beautypg.com

Managing certificates, Overview, Configuration guidelines – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 615: Managing, Certificates

background image

594

Managing certificates

Overview

The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security

through public key technologies. It is the most widely applied encryption mechanism currently. H3C's PKI
system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair

consists of a private key and a public key. The private key must be kept secret, but the public key needs

to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate

mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,

helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. Here are some application examples:

VPN—A virtual private network (VPN) provides private data communication on public
communication infrastructure. For security and privacy purposes, it is typically protected by network

layer security protocols such as IPsec and employs PKI encryption and digital signature
technologies.

Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. The secure email protocol that is currently developing rapidly is

Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for

transfer of encrypted mails with signature.

Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI, SSL enables
encrypted communications between a browser and a server. Both the communication parties can

verify the identity of each other through digital certificates.

For more information about PKI, see H3C Access Controllers Security Configuration Guide.

Configuration guidelines

When you configure PKI, use the following guidelines:

Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not

respond to the certificate request.

The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when you configure the PKI domain.