beautypg.com

Pki repository, Applications of pki, Secure e-mail – H3C Technologies H3C S3600 Series Switches User Manual

Page 1168: Web security, Operation of pki

background image

1-3

CA

A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues

certificates, specifies the validity periods of certificates, and revokes certificates as needed by

publishing CRLs.

RA

A registration authority (RA) is an extended part of a CA or an independent authority. An RA can

implement functions including identity authentication, CRL management, key pair generation and key

pair backup. The PKI standard recommends that an independent RA be used for registration

management to achieve higher security of application systems.

PKI repository

A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database.

It stores and manages information like certificate requests, certificates, keys, CRLs and logs while

providing a simple query function.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user

information and digital certificates from the RA server and provides directory navigation service. From

an LDAP server, an entity can retrieve local and CA certificates of its own as well as certificates of other

entities.

Applications of PKI

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure,

PKI has a wide range of applications. Here are some application examples.

VPN

A virtual private network (VPN) is a private data communication network built on the public

communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPSec)

in conjunction with PKI-based encryption and digital signature technologies for confidentiality.

Secure E-mail

E-mails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these

needs. The secure E-mail protocol that is currently developing rapidly is Secure/Multipurpose Internet

Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with

signature.

Web security

For Web security, two peers can establish an SSL connection first for transparent and secure

communications at the application layer. With PKI, SSL enables encrypted communications between a

browser and a server. Both the communication parties can verify the identity of each other through

digital certificates.

Operation of PKI

In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check

the validity of certificates. Here is how it works:

1) An entity submits a certificate request to the RA.

This manual is related to the following products: