Certificate management, Pki overview, Configuring pki – H3C Technologies H3C WA3600 Series Access Points User Manual

238

Certificate management

PKI overview

The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security

through public key technologies, and it is the most widely applied encryption mechanism currently.
H3C's PKI system provides certificate management for IP Security (IPsec), Secure Sockets Layer (SSL), and

WLAN Authentication and Privacy Infrastructure (WAPI).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair

consists of a private key and a public key. The private key must be kept secret but the public key needs
to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate

mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,

helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security

services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. Here are some application examples:

•

VPN—A virtual private network (VPN) is a private data communication network built on the public
communication infrastructure. A VPN can leverage network layer security protocols (for instance,
IPsec) in conjunction with PKI-based encryption and digital signature technologies to achieve

confidentiality.

•

Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. The secure email protocol that is currently developing rapidly is

Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for

transfer of encrypted mails with signature.

•

Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI, SSL enables

encrypted communications between a browser and a server. Both the communication parties can

verify the identity of each other through digital certificates.

NOTE:

For more information about PKI, see

H3C WA Series WLAN Access Points Security Configuration Guide.

Configuring PKI

The system supports the following PKI certificate request modes:

•

Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and

submit a local certificate request for an entity.

•

Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification
Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to

expire.