
CA policy, Architecture of PKI, Entity – H3C Technologies H3C WX6000 Series Access Controllers User Manual


A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance.

CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and e-mail. As different CAs may use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate requests.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 41-1.

Figure 41-1 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.

CA

A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.

RA

A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup. It only examines the qualifications of users; it does not sign certificates. Sometimes, a CA assumes the registration management responsibility and therefore there is no independent RA. The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems.

PKI repository

A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information like certificate requests, certificates, keys, CRLs and logs while providing a simple query function.