Managing certificates, Feature and hardware compatibility, Pki overview – H3C Technologies H3C SecPath F1000-E User Manual
Managing certificates
Feature and hardware compatibility
Feature  F1000-A-EI/E-SI/S-AI  F1000-E  F5000-A5  Firewall module
FIPS     No                    No       No        Yes
PKI overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies.
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key
pair consists of a private key and a public key. The private key must be kept secret but the public key
needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate
mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,
helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
H3C's PKI system provides certificate management for IP Security (IPsec) and Secure Sockets Layer (SSL).
PKI terms
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) for an entity. It mainly includes the
identity information of the entity, the public key of the entity, the name and signature of the CA, and the
validity period of the certificate. The signature of the CA guarantees the validity and authority of
the certificate. A digital certificate must comply with the ITU-T X.509 international standard. Currently,
the most common version is X.509 v3.
This document involves local certificates and CA certificates. A local certificate is a digital certificate
signed by a CA for an entity, and a CA certificate is the certificate of a CA. If multiple CAs are trusted
by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root
CA has a CA certificate signed by itself and each lower level CA has a CA certificate signed by the CA
at the next higher level.
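The CA tree described above, as an added example that is not part of the H3C manual: it uses the OpenSSL command-line tool to build a root CA, a lower-level CA and a local certificate, then shows that the local certificate validates only when every CA certificate between it and the root is available. All names, file names and function names are constructed for the demo.

```shell
# Added example: all names, keys and certificates are constructed. Needs the openssl CLI.

# issue <name> <CN> <extension file> [issuer]: writes <name>.key and <name>.crt.
# With no issuer the certificate is signed by its own key (the root CA case).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
            -CAcreateserial -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
    fi
}

# build_ca_tree <dir>: root CA -> lower-level CA -> local certificate.
build_ca_tree() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\n' > local.ext
      issue root  "Example Root CA"        ca.ext         &&
      issue sub   "Example Lower-Level CA" ca.ext    root &&
      issue local "device.example.test"    local.ext sub )
}

# verify_local <dir> [intermediates]: validate local.crt with root.crt as the only trust anchor.
verify_local() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/local.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/local.crt" >/dev/null 2>&1
    fi
}

# self_issued <cert>: true when subject and issuer names match, as in a root CA certificate.
self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

demo() {
    d=$(mktemp -d) && build_ca_tree "$d" || return 1
    for c in root sub local; do openssl x509 -in "$d/$c.crt" -noout -subject -issuer -enddate; done
    verify_local "$d" sub.crt && echo "chain complete: local certificate accepted"
    verify_local "$d" || echo "lower-level CA certificate missing: rejected"
    rm -rf "$d"
}
demo
```

The printed subject and issuer lines show each certificate naming the CA one level above it, with the root naming itself.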
CRL
An existing certificate may need to be revoked when, for example, the username changes, the private key
leaks, or the user stops doing business. Revoking a certificate removes the binding of the public key with
the user identity information. In PKI, revocation is implemented through certificate revocation lists (CRLs).
Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have