
Ca policy, Pki architecture, Entity – H3C Technologies H3C SecBlade LB Cards User Manual


CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Because different CAs might use different methods to examine the binding of a public key with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate requests.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 39.

Figure 39 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like an LB product, or a process running on a computer.

CA

A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
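The CA duties just listed (issue a certificate with a validity period, revoke it by publishing a CRL) and the checks a relying entity performs against a trusted CA, as an added Go example using only the standard library; it is not code from the manual or from H3C. The CA name, the entity name "lb-device.example", and the serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // abort the demo on any error so each PKI step stays one line
	if err != nil {
		panic(err)
	}
	return v
}

// IssueAndRevoke plays the CA: self-sign a root, issue a one-year entity certificate, then revoke it via a CRL.
func IssueAndRevoke() (ca, entity *x509.Certificate, crl *x509.RevocationList) {
	now, caKey := time.Now(), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // the CA signs both certificates and CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	entKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // normally generated by the entity or the RA
	entTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "lb-device.example"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature} // hypothetical LB device as the entity
	entity = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, entTmpl, ca, &entKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: entity.SerialNumber, RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, entity, crl
}

// Status plays a relying party: chain to the trusted CA, check the CRL's own signature, then look up the serial.
func Status(ca, entity *x509.Certificate, crl *x509.RevocationList) (revoked bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err = entity.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false, err // not issued by the trusted CA, or outside its validity period
	}
	if err = crl.CheckSignatureFrom(ca); err != nil {
		return false, err // an unsigned or forged CRL proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(entity.SerialNumber) == 0
	}
	return revoked, nil
}
```

Status deliberately verifies the CRL signature before consulting its contents: a CRL fetched from an LDAP server or other repository is only meaningful if it really came from the CA.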

RA

A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup. The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems.

PKI repository

A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information such as certificate requests, certificates, keys, CRLs and logs, and provides a simple query function.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides a directory navigation service. From an LDAP server, an entity can retrieve its own local and CA certificates as well as the certificates of other entities.
