation
To validate a certificate, the End Entity verifies the signature in the certificate, using the public key of the CA who issued the certificate.
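The validation step described here, as an added example in Go (not code from the AT-S62 software): the End Entity checks a certificate's signature with the issuing CA's public key, and, going beyond the single-step case, checks a full chain through an intermediate CA back to a trusted root, which is the situation the CA hierarchies below introduce. The NewCert helper and the names "HQ Root CA", "Branch CA" and "switch" used in the test are constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert builds a certificate for cn signed with the parent's key, or self-signed when
// parent is nil. Constructed helper for this example, not part of the AT-S62 software.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only a CA may sign certificates
	if parent == nil { parent, parentKey = tmpl, key } // a self-signed root issues itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
// ValidateSignature is the single step the manual describes: the End Entity verifies the
// certificate's signature with the public key of the CA that issued it.
func ValidateSignature(cert, issuer *x509.Certificate) error {
	return cert.CheckSignatureFrom(issuer)
}
// ValidateChain extends that step to a CA hierarchy: each link is checked back to a root
// the End Entity trusts, so an intermediate CA is never trusted on its own.
func ValidateChain(ee *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots { opts.Roots.AddCert(c) }
	for _, c := range intermediates { opts.Intermediates.AddCert(c) }
	_, err := ee.Verify(opts)
	return err
}
```

Note that CheckSignatureFrom also refuses an issuer whose certificate does not carry CA basic constraints, so an End Entity certificate cannot be used to validate another certificate even if the signature bytes matched.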
CA Hierarchies and Certificate Chains
It may not be practical for every individual certificate in an organization to be signed by one Certification Authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared