beautypg.com

Managing certificates, Overview, Recommended configuration procedure – H3C Technologies H3C MSR 50 User Manual

Page 485

background image

100

Managing certificates

Overview

Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI, also called

asymmetric key infrastructure, uses a pair of keys (one private and one public) for data encryption and
decryption. Data encrypted with the public key can be decrypted only with the private key, and vice

versa.
PKI uses digital certificates to distribute and employ public keys, and provides network communication

and e-commerce with security services such as user authentication, data confidentiality, and data
integrity.
H3C's PKI system provides certificate management for IPsec, SSL, and WAPI.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. Here are some application examples:

VPN—A VPN is a private data communication network built on the public communication

infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.

Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. A common secure email protocol is S/MIME, which is based on PKI and

allows for transfer of encrypted mails with signature.

Web security—For Web security, two peers can establish an SSL connection first for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted

communications between a browser and a server. Both the communication parties can verify the
identity of each other through digital certificates. For more information about PKI, see Security

Configuration Guide.

Recommended configuration procedure

The system supports the following PKI certificate request modes:

Manual—In manual mode, you need to manually retrieve a CA certificate, generate a local RSA
key pair, and submit a local certificate request for an entity.

Auto—In auto mode, an entity automatically requests a certificate through the SCEP when it has no
local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.

This manual is related to the following products: