41 pki, Pki overview, Pki terms – H3C Technologies H3C WX6000 Series Access Controllers User Manual
41 PKI
The sample output in this manual was created on the WX5004. The output on your device may vary.
Grayed-out functions or parameters on the Web interface indicate that they are not supported or cannot be modified.
The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
PKI Overview
The Public Key Infrastructure (PKI) is a hierarchical framework for providing information security through public key technologies and digital certificates, and for verifying the identities of digital certificate owners.
PKI employs digital certificates, which bind certificate owner identity information to public keys. It allows users to obtain, use, and revoke certificates. By leveraging digital certificates and related services such as certificate distribution and blacklist (revocation list) publication, PKI supports authentication of the entities involved in communication, thereby guaranteeing the confidentiality, integrity, and non-repudiation of data.
PKI Terms
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the related user identity information. The simplest digital certificate contains a public key, an entity name, and a digital signature from the CA. Generally, a digital certificate also includes the validity period of the key, the name of the CA, and the serial number of the certificate. A digital certificate must comply with the international standard ITU-T X.509. This manual covers two types of certificates: local certificates and CA certificates. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate, also known as a root certificate, is signed by the CA for itself.
CRL
An existing certificate may need to be revoked when, for example, the user name changes, the private key is compromised, or the user ceases operation. Revoking a certificate removes the binding between the public key and the user identity information. In PKI, revocation is performed through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs listing all certificates that have been revoked. A CRL contains the serial numbers of all revoked certificates and provides an effective way to check whether a certificate is still valid. Because a relying party only learns of a revocation from a CRL it has actually retrieved, a device that cannot fetch a current CRL will keep accepting a certificate that the CA has already revoked.
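The certificate types and the CRL mechanism described in the two sections above, as an added OpenSSL demonstration that is not part of this manual: it issues a self-signed CA (root) certificate, a local certificate signed by that CA, revokes the local certificate and publishes a CRL carrying its serial number, then shows that CRL-aware validation rejects it. All subject names, file names and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: CA (root) certificate, local certificate signed by it, and a CRL
# listing the revoked serial number. All names, subjects and paths are made up here.
set -e

write_ca_config() {      # minimal config for "openssl ca" and "openssl req"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./db
database      = $dir/index.txt
new_certs_dir = $dir
serial        = $dir/serial
certificate   = ./ca.crt
private_key   = ./ca.key
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  mkdir -p db && : > db/index.txt && echo 1000 > db/serial
}

# Issues both certificates, validates the local one, revokes it, publishes a CRL and
# confirms CRL-aware validation now rejects it. Runs in a subshell; echoes "revoked".
run_crl_demo() (
  work=$(mktemp -d) && cd "$work"
  write_ca_config
  # CA certificate: signed by the CA for itself (root certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -keyout ca.key \
    -out ca.crt -subj "/CN=Demo Root CA" -days 365 2>/dev/null
  # Local certificate: entity key and request, then signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout local.key \
    -out local.csr -subj "/CN=ac.demo.example" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in local.csr -out local.crt 2>/dev/null
  openssl verify -CAfile ca.crt local.crt >/dev/null   # valid before revocation
  # Revoke (for example after a private key leak) and publish a CRL with its serial
  openssl ca -config ca.cnf -revoke local.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
  openssl crl -in ca.crl -noout -text | grep 'Serial Number'   # serial now on the CRL
  # CRL-aware validation must now fail with "certificate revoked"
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl local.crt >/dev/null 2>&1; then
    echo "unexpected: certificate still validates"; return 1
  fi
  echo revoked
)
```

Without `-crl_check` the second `openssl verify` would still report OK, which is the stale-CRL risk noted above.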